Thanks Karanbir!
Disabling SELinux
Linux Internals
Virtual Filesystem /proc
Kernel Parameters
Sysctl Support
Disabling IPv6
/etc/sysctl.conf
net.ipv4.ip_forward = 0 -> # Controls IP packet forwarding
net.ipv4.conf.default.rp_filter = 1 -> # Controls source route verification
net.ipv4.conf.default.accept_source_route = 0 -> # Do not accept source routing
kernel.sysrq = 0 -> # Controls the System Request debugging functionality of the kernel
kernel.core_uses_pid = 1 -> # Controls whether core dumps will append the PID to the core filename
net.ipv4.tcp_syncookies = 1 -> # Controls the use of TCP syncookies
All Rights reserved
/etc/sysctl.conf
net.bridge.bridge-nf-call-ip6tables = 0 -> # Disable netfilter on bridges
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
kernel.panic = 5 -> # Reboot 5 seconds after a kernel panic
net.ipv4.tcp_fin_timeout = 15 -> # Decrease the default value of tcp_fin_timeout
net.ipv4.tcp_keepalive_time = 1800 -> # Decrease the default value of tcp_keepalive_time
net.ipv4.tcp_window_scaling = 0 -> # Turn off TCP window scaling
/etc/sysctl.conf
net.ipv4.tcp_sack = 0 -> # Turn off TCP selective acknowledgements (tcp_sack)
net.ipv4.tcp_timestamps = 0 -> # Turn off TCP timestamps
net.ipv4.icmp_echo_ignore_broadcasts = 1 -> # Ignore ICMP echo requests sent to broadcast addresses
net.ipv4.icmp_ignore_bogus_error_responses = 1 -> # Enable bad error message protection
net.ipv4.conf.all.log_martians = 1 -> # Log spoofed packets, source routed packets, redirect packets
kernel.shmmax = 268435456 -> # Set the maximum amount of memory allocated to shm to 256 MB
/etc/sysctl.conf
net.ipv4.tcp_max_syn_backlog = 1280 -> # Increases the size of the socket queue (effectively, q0)
net.ipv4.tcp_mem = 57344 57344 65536 -> # Increase the maximum total TCP buffer space allocatable
net.ipv4.tcp_wmem = 32768 65536 524288 -> # Increase the maximum TCP write-buffer space allocatable
net.ipv4.tcp_rmem = 98304 196608 1572864 -> # Increase the maximum TCP read-buffer space allocatable
net.core.rmem_max = 524280 -> # Increase the maximum receive socket buffer size
net.core.rmem_default = 524280 -> # Increase the default receive socket buffer size
/etc/sysctl.conf
net.core.wmem_max = 524280 -> # Increase the maximum send socket buffer size
net.core.wmem_default = 524280 -> # Increase the default send socket buffer size
net.ipv4.tcp_max_tw_buckets = 1440000 -> # Increase the TCP time-wait buckets pool size
net.ipv4.ip_local_port_range = 16384 65536 -> # Allowed local port range
net.ipv4.ipfrag_high_thresh = 512000 -> # Increase the maximum memory used to reassemble IP fragments
/etc/sysctl.conf
net.ipv4.ipfrag_low_thresh = 446464
net.core.optmem_max = 57344 -> # Increase the maximum amount of option memory buffers
net.ipv4.conf.all.accept_redirects = 0 -> # Do not accept ICMP redirects (avoids MITM)
net.ipv4.conf.all.send_redirects = 0 -> # Forbid sending ICMP redirects
net.ipv6.conf.all.disable_ipv6 = 1 -> # Disable IPv6
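The settings above only protect a host if they are actually present in the file that sysctl loads, and when a key is listed twice the last line wins. The following script is an added example, not part of the original slides: it parses a sysctl.conf-style file with the same "key = value" syntax the slides use and reports every baseline key that is missing or differs. The baseline values are the ones listed above; the sample config it checks is constructed here to show two typical mistakes (a key never set, and a later line silently overriding an earlier one).

```shell
#!/bin/sh
# Added example, not from the original slides: audit a sysctl.conf-style
# file against a baseline of the hardening values listed above. It reads
# the file only (never the running kernel), so it runs anywhere; on a live
# host the same comparison could be made against "sysctl -n KEY".

# Baseline: key=value, one per line. The values are the ones the slides set.
BASELINE='net.ipv4.ip_forward=0
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.accept_source_route=0
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_broadcasts=1
kernel.sysrq=0'

# sysctl_value FILE KEY -> prints the effective value of KEY in FILE.
# Comments and whitespace around "=" are ignored; when a key appears more
# than once the LAST line wins, which is what "sysctl -p" ends up applying.
# Prints nothing if the key is absent.
sysctl_value() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    awk -F'=' -v k="$2" '
        NF >= 2 {
            key = $1; sub(/[ \t]+$/, "", key)
            val = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", val)
            if (key == k) last = val
        }
        END { if (last != "") print last }'
}

# sysctl_drift FILE -> one line per baseline key that is missing or differs:
#   KEY expected=X actual=Y     (actual=<unset> when the key is absent)
# The exit status is the number of drifting keys, so 0 means compliant.
sysctl_drift() {
    file=$1; drift=0
    for entry in $BASELINE; do            # baseline entries contain no spaces
        key=${entry%%=*}; want=${entry#*=}
        have=$(sysctl_value "$file" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "${have:-<unset>}"
            drift=$((drift + 1))
        fi
    done
    return "$drift"
}

# Constructed sample config with two deliberate problems: log_martians is
# never set, and a later ip_forward line silently overrides the earlier one.
SYSCTL_SAMPLE=$(mktemp)
cat > "$SYSCTL_SAMPLE" <<'EOF'
# Kernel sysctl configuration (constructed sample)
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.ip_forward = 1   # added later by hand; this is the value that applies
EOF

sysctl_drift "$SYSCTL_SAMPLE" || echo "drifting keys: $?"
```

Run it against /etc/sysctl.conf (or each file under /etc/sysctl.d/) after every change; the non-zero exit status makes it usable from a cron job or a configuration-management check.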
Understanding services
auditd
blk-availability
crond
iptables && ip6tables
lvm2-monitor
netfs
network
postfix
rsyslogd
sshd
udev-post
IPTables
Hardening SSH
aes128-cbc, aes256-cbc
X11Forwarding and PermitEmptyPasswords -> If not needed, NO
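Setting these two directives to "no" is only effective if sshd actually reads that value: unlike sysctl.conf, sshd uses the first occurrence of a keyword, keywords are case-insensitive, and anything after a Match line is conditional. The script below is an added example, not from the slides, that checks an sshd_config file with exactly those rules. The sample config is constructed here and shows a hardening line appended at the end of the file that never takes effect.

```shell
#!/bin/sh
# Added example, not from the original slides: check an sshd_config file for
# the two directives the slide says to switch off when not needed.
# Assumption: the "Keyword value" form is used (the "Keyword=value" form is
# not handled here).

# sshd_option FILE KEYWORD -> effective global value of KEYWORD, or nothing
# if it is not set (sshd then uses its built-in default). Matching is
# case-insensitive, the FIRST occurrence wins, and the scan stops at the
# first Match block because everything after it applies conditionally.
sshd_option() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
        tolower($1) == "match" { exit }           # conditional section: stop
        tolower($1) == want { print $2; exit }    # first occurrence wins
    ' "$1"
}

# sshd_audit FILE -> one line per directive whose effective value is not
# "no"; the exit status is the number of such directives (0 = hardened).
sshd_audit() {
    bad=0
    for kw in X11Forwarding PermitEmptyPasswords; do
        val=$(sshd_option "$1" "$kw")
        # Both directives default to "no" in OpenSSH when absent.
        val=$(printf '%s' "${val:-no}" | tr 'A-Z' 'a-z')
        if [ "$val" != "no" ]; then
            echo "$kw is '$val' (first occurrence wins); set it to no unless needed"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: the "X11Forwarding no" added at the end never applies
# because an earlier line already set it, and the Match block is ignored.
SSHD_SAMPLE=$(mktemp)
cat > "$SSHD_SAMPLE" <<'EOF'
# constructed sshd_config sample
Port 22
Protocol 2
X11Forwarding yes
PermitEmptyPasswords no
# appended later to "harden" the host, but the first X11Forwarding line wins
X11Forwarding no
Match User backup
    PermitEmptyPasswords yes
EOF

sshd_audit "$SSHD_SAMPLE" || echo "directives to fix: $?"
```

On a real host, "sshd -T" prints the effective configuration after all parsing and is the authoritative cross-check for what this script infers from the file.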
Hardening BASH
Define read-only environment variables -> To avoid them being overwritten by users (declare -r HISTFILE=~/.bash_history && chattr +i .bash_history)
HISTFILESIZE -> Maximum number of lines to keep in the history file
HISTSIZE -> Maximum number of commands stored in memory
HISTTIMEFORMAT -> Date/time format used to store command execution times
Force HISTFILE to be committed every time a command is typed instead of at logout -> readonly || declare -r PROMPT_COMMAND="history -a"
Hardening BASH
Limit the login session timeout -> declare -r TMOUT=120
Limits -> ulimit command
-c maximum size of core files
-s maximum stack size
-t maximum CPU seconds
-u maximum time available per process users
-v maximum virtual memory size available to the shell
-x maximum file block
Default file mask for every user -> umask 077 (rwx --- ---)
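The two BASH slides above describe individual settings; in practice they are applied together from a site-wide profile snippet, and the point of making them read-only is that a user cannot undo them. The script below is an added example, not from the slides: it applies the history, TMOUT, umask and core-dump settings and then checks that each one is in place, including that the variables really are read-only. The file location is an assumption (not stated on the slides), and POSIX "readonly" is used in place of bash's "declare -r" so the same snippet also works under /bin/sh.

```shell
#!/bin/sh
# Added example, not from the original slides: the slides' read-only history,
# TMOUT and umask advice as a drop-in snippet, plus a check that it took.
# Assumed location: a site-wide file such as /etc/profile.d/hardening.sh
# (our choice, not stated on the slides).

apply_shell_hardening() {
    # History: fixed file, large size, timestamped entries, all read-only so a
    # user cannot point HISTFILE at /dev/null or shrink HISTSIZE to 0.
    readonly HISTFILE="$HOME/.bash_history"
    readonly HISTFILESIZE=10000
    readonly HISTSIZE=10000
    readonly HISTTIMEFORMAT='%F %T '
    # Append every command to the history file as it is entered, not at logout.
    readonly PROMPT_COMMAND='history -a'
    # Idle-session timeout in seconds; read-only so it cannot be unset.
    readonly TMOUT=120
    export HISTFILE HISTFILESIZE HISTSIZE HISTTIMEFORMAT TMOUT
    # New files are private to their owner: rwx --- ---.
    umask 077
    # No core dumps at all; they can carry passwords and key material.
    ulimit -c 0
}

# is_readonly NAME -> true if NAME can no longer be reassigned in this shell.
# The assignment is tried in a subshell so the failure cannot abort the caller.
is_readonly() {
    ! ( eval "$1=probe" ) 2>/dev/null
}

# check_shell_hardening -> prints one line per failing check; the exit status
# is the number of failures, so 0 means everything is in place.
check_shell_hardening() {
    fails=0
    for v in HISTFILE HISTSIZE PROMPT_COMMAND TMOUT; do
        is_readonly "$v" || { echo "FAIL: $v can be overwritten"; fails=$((fails + 1)); }
    done
    if [ "${TMOUT:-0}" -le 0 ] || [ "${TMOUT:-0}" -gt 300 ]; then
        echo "FAIL: TMOUT=${TMOUT:-unset} (expected 1..300 seconds)"; fails=$((fails + 1))
    fi
    [ "$(umask)" = "0077" ] || { echo "FAIL: umask is $(umask), expected 0077"; fails=$((fails + 1)); }
    [ "$(ulimit -c)" = "0" ] || { echo "FAIL: core dumps are allowed"; fails=$((fails + 1)); }
    return "$fails"
}

apply_shell_hardening
check_shell_hardening && echo "shell hardening in place"
```

Note that a read-only variable only binds the shell it was set in: a user who starts a different shell, or passes "--norc"/"--noprofile", gets a fresh environment, so this belongs alongside the audit and logging controls on the later slides rather than in place of them.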
Hardening Apache
Installation:
Use the rpm package or a static compilation
Right permissions: chown + chroot
chmod -R go-r /etc/httpd
chmod -R go-r /var/log/httpd
Hardening Apache
Listen [IP Address:]<Port>
Allow from directives:
Deny from All
Allow from 192.168.X.Y/24
With mod_security:
SecServerSignature "Powered by Securizame 8.0"
Patch Management
Optional package: yum-cron
/etc/sysconfig/yum-cron
Auditing Tools
Check security/health
Misconfigurations && Malware
Tools:
Lynis, checklist-linux,
rkhunter, chkrootkit
unhide
Filesystem Integrity
AFICK, AIDE, Tripwire
Lynis/checklistlinux
Logs
Send to a remote event collector: syslog
NTP (Network Time Protocol)
LIDS: OSSEC
OSSEC
Conclusions