RHEL6 Installation and Security Bench Marking Recommendations – Part4
Network Configuration and Firewalls
This section provides guidance for secure network and firewall configuration.
4.1 Modify Network Parameters (Host Only)
The following network parameters determine if the system is to act as a host only. A system is considered host only if the system has a single interface, or has multiple interfaces but will not be configured as a router.
4.1.1 Disable IP Forwarding
The net.ipv4.ip_forward flag is used to tell the server whether it can forward packets or not. If the server is not to be used as a router, set the flag to 0.
Rationale:
Setting the flag to 0 ensures that a server with multiple interfaces (for example, a hard proxy), will never be able to forward packets, and therefore, never serve as a router.
Audit:
Perform the following to determine if net.ipv4.ip_forward is enabled on the system.
# /sbin/sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
Remediation:
Set the net.ipv4.ip_forward parameter to 0 in /etc/sysctl.conf:
net.ipv4.ip_forward=0
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.ip_forward=0
# /sbin/sysctl -w net.ipv4.route.flush=1
4.1.2 Disable Send Packet Redirects
ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects.
Rationale:
An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system.
Audit:
Perform the following to determine if send packet redirects is disabled.
# /sbin/sysctl net.ipv4.conf.all.send_redirects
net.ipv4.conf.all.send_redirects = 0
# /sbin/sysctl net.ipv4.conf.default.send_redirects
net.ipv4.conf.default.send_redirects = 0
Remediation:
Set the net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects parameters to 0 in /etc/sysctl.conf:
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
# /sbin/sysctl -w net.ipv4.conf.default.send_redirects=0
# /sbin/sysctl -w net.ipv4.route.flush=1
4.2 Modify Network Parameters (Host and Router)
The following network parameters determine if the system is to act as a router. A system acts as a router if it has at least two interfaces and is configured to perform routing functions.
4.2.1 Disable Source Routed Packet Acceptance
In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used.
Rationale:
Setting net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route to 0 disables the system from accepting source routed packets. Assume this server was capable of routing packets to Internet routable addresses on one interface and private addresses on another interface. Assume that the private addresses were not routable to the Internet routable addresses and vice versa. Under normal routing circumstances, an attacker from the Internet routable addresses could not use the server as a way to reach the private address servers. If, however, source routed packets were allowed, they could be used to gain access to the private address systems as the route could be specified, rather than rely on routing protocols that did not allow this routing.
Audit:
Perform the following to determine if accepting source routed packets is disabled.
# /sbin/sysctl net.ipv4.conf.all.accept_source_route
net.ipv4.conf.all.accept_source_route = 0
# /sbin/sysctl net.ipv4.conf.default.accept_source_route
net.ipv4.conf.default.accept_source_route = 0
Remediation:
Set the net.ipv4.conf.all.accept_source_route and net.ipv4.conf.default.accept_source_route parameters to 0 in /etc/sysctl.conf:
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0
# /sbin/sysctl -w net.ipv4.conf.default.accept_source_route=0
# /sbin/sysctl -w net.ipv4.route.flush=1
4.2.2 Disable ICMP Redirect Acceptance
ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won’t allow outsiders to update the system’s routing tables.
Rationale:
Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured.
Audit:
Perform the following to determine if ICMP redirect messages will be rejected.
# /sbin/sysctl net.ipv4.conf.all.accept_redirects
net.ipv4.conf.all.accept_redirects = 0
# /sbin/sysctl net.ipv4.conf.default.accept_redirects
net.ipv4.conf.default.accept_redirects = 0
Remediation:
Set the net.ipv4.conf.all.accept_redirects and net.ipv4.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf:
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
# /sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0
# /sbin/sysctl -w net.ipv4.route.flush=1
4.2.3 Disable Secure ICMP Redirect Acceptance
Level 2
Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure.
Rationale:
It is still possible for even known gateways to be compromised. Setting net.ipv4.conf.all.secure_redirects to 0 protects the system from routing table updates by possibly compromised known gateways.
Audit:
Perform the following to determine if ICMP redirect messages will be rejected from known gateways.
# /sbin/sysctl net.ipv4.conf.all.secure_redirects
net.ipv4.conf.all.secure_redirects = 0
# /sbin/sysctl net.ipv4.conf.default.secure_redirects
net.ipv4.conf.default.secure_redirects = 0
Remediation:
Set the net.ipv4.conf.all.secure_redirects and net.ipv4.conf.default.secure_redirects parameters to 0 in /etc/sysctl.conf:
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.conf.all.secure_redirects=0
# /sbin/sysctl -w net.ipv4.conf.default.secure_redirects=0
# /sbin/sysctl -w net.ipv4.route.flush=1
4.2.4 Log Suspicious Packets
When enabled, this feature logs packets with un-routable source addresses to the kernel log.
Rationale:
Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their server.
Audit:
Perform the following to determine if suspicious packets are logged.
# /sbin/sysctl net.ipv4.conf.all.log_martians
net.ipv4.conf.all.log_martians = 1
# /sbin/sysctl net.ipv4.conf.default.log_martians
net.ipv4.conf.default.log_martians = 1
Remediation:
Set the net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians parameters to 1 in /etc/sysctl.conf:
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.route.flush=1
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.conf.all.log_martians=1
# /sbin/sysctl -w net.ipv4.conf.default.log_martians=1
# /sbin/sysctl -w net.ipv4.route.flush=1
4.2.5 Enable Ignore Broadcast Requests
Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses.
Rationale:
Accepting ICMP echo and timestamp requests with broadcast or multicast destinations for your network could be used to trick your host into starting (or participating in) a Smurf attack. A Smurf attack relies on an attacker sending large amounts of ICMP broadcast messages with a spoofed source address. All hosts receiving this message and responding would send echo-reply messages back to the spoofed address, which is probably not routable. If many hosts respond to the packets, the amount of traffic on the network could be significantly multiplied.
Audit:
Perform the following to determine if all ICMP echo and timestamp requests to broadcast and multicast addresses will be ignored.
# /sbin/sysctl net.ipv4.icmp_echo_ignore_broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
Remediation:
Set the net.ipv4.icmp_echo_ignore_broadcasts parameter to 1 in /etc/sysctl.conf:
net.ipv4.icmp_echo_ignore_broadcasts=1
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# /sbin/sysctl -w net.ipv4.route.flush=1
4.2.6 Enable Bad Error Message Protection
Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast frames, keeping file systems from filling up with useless log messages.
Rationale:
Some routers (and some attackers) will send responses that violate RFC-1122 and attempt to fill up a log file system with many useless error messages.
Audit:
Perform the following to determine if bogus messages will be ignored.
# /sbin/sysctl net.ipv4.icmp_ignore_bogus_error_responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
Remediation:
Set the net.ipv4.icmp_ignore_bogus_error_responses parameter to 1 in /etc/sysctl.conf:
net.ipv4.icmp_ignore_bogus_error_responses=1
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
# /sbin/sysctl -w net.ipv4.route.flush=1
4.2.7 Enable RFC-recommended Source Route Validation
Level 2
Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set).
Rationale:
Setting these flags is a good way to deter attackers from sending your server bogus packets that cannot be responded to. One instance where this feature breaks down is if asymmetrical routing is employed. This would occur when using dynamic routing protocols (bgp, ospf, etc.) on your system. If you are using asymmetrical routing on your server, you will not be able to enable this feature without breaking the routing.
Audit:
Perform the following to determine if RFC-recommended source route validation is enabled.
# /sbin/sysctl net.ipv4.conf.all.rp_filter
net.ipv4.conf.all.rp_filter = 1
# /sbin/sysctl net.ipv4.conf.default.rp_filter
net.ipv4.conf.default.rp_filter = 1
Remediation:
Set the net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter parameters to 1 in /etc/sysctl.conf:
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.conf.all.rp_filter=1
# /sbin/sysctl -w net.ipv4.conf.default.rp_filter=1
# /sbin/sysctl -w net.ipv4.route.flush=1
4.2.8 Enable TCP SYN Cookies
When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. This allows the server to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue.
Rationale:
Attackers use SYN flood attacks to perform a denial of service attack on a server by sending many SYN packets without completing the three way handshake. This will quickly use up slots in the kernel's half-open connection queue and prevent legitimate connections from succeeding. SYN cookies allow the server to keep accepting valid connections, even if under a denial of service attack.
Audit:
Perform the following to determine if TCP SYN Cookies is enabled.
# /sbin/sysctl net.ipv4.tcp_syncookies
net.ipv4.tcp_syncookies = 1
Remediation:
Set the net.ipv4.tcp_syncookies parameter to 1 in /etc/sysctl.conf:
net.ipv4.tcp_syncookies=1
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv4.tcp_syncookies=1
# /sbin/sysctl -w net.ipv4.route.flush=1
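The remediation steps in 4.1 and 4.2 each say to set a parameter in /etc/sysctl.conf. Appending with "echo >>" works once, but a second run leaves two conflicting lines in the file: sysctl applies whichever comes last, and the stale line misleads the next person to audit it. The following shell script is an added example, not part of the benchmark, that writes the host-only and host-and-router settings idempotently (updating an existing active entry or appending a new one, leaving commented lines alone) and then loads the file into the running kernel. It assumes a RHEL6-style sysctl.conf ("key = value" or "key=value" lines) and GNU grep/sed; the function names ensure_sysctl_conf, conf_value, harden_host_only and apply_sysctl are this example's own.

```shell
#!/bin/sh
# Added example (not from the benchmark): idempotently apply the 4.1/4.2
# sysctl settings to a sysctl.conf-style file. Takes the file as an
# argument so it can be exercised on a copy before touching /etc/sysctl.conf.

# ensure_sysctl_conf FILE KEY VALUE
# Replace every active "KEY = ..." line in FILE with "KEY = VALUE", or append
# the line if there is no active entry. Commented-out entries are not touched.
ensure_sysctl_conf() {
    file=$1; key=$2; value=$3
    # sysctl keys contain dots, which are regex metacharacters: escape them
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -Eq "^[[:space:]]*${pat}[[:space:]]*=" "$file"; then
        # rewrite in place through a temp file and cat back, so the original
        # inode (mode, owner, SELinux label) is preserved
        sed "s/^[[:space:]]*${pat}[[:space:]]*=.*/${key} = ${value}/" "$file" > "$file.tmp" \
            && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# conf_value FILE KEY
# Print the effective value of KEY in FILE (the last active entry wins, as
# sysctl -p applies lines in order), or nothing if KEY is not set.
conf_value() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -E "^[[:space:]]*${pat}[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# harden_host_only FILE
# Apply the settings from 4.1 (host only) and 4.2 (host and router) to FILE.
harden_host_only() {
    for kv in \
        net.ipv4.ip_forward=0 \
        net.ipv4.conf.all.send_redirects=0 \
        net.ipv4.conf.default.send_redirects=0 \
        net.ipv4.conf.all.accept_source_route=0 \
        net.ipv4.conf.default.accept_source_route=0 \
        net.ipv4.conf.all.accept_redirects=0 \
        net.ipv4.conf.default.accept_redirects=0 \
        net.ipv4.conf.all.secure_redirects=0 \
        net.ipv4.conf.default.secure_redirects=0 \
        net.ipv4.conf.all.log_martians=1 \
        net.ipv4.conf.default.log_martians=1 \
        net.ipv4.icmp_echo_ignore_broadcasts=1 \
        net.ipv4.icmp_ignore_bogus_error_responses=1 \
        net.ipv4.conf.all.rp_filter=1 \
        net.ipv4.conf.default.rp_filter=1 \
        net.ipv4.tcp_syncookies=1
    do
        ensure_sysctl_conf "$1" "${kv%%=*}" "${kv#*=}"
    done
}

# apply_sysctl FILE
# Load FILE into the running kernel and flush the route cache (needs root).
apply_sysctl() {
    /sbin/sysctl -p "$1" && /sbin/sysctl -w net.ipv4.route.flush=1
}
```

Source the file and run harden_host_only on a backup copy of /etc/sysctl.conf first; once the diff looks right, run it on the real file and follow with apply_sysctl /etc/sysctl.conf. Remember the caveat in 4.2.7: on a box doing asymmetric routing, drop the rp_filter entries from the list before applying.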
4.3 Wireless Networking
4.3.1 Deactivate Wireless Interfaces
Wireless networking is used when wired networks are unavailable. Red Hat contains a wireless tool kit to allow system administrators to configure and use wireless networks.
Rationale:
If wireless is not to be used, wireless devices can be disabled to reduce the potential attack surface.
Audit:
Perform the following to determine if wireless interfaces are active.
# ifconfig -a
Validate that all interfaces using wireless are down.
Remediation:
Use the following commands to list all interfaces and identify devices with wireless interfaces. Once identified, shut down the interface and remove its configuration file.
# ifconfig -a
# iwconfig
# ifdown <interface>
# rm /etc/sysconfig/network-scripts/ifcfg-<interface>
4.4 IPv6
IPv6 is a networking protocol that supersedes IPv4. It has more routable addresses and has built-in security.
4.4.1 Configure IPv6
If IPv6 is to be used, follow this section of the benchmark to configure IPv6.
4.4.1.1 Disable IPv6 Router Advertisements
This setting disables the system's ability to accept router advertisements.
Rationale:
It is recommended that systems not accept router advertisements as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.
Audit:
Perform the following to determine if the system is disabled from accepting router advertisements:
# /sbin/sysctl net.ipv6.conf.all.accept_ra
net.ipv6.conf.all.accept_ra = 0
# /sbin/sysctl net.ipv6.conf.default.accept_ra
net.ipv6.conf.default.accept_ra = 0
Remediation:
Set the net.ipv6.conf.all.accept_ra and net.ipv6.conf.default.accept_ra parameters to 0 in /etc/sysctl.conf:
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv6.conf.all.accept_ra=0
# /sbin/sysctl -w net.ipv6.conf.default.accept_ra=0
# /sbin/sysctl -w net.ipv6.route.flush=1
4.4.1.2 Disable IPv6 Redirect Acceptance
This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic.
Rationale:
It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes.
Audit:
Perform the following to determine if IPv6 redirects are disabled.
# /sbin/sysctl net.ipv6.conf.all.accept_redirects
net.ipv6.conf.all.accept_redirects = 0
# /sbin/sysctl net.ipv6.conf.default.accept_redirects
net.ipv6.conf.default.accept_redirects = 0
Remediation:
Set the net.ipv6.conf.all.accept_redirects and net.ipv6.conf.default.accept_redirects parameters to 0 in /etc/sysctl.conf:
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
Modify active kernel parameters to match:
# /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
# /sbin/sysctl -w net.ipv6.conf.default.accept_redirects=0
# /sbin/sysctl -w net.ipv6.route.flush=1
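The audit steps in 4.4.1.1 and 4.4.1.2 read each key with sysctl and compare by eye. The following shell script is an added example, not part of the benchmark, that performs that comparison against a "sysctl -a" style dump and also handles the interaction with 4.4.2: on a host where the ipv6 module has been disabled via "options ipv6 disable=1", the net.ipv6.* keys are normally absent from the running kernel (sysctl reports them as unknown keys), so the script reports them as not applicable rather than as failures. It assumes GNU sed/grep; the dump file and the modprobe.d file are passed as arguments so the logic can run on constructed copies, and the function names ipv6_disabled, dump_value and audit_ipv6 are this example's own.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit the IPv6 settings of 4.4.1
# against a "sysctl -a" dump, treating absent keys as N/A when IPv6 is
# disabled as described in 4.4.2.

# Expected values from 4.4.1.1 and 4.4.1.2, one key=value per line.
IPV6_EXPECTED="
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
"

# ipv6_disabled MODPROBE_CONF
# True when the file carries an active "options ipv6 disable=1" line.
ipv6_disabled() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*options[[:space:]]+ipv6[[:space:]].*disable=1' "$1"
}

# dump_value DUMP KEY
# Print the value of KEY from a "key = value" dump, or nothing if absent.
# The "=" anchor keeps accept_ra from matching accept_ra_defrtr and friends.
dump_value() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^${pat}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_ipv6 DUMP MODPROBE_CONF
# One PASS/FAIL/N/A line per key; exit status 1 if any key fails.
audit_ipv6() {
    dump=$1; conf=$2; rc=0
    if ipv6_disabled "$conf"; then disabled=1; else disabled=0; fi
    for kv in $IPV6_EXPECTED; do
        key=${kv%%=*}; want=${kv#*=}
        got=$(dump_value "$dump" "$key")
        if [ -z "$got" ]; then
            if [ "$disabled" -eq 1 ]; then
                echo "N/A  $key (IPv6 disabled in $conf)"
            else
                echo "FAIL $key not present in running kernel"; rc=1
            fi
        elif [ "$got" = "$want" ]; then
            echo "PASS $key = $got"
        else
            echo "FAIL $key = $got (expected $want)"; rc=1
        fi
    done
    return $rc
}

# Live use (run as root so the dump is complete):
#   /sbin/sysctl -a 2>/dev/null > /tmp/sysctl.dump
#   audit_ipv6 /tmp/sysctl.dump /etc/modprobe.d/ipv6.conf
```

The same pattern extends to the IPv4 keys of 4.1 and 4.2 by adding them to the expected list; the N/A branch only matters for net.ipv6.* keys.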
4.4.2 Disable IPv6
Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6.
Rationale:
If IPv6 is not to be used, it is recommended that it be disabled to reduce the attack surface of the system.
Audit:
Perform the following to determine if IPv6 is enabled.
# grep NETWORKING_IPV6 /etc/sysconfig/network
NETWORKING_IPV6=no
# grep IPV6INIT /etc/sysconfig/network
IPV6INIT=no
# grep ipv6 /etc/modprobe.d/ipv6.conf
options ipv6 disable=1
Remediation:
Edit /etc/sysconfig/network, and add the following lines:
NETWORKING_IPV6=no
IPV6INIT=no
Create the file /etc/modprobe.d/ipv6.conf and add the following lines:
options ipv6 disable=1
Perform the following command to turn ip6tables off:
# /sbin/chkconfig ip6tables off
4.5 Install TCP Wrappers
4.5.1 Install TCP Wrappers
TCP Wrappers provides a simple access list and standardized logging method for services capable of supporting it. In the past, services that were called from inetd and xinetd supported the use of TCP Wrappers. As inetd and xinetd have fallen into disuse, any service that can support TCP Wrappers will have the libwrap.so library linked to it.
Rationale:
TCP Wrappers provide a good simple access list mechanism to services that may not have that support built in. It is recommended that all services that can support TCP Wrappers, use it.
Audit:
Perform the following to determine if TCP Wrappers is enabled.
# yum list tcp_wrappers
tcp_wrappers.<hardware platform> <release> <installed>
Remediation:
# yum install tcp_wrappers
To verify if a service supports TCP Wrappers, run the following command:
# ldd <path-to-daemon> | grep libwrap.so
If there is any output, then the service supports TCP Wrappers.
4.5.2 Create /etc/hosts.allow
The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file.
Rationale:
The /etc/hosts.allow file supports access control by IP and helps ensure that only authorized systems can connect to the server.
Audit:
Run the following command to verify the contents of the /etc/hosts.allow file.
# cat /etc/hosts.allow
[contents will vary, depending on your network configuration]
Remediation:
Create /etc/hosts.allow:
# echo "ALL: <net>/<mask>, <net>/<mask>, …" >/etc/hosts.allow
where each <net>/<mask> combination (for example, "192.168.1.0/255.255.255.0") represents one network block in use by your organization that requires access to this system.
4.5.3 Verify Permissions on /etc/hosts.allow
The /etc/hosts.allow file contains networking information that is used by many applications and therefore must be readable for these applications to operate.
Rationale:
It is critical to ensure that the /etc/hosts.allow file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.
Audit:
Run the following command to determine the permissions on the /etc/hosts.allow file.
# /bin/ls -l /etc/hosts.allow
-rw-r--r-- 1 root root 2055 Jan 30 16:30 /etc/hosts.allow
Remediation:
If the permissions of the /etc/hosts.allow file are incorrect, run the following command to correct them:
# /bin/chmod 644 /etc/hosts.allow
4.5.4 Create /etc/hosts.deny
The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file.
Rationale:
The /etc/hosts.deny file serves as a failsafe so that any host not specified in /etc/hosts.allow is denied access to the server.
Audit:
Verify that /etc/hosts.deny exists and is configured to deny all hosts not explicitly listed in /etc/hosts.allow:
# grep "ALL: ALL" /etc/hosts.deny
ALL: ALL
Remediation:
Create /etc/hosts.deny:
# echo "ALL: ALL" >> /etc/hosts.deny
4.5.5 Verify Permissions on /etc/hosts.deny
The /etc/hosts.deny file contains network information that is used by many system applications and therefore must be readable for these applications to operate.
Rationale:
It is critical to ensure that the /etc/hosts.deny file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.
Audit:
Run the following command to determine the permissions on the /etc/hosts.deny file.
# /bin/ls -l /etc/hosts.deny
-rw-r--r-- 1 root root 2055 Jan 30 16:30 /etc/hosts.deny
Remediation:
If the permissions of the /etc/hosts.deny file are incorrect, run the following command to correct them:
# /bin/chmod 644 /etc/hosts.deny
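Sections 4.5.2 to 4.5.5 audit four separate things (contents of hosts.allow, contents of hosts.deny, and the permissions of each) with four commands. The following shell script is an added example, not part of the benchmark, that combines those checks and adds the one mistake the separate greps do not catch: libwrap consults /etc/hosts.allow first, then /etc/hosts.deny, and permits the connection if neither matches, so a catch-all "ALL: ALL" rule in hosts.allow silently makes the "ALL: ALL" in hosts.deny irrelevant. File paths are arguments so the checks can run on copies; the script assumes GNU coreutils stat, and the function names active_rules, allow_grants_everyone, deny_is_default, mode_ok and audit_wrappers are this example's own.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit TCP Wrappers access-control
# files as described in 4.5.2 to 4.5.5, on the real files or on copies.

# active_rules FILE: the rules of FILE with comments and blank lines removed
active_rules() { sed 's/#.*//' "$1" | grep -v '^[[:space:]]*$'; }

# allow_grants_everyone FILE
# True if hosts.allow itself admits every client to every service. Because
# hosts.allow is consulted first, such a rule bypasses the deny-by-default
# rule in hosts.deny entirely.
allow_grants_everyone() {
    active_rules "$1" | grep -Eq '^ALL[[:space:]]*:[[:space:]]*ALL([[:space:]]|$)'
}

# deny_is_default FILE: true if hosts.deny contains a catch-all "ALL: ALL"
deny_is_default() {
    active_rules "$1" | grep -Eq '^ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*$'
}

# mode_ok FILE: true if the permission bits are exactly 644 (-rw-r--r--).
# The files must stay world-readable: libwrap runs inside each daemon, which
# may have dropped privileges by the time it reads them.
mode_ok() { [ "$(stat -c '%a' "$1")" = "644" ]; }

# audit_wrappers ALLOW DENY
# Print one finding per check; exit status 1 if any check fails.
audit_wrappers() {
    allow=$1; deny=$2; rc=0
    for f in "$allow" "$deny"; do
        if [ ! -f "$f" ]; then echo "FAIL $f missing"; rc=1; continue; fi
        if mode_ok "$f"; then echo "PASS $f mode 644"
        else echo "FAIL $f mode $(stat -c '%a' "$f"), expected 644"; rc=1; fi
        # ownership is only a warning so the script can be run on copies
        [ "$(stat -c '%U' "$f")" = root ] || echo "WARN $f owned by $(stat -c '%U' "$f"), expected root"
    done
    if [ -f "$deny" ]; then
        if deny_is_default "$deny"; then echo "PASS $deny denies by default"
        else echo "FAIL $deny lacks a catch-all 'ALL: ALL' rule"; rc=1; fi
    fi
    if [ -f "$allow" ]; then
        if allow_grants_everyone "$allow"; then
            echo "FAIL $allow grants 'ALL: ALL'; hosts.deny is never consulted"; rc=1
        fi
        n=$(active_rules "$allow" | grep -c . || true)
        echo "INFO $allow has $n active rule(s)"
    fi
    return $rc
}

# Live use: audit_wrappers /etc/hosts.allow /etc/hosts.deny
```

Run it before and after creating hosts.deny: the order of the two remediation steps matters on a remote host, because writing "ALL: ALL" into hosts.deny before hosts.allow lists the administrative network locks out the next wrapped SSH session.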
4.6 Uncommon Network Protocols
Red Hat Linux supports several network protocols that are not commonly used. If these protocols are not needed, it is recommended that they be disabled in the kernel.
4.6.1 Disable DCCP
The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery.
Rationale:
If the protocol is not required, it is recommended that the drivers not be installed to reduce the potential attack surface.
Audit:
Perform the following to determine if DCCP is disabled.
# grep "install dccp /bin/true" /etc/modprobe.d/CIS.conf
install dccp /bin/true
Remediation:
# echo "install dccp /bin/true" >> /etc/modprobe.d/CIS.conf
4.6.2 Disable SCTP
The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP.
Rationale:
If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface.
Audit:
Perform the following to determine if SCTP is disabled.
# grep "install sctp /bin/true" /etc/modprobe.d/CIS.conf
install sctp /bin/true
Remediation:
# echo "install sctp /bin/true" >> /etc/modprobe.d/CIS.conf
4.6.3 Disable RDS
The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation.
Rationale:
If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface.
Audit:
Perform the following to determine if RDS is disabled.
# grep "install rds /bin/true" /etc/modprobe.d/CIS.conf
install rds /bin/true
Remediation:
# echo "install rds /bin/true" >> /etc/modprobe.d/CIS.conf
4.6.4 Disable TIPC
The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes.
Rationale:
If the protocol is not being used, it is recommended that the kernel module not be loaded, disabling the service to reduce the potential attack surface.
Audit:
Perform the following to determine if TIPC is disabled.
# grep "install tipc /bin/true" /etc/modprobe.d/CIS.conf
install tipc /bin/true
Remediation:
# echo "install tipc /bin/true" >> /etc/modprobe.d/CIS.conf
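The four checks in 4.6 each grep one line out of /etc/modprobe.d/CIS.conf. An "install <module> /bin/true" directive only stops future loads: a module that is already in memory stays there until it is removed or the host reboots, so the file check alone does not prove the protocol is unavailable. The following shell script is an added example, not part of the benchmark, that checks all four protocols for the directive (in a single file or across a whole modprobe.d directory, since modprobe reads every .conf file there) and also reports any of them that is currently loaded according to /proc/modules. The config path and the /proc/modules path are arguments so the logic can be run on constructed copies; the function names install_disabled, module_loaded and audit_modules are this example's own.

```shell
#!/bin/sh
# Added example (not from the benchmark): verify the 4.6 module blacklist and
# flag modules that are blacklisted on disk but still loaded in the kernel.

UNCOMMON_MODULES="dccp sctp rds tipc"

# install_disabled CONF MODULE
# True if CONF (a file, or a directory of *.conf files) has an active line
# mapping MODULE to /bin/true.
install_disabled() {
    if [ -d "$1" ]; then cat "$1"/*.conf 2>/dev/null; else cat "$1"; fi |
        grep -Eq "^[[:space:]]*install[[:space:]]+$2[[:space:]]+/bin/true([[:space:]]|$)"
}

# module_loaded PROC_MODULES MODULE
# True if MODULE appears in a /proc/modules listing (first field is the name).
module_loaded() {
    grep -Eq "^$2[[:space:]]" "$1"
}

# audit_modules CONF PROC_MODULES
# One line per module; exit status 1 if any module lacks the directive or is
# currently loaded.
audit_modules() {
    conf=$1; procmod=$2; rc=0
    for m in $UNCOMMON_MODULES; do
        if install_disabled "$conf" "$m"; then s="install directive present"
        else s="NO install directive"; rc=1; fi
        if module_loaded "$procmod" "$m"; then
            s="$s, currently LOADED (unload it or reboot for the directive to take effect)"
            rc=1
        fi
        echo "$m: $s"
    done
    return $rc
}

# Live use: audit_modules /etc/modprobe.d /proc/modules
```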
4.7 Enable IPtables
IPtables is an application that allows a system administrator to configure the IPv4 tables, chains and rules provided by the Linux kernel firewall.
Rationale:
IPtables provides extra protection for the Linux system by limiting communications in and out of the box to specific IPv4 addresses and ports.
Audit:
Perform the following to determine if IPtables is enabled:
# chkconfig --list iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Remediation:
# service iptables restart
# chkconfig iptables on
4.8 Enable IP6tables
IP6tables is an application that allows a system administrator to configure the IPv6 tables, chains and rules provided by the Linux kernel firewall.
Rationale:
IP6tables provides extra protection for the Linux system by limiting communications in and out of the box to specific IPv6 addresses and ports.
Note: IP6Tables should only be enabled if IPv6 has been enabled on your system.
Audit:
Perform the following to determine if IP6Tables is enabled:
# chkconfig --list ip6tables
ip6tables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Remediation:
# service ip6tables restart
# chkconfig ip6tables on
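The audits in 4.7 and 4.8 are read by eye from chkconfig output, and 4.8 adds the condition that ip6tables is only expected when IPv6 is in use. The following shell script is an added example, not part of the benchmark, that encodes both: a service counts as enabled only when it is on in every multi-user runlevel (2 through 5), and ip6tables is reported as not applicable when /etc/sysconfig/network sets NETWORKING_IPV6=no (the 4.4.2 setting). The chkconfig listing and the network file are passed as files so the check can run on constructed copies; the function names service_enabled, ipv6_in_use and audit_firewall are this example's own.

```shell
#!/bin/sh
# Added example (not from the benchmark): evaluate "chkconfig --list" output
# for iptables and ip6tables as required by 4.7 and 4.8.

# service_enabled LISTING NAME
# True if NAME's line in the listing shows "on" for runlevels 2, 3, 4 and 5.
service_enabled() {
    line=$(grep -E "^$2[[:space:]]" "$1") || return 1
    for lvl in 2 3 4 5; do
        printf '%s\n' "$line" | grep -Eq "[[:space:]]$lvl:on([[:space:]]|$)" || return 1
    done
    return 0
}

# ipv6_in_use NETWORK_FILE
# True unless the file disables IPv6 with NETWORKING_IPV6=no. A missing file
# is treated as IPv6 in use, the safer assumption for a firewall check.
ipv6_in_use() {
    ! grep -Eq '^[[:space:]]*NETWORKING_IPV6=no' "$1" 2>/dev/null
}

# audit_firewall LISTING NETWORK_FILE
# Exit status 1 if iptables is not enabled, or ip6tables is not enabled while
# IPv6 is in use.
audit_firewall() {
    listing=$1; netfile=$2; rc=0
    if service_enabled "$listing" iptables; then
        echo "PASS iptables on in runlevels 2-5"
    else
        echo "FAIL iptables not on in all of runlevels 2-5"; rc=1
    fi
    if ipv6_in_use "$netfile"; then
        if service_enabled "$listing" ip6tables; then
            echo "PASS ip6tables on in runlevels 2-5"
        else
            echo "FAIL ip6tables not on in all of runlevels 2-5 while IPv6 is in use"; rc=1
        fi
    else
        echo "N/A  ip6tables: IPv6 disabled in $netfile"
    fi
    return $rc
}

# Live use:
#   chkconfig --list > /tmp/chkconfig.txt
#   audit_firewall /tmp/chkconfig.txt /etc/sysconfig/network
```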