Core of Metadistros-based distributions

4. Proposed changes to Debian's default configuration

Important

The changes shown below have to be discussed and improved by the metadistros developers:

4.1. Use of shadow passwords and MD5 password hashes

Every metadistros-based system should have shadow passwords and MD5-hashed passwords enabled. To get shadow passwords, if the official Debian installation did not already set them up, run pwconv, then grpconv, and finally:

    shadowconfig on

If we want MD5 hashes, we have to add the word md5 to the following line in /etc/pam.d/login and /etc/pam.d/passwd:

    password required pam_unix.so nullok obscure min=4 max=8

4.2. Eurocastellanizing the system

If the distribution is intended for Spanish-speaking users, run the eurocastellanizar script. Once that is done, add the following locales to '/etc/locale.gen' and run locale-gen:

    ca_ES.ISO-8859-1
    ca_ES.ISO-8859-15@euro
    es_ES.ISO-8859-1
    es_ES.ISO-8859-15@euro
    eu_ES.ISO-8859-1
    eu_ES.ISO-8859-15@euro
    gl_ES.ISO-8859-1
    gl_ES.ISO-8859-15@euro

4.3. Removing unimportant services from /etc/inetd.conf

Remove the "discard", "daytime" and "time" services from the configuration file of the inetd superserver (using update-inetd); if necessary, replace inetd with xinetd.

4.4. Possible options for /etc/fstab

Some options for /etc/fstab that I find interesting:

    # /etc/fstab: static file system information.
    #
    /dev/ide/host0/bus0/target0/lun0/part5 /           reiserfs rw,nosuid,dev,exec,auto,nouser,async     0 0
    /dev/ide/host0/bus0/target0/lun0/part1 /boot       reiserfs ro,nosuid,nodev,noexec,auto,nouser,async 0 0
    /dev/disco/root                        /root       reiserfs rw,nosuid,nodev,exec,auto,nouser,async   0 0
    /dev/disco/home                        /home       reiserfs rw,nosuid,nodev,noexec,auto,nouser,async 0 0
    /dev/disco/tmp                         /tmp        reiserfs rw,nosuid,nodev,exec,auto,nouser,async   0 0
    /dev/disco/usr                         /usr        reiserfs ro,nosuid,nodev,exec,auto,nouser,async   0 0
    /dev/disco/var                         /var        reiserfs rw,nosuid,nodev,noexec,auto,nouser,async 0 0
    /dev/disco/log                         /var/log    reiserfs rw,nosuid,nodev,noexec,auto,nouser,async 0 0
    /dev/disco/spool                       /var/spool  reiserfs rw,nosuid,nodev,noexec,auto,nouser,async 0 0
    /dev/sandisco/setuid                   /mnt/setuid reiserfs ro,suid,nodev,exec,auto,nouser,async     0 0
    /dev/ide/host0/bus0/target0/lun0/part2 none        swap     sw,pri=1                                  0 0
    proc                                   /proc       proc     defaults                                  0 0
    /dev/floppy/0                          /floppy     auto     rw,nosuid,nodev,noexec,auto,user,async    0 0
    /dev/ide/host0/bus1/target0/lun0/cd    /cdrom      iso9660  ro,nosuid,nodev,noexec,auto,user,async    0 0

4.5. /etc/apt/apt.conf

If the /etc/fstab options above have been applied, it would be advisable to include the following in /etc/apt/apt.conf, so that the read-only and noexec file systems are made writable and executable while dpkg runs and set back afterwards:

    DPkg
    {
        Pre-Invoke  { "mount / -o remount,rw" };
        Pre-Invoke  { "mount /usr -o remount,rw" };
        Pre-Invoke  { "mount /boot -o remount,rw" };
        Pre-Invoke  { "mount /tmp -o remount,exec" };
        Pre-Invoke  { "mount /var -o remount,exec" };
        Post-Invoke { "mount / -o remount,ro" };
        Post-Invoke { "mount /usr -o remount,ro" };
        Post-Invoke { "mount /boot -o remount,ro" };
        Post-Invoke { "mount /tmp -o remount,noexec" };
        Post-Invoke { "mount /var -o remount,noexec" };
    };
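As an added example (this checker is not part of the Metadistros page; the mount-option policy it encodes is read off the /etc/fstab listing in 4.4, and the sample fstab it audits is constructed here), a POSIX shell script that reports which mount points still lack the nodev/nosuid/noexec/ro options the proposal calls for. Pointed at the real /etc/fstab of an installed system it shows whether the proposal was actually applied and whether a later edit undid it:

```sh
#!/bin/sh
# Added example, not part of the Metadistros page: audit an fstab against the
# mount-option policy implied by the /etc/fstab listing in section 4.4.
# Each POLICY line is "<mountpoint> <comma-separated options that must be
# present>". The checker and the sample fstab below are constructed here.

POLICY='/boot nodev,nosuid,noexec,ro
/home nodev,nosuid,noexec
/tmp nodev,nosuid
/usr nodev,nosuid,ro
/var nodev,nosuid,noexec
/var/log nodev,nosuid,noexec
/var/spool nodev,nosuid,noexec'

# has_option OPTS OPTION: succeed if OPTION is one of the comma-separated
# entries in OPTS. Matching is exact, so "exec" does not satisfy "noexec".
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# mount_options FSTAB MOUNTPOINT: print the options field of the entry for
# MOUNTPOINT (comment lines ignored), or nothing if there is no such entry.
mount_options() {
    awk -v m="$2" '$1 !~ /^#/ && $2 == m { print $4 }' "$1"
}

# audit_fstab FSTAB: print one finding per line:
#   UNMOUNTED <mountpoint>        the policy expects a separate file system
#   MISSING   <mountpoint> <opt>  the entry exists but lacks a required option
# Nothing is printed for a compliant file.
audit_fstab() {
    printf '%s\n' "$POLICY" | while read -r mnt required; do
        opts=$(mount_options "$1" "$mnt")
        if [ -z "$opts" ]; then
            echo "UNMOUNTED $mnt"
            continue
        fi
        for opt in $(printf '%s' "$required" | tr ',' ' '); do
            has_option "$opts" "$opt" || echo "MISSING $mnt $opt"
        done
    done
}

# count_problems FSTAB: number of findings (0 means the policy holds)
count_problems() {
    audit_fstab "$1" | awk 'END { print NR }'
}

# Constructed sample fstab with three deliberate deviations: /home is still
# exec, /tmp still allows device nodes, and /var/log has no file system of
# its own.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample, not a real system
/dev/disco/root  /          reiserfs rw,nosuid,dev,exec,auto,nouser,async     0 0
/dev/disco/boot  /boot      reiserfs ro,nosuid,nodev,noexec,auto,nouser,async 0 0
/dev/disco/home  /home      reiserfs rw,nosuid,nodev,exec,auto,nouser,async   0 0
/dev/disco/tmp   /tmp       reiserfs rw,nosuid,dev,exec,auto,nouser,async     0 0
/dev/disco/usr   /usr       reiserfs ro,nosuid,nodev,exec,auto,nouser,async   0 0
/dev/disco/var   /var       reiserfs rw,nosuid,nodev,noexec,auto,nouser,async 0 0
/dev/disco/spool /var/spool reiserfs rw,nosuid,nodev,noexec,auto,nouser,async 0 0
proc             /proc      proc     defaults                                  0 0
EOF

echo "Findings for the constructed sample:"
audit_fstab "$SAMPLE"
echo "Total: $(count_problems "$SAMPLE")"
```

Running the script prints MISSING /home noexec, MISSING /tmp nodev and UNMOUNTED /var/log for the sample; `audit_fstab /etc/fstab` applies the same policy to the live file. The policy deliberately leaves out / (the only file system the listing mounts with dev) and /mnt/setuid (the only one mounted suid), since those are the two places the proposal allows what it forbids everywhere else.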
4.6. /etc/console-tools/config

We add Euro support on the console:

    #
    # Euro support -> ¤
    #
    SCREEN_FONT=lat0-sun16
    APP_CHARSET_MAP=iso15
    #
    #DO_VCSTIME=yes
    #
    # Forget this one unless you _know_ it is necessary for your font:
    #
    # Euro support -> ¤
    #
    SCREEN_FONT_vc1=lat0-sun16
    SCREEN_FONT_vc2=lat0-sun16
    SCREEN_FONT_vc3=lat0-sun16
    SCREEN_FONT_vc4=lat0-sun16
    SCREEN_FONT_vc5=lat0-sun16
    SCREEN_FONT_vc6=lat0-sun16

4.7. /etc/dpkg/dselect.cfg

Add the word 'expert' to /etc/dpkg/dselect.cfg.

4.8. /etc/network/

Add the file 'interfaces-secure' with the following content:

    #!/bin/sh
    # Script-name: /etc/network/interface-secure
    # Modifies some default behaviour in order to secure against
    # some TCP/IP spoofing & attacks
    #
    # Contributed by Dariusz Puchalak
    #
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts  # broadcast echo protection enabled
    echo 0 > /proc/sys/net/ipv4/ip_forward                   # ip forwarding disabled
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies               # TCP syn cookie protection enabled
    # Log packets with impossible addresses
    # but be careful with this on heavy loaded web servers
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    # defragging protection always enabled
    echo 1 > /proc/sys/net/ipv4/ip_always_defrag
    # bad error message protection enabled
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    # now ip spoofing protection
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$f"
    done
    # and finally some more things:
    # Disable ICMP Redirect Acceptance
    for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > "$f"
    done
    for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
        echo 0 > "$f"
    done
    # Disable Source Routed Packets
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > "$f"
    done
    # Log Spoofed Packets, Source Routed Packets, Redirect Packets
    for f in /proc/sys/net/ipv4/conf/*/log_martians; do
        echo 1 > "$f"
    done

Note

For interfaces configured via DHCP, do the following: create a new file named '/etc/network/interfaces-arranque' in which the following line is added to the configuration of the network card facing the Internet, for example:

    pre-up /etc/network/interface-secure

Once this is done, edit '/etc/network/interfaces' and add the following to the definition of a network interface:

    pre-up /etc/network/interface-secure
    up /etc/init.d/rc_firewall start

where rc_firewall is the firewall. Finally, modify '/etc/init.d/networking' so that at boot it reads /etc/network/interfaces-arranque instead of /etc/network/interfaces.

Note

For interfaces with fixed addresses, add the following line to '/etc/network/interfaces':

    pre-up /etc/network/interface-secure

4.9. PAM

Comments on the default PAM configuration:

* Add the groups 'wheel' and 'nosu'. Users who are allowed to use 'su' go in the first; users who are not allowed are added to 'nosu'.

* chfn, chsh and cron: remove the 'nullok' entry.

* login

  * Uncomment the lines:

        auth     required  pam_issue.so issue=/etc/issue
        auth     optional  pam_group.so
        account  requisite pam_time.so
        account  required  pam_access.so
        session  required  pam_limits.so

  * Remove the 'nullok' entries.

  * Comment out the line:

        # password required pam_unix.so nullok obscure min=4 max=8 md5

  * Uncomment and modify the following lines so that they read:

        password required pam_cracklib.so retry=3 minlen=8 difok=4
        password required pam_unix.so use_authtok md5

* other

  * Comment out or delete the default lines and add the following:

        auth     required pam_securetty.so
        auth     required pam_unix_auth.so
        auth     required pam_warn.so
        auth     required pam_deny.so
        account  required pam_unix_acct.so
        account  required pam_warn.so
        account  required pam_deny.so
        password required pam_unix_passwd.so
        password required pam_warn.so
        password required pam_deny.so
        session  required pam_unix_session.so
        session  required pam_warn.so
        session  required pam_deny.so

* passwd

  * Comment out the line:

        password required pam_unix.so nullok obscure min=4 max=8 md5

  * Uncomment and modify the last two lines so that they read:

        password required pam_cracklib.so retry=3 minlen=8 difok=4
        password required pam_unix.so use_authtok md5

  * Remove the 'nullok' entries.

* ssh

  * Comment out the line:

        password required pam_unix.so

  * Uncomment and modify the last two lines so that they read:

        password required pam_cracklib.so retry=3 minlen=8 difok=4
        password required pam_unix.so use_authtok md5

* su

  * Uncomment and modify the lines:

        auth    required  pam_wheel.so group=wheel debug
        auth    required  pam_wheel.so deny group=nosu
        account requisite pam_time.so
        session required  pam_limits.so

4.10. /etc/security/limits.conf

Proposed configuration:

    *          hard core      0
    *          soft nofile    100
    *          hard rss       10000
    *          hard nproc     150
    *          soft fsize     50000
    www-data   soft nofile    100000
    @usuarios  hard core      0
    @usuarios  hard rss       2000
    @usuarios  hard nproc     15
    @usuarios  hard cpu       2
    @usuarios  hard nofile    30
    @usuarios  hard fsize     10000
    @usuarios  hard memlock   5000
    @usuarios  hard data      1000
    @usuarios  hard maxlogins 4
    @usuarios  hard priority  17

If there is a particular user on our system, we could add:

    #nombreusuario soft fsize  3000000
    nombreusuario  hard nofile 10000000

4.11. /etc/ssh/

Proposed configuration for these files:

* ssh_config: add the following:

      Host *
          Protocol 2
          Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
          Compression yes
          HostKeyAlgorithms ssh-dss,ssh-rsa

* sshd_config: add the following:

4.12. /etc/group

If the grsecurity patch is installed and we use the metadistros kernel configuration, we would have to add the following groups:

    privileged:x:2000:
    trustedpath:x:2002:
    socketall:x:2004:
    socketclient:x:2005:
    socketserver:x:2006:
    auditar:x:2007:

Warning

The group names are only indicative; what matters is that the GIDs match those that were entered in the grsecurity configuration when the kernel was compiled.

4.13. /etc/hosts.allow

Add "sshd: ALL" if necessary.

4.14. /etc/hosts.deny

Proposed lines to add to this file:

    # Deny all hosts with a suspicious name
    ALL: PARANOID
    # Deny all hosts
    ALL: ALL

4.15. /etc/inittab

Comment out the line:

    #ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

4.16. /etc/issue, /etc/issue.net and /etc/motd

Add whatever information is considered appropriate...

4.17. /etc/sysctl.conf

Proposed options:

    #
    # /etc/sysctl.conf - Configuration file for setting system variables
    # See sysctl.conf (5) for information.
    #
    #
    ##
    # Enable low-latency
    #
    # kernel.lowlatency=1
    #############################################
    # Improving web server performance          #
    #############################################
    #
    # Maximum number of open files
    #
    fs/file-max=150000
    #
    # Increase the number of entries in the connection tracking table
    #
    net/ipv4/ip_conntrack_max=524288
    #
    # Increase the backlog queue
    #
    net/ipv4/tcp_max_syn_backlog=4096
    ##############################
    # Buffer Overflow Protection #
    ##############################
    # _______________________
    # Read-only kernel memory
    #
    # root will not be able to modify the contents of
    # kernel memory. If module support is removed in addition to enabling
    # this option, the ability of an attacker to insert foreign code into
    # a running kernel is removed.
    #
    # kernel/grsecurity/read_only_kmem=1
    # _______________________
    # Fixed mmap restrictions
    #
    # If you say Y here, it will be impossible for an attacker to bypass the
    # PaX buffer overflow protection by mmaping an executable memory region
    # with a specific address set.
    #
    # kernel/grsecurity/mmap_fixed_restrict=1
    ##########################
    # Filesystem protections #
    ##########################
    # ____________________
    # Linking restrictions
    #
    # /tmp race exploits will be prevented, since users
    # will no longer be able to follow symlinks owned by other users in
    # world-writeable +t directories (i.e.
    # /tmp), unless the owner of the symlink is the owner of the directory.
    # Users will also not be able to hardlink to files they do not own.
    #
    kernel/grsecurity/linking_restrictions=1
    # _________________
    # FIFO restrictions
    #
    # Users will not be able to write to FIFOs they don't
    # own in world-writeable +t directories (i.e. /tmp), unless the owner of
    # the FIFO is the same owner of the directory it's held in.
    #
    kernel/grsecurity/fifo_restrictions=1
    # _______________________
    # Secure file descriptors
    #
    # set*id binaries will be protected from data spoofing
    # attacks (eg. making a program read /etc/shadow). The patches do this
    # by opening up /dev/null to any of the stdin, stdout, stderr file descriptors
    # for set*id binaries that are open and run by a user that is not the owner
    # of the file.
    #
    # kernel/grsecurity/secure_fds=1
    # ________________________
    # Chroot jail restrictions
    #
    #
    # * Restricted signals
    #
    # Processes inside a chroot will not be able to send
    # signals outside of the chroot. The only signals allowed are null
    # signals which perform no action, and the parent process sending
    # a certain signal to its child.
    #
    ##kernel/grsecurity/chroot_restrict_sigs=1
    #
    # * Deny mounts
    #
    # Processes inside a chroot will not be able to
    # mount or remount filesystems.
    #
    kernel/grsecurity/chroot_deny_mount=1
    #
    # * Deny double-chroots
    #
    # Processes inside a chroot will not be able to chroot
    # again. This is a widely used method of breaking out of a chroot jail
    # and should not be allowed.
    #
    kernel/grsecurity/chroot_deny_chroot=1
    #
    # * Enforce chdir("/") on all chroots
    #
    # The current working directory of all newly-chrooted
    # applications will be set to the root directory of the chroot.
    # The man page on chroot(2) states:
    #   Note that this call does not change the current working
    #   directory, so that `.' can be outside the tree rooted at
    #   `/'. In particular, the super-user can escape from a
    #   `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
    #
    # It is recommended that you say Y here, since it's not known to break
    # any software.
    #
    #kernel/grsecurity/chroot_deny_chdir=1
    #
    # * Deny (f)chmod +s
    #
    # Processes inside a chroot will not be able to chmod
    # or fchmod files to make them have suid or sgid bits. This protects
    # against another published method of breaking a chroot.
    #
    kernel/grsecurity/chroot_deny_chmod=1
    #
    # * Deny mknod
    #
    # Processes inside a chroot will not be allowed to
    # mknod. The problem with using mknod inside a chroot is that it
    # would allow an attacker to create a device entry that is the same
    # as one on the physical root of your system, which could range from
    # anything from the console device to a device for your harddrive (which
    # they could then use to wipe the drive or steal data). It is recommended
    # that you say Y here, unless you run into software incompatibilities.
    #
    kernel/grsecurity/chroot_deny_mknod=1
    #
    # * Deny ptraces
    #
    # Processes inside a chroot will not be able to ptrace
    # other processes. Ptracing a process allows one to attach and alter the
    # flow of execution for the process. It is strongly recommended that you
    # say Y here.
    #
    ##kernel/grsecurity/chroot_deny_ptrace=1
    #
    # * Restrict priority changes
    #
    # Processes inside a chroot will not be able to raise
    # the priority of processes in the chroot, or alter the priority of
    # processes outside the chroot. This provides more security than simply
    # removing CAP_SYS_NICE from the process' capability set.
    #
    kernel/grsecurity/chroot_restrict_nice=1
    # _____________________________________
    # Capability restrictions within chroot
    #
    # The capabilities on all root processes within a
    # chroot jail will be lowered to stop module insertion, raw i/o,
    # system and net admin tasks, transferring capabilities, and
    # tty configuration tasks. This is left an option because it breaks
    # some apps. Disable this if your chrooted apps are having
    # problems performing those kinds of tasks.
    #
    kernel/grsecurity/chroot_caps=1
    # _____________________
    # Secure keymap loading
    #
    # KDSKBENT and KDSKBSENT ioctl calls being
    # called by unprivileged users will be denied. If you answer N,
    # everyone with access to the console will be able to modify keyboard
    # bindings.
    #
    # kernel/grsecurity/secure_kbmap=1
    ####################
    # Security Logging #
    ####################
    # _________________________
    # Single group for auditing
    #
    # the exec, chdir, (un)mount, and ipc logging features
    # will only operate on a group you specify. This option is recommended
    # if you only want to watch certain users instead of having a large
    # amount of logs from the entire system.
    #
    kernel/grsecurity/audit_group=1
    #
    # * GID for auditing
    #
    # Here you can choose the GID that will be the target of
    # kernel auditing. Remember to add the users you want to log
    # to the GID specified here. If the sysctl option is
    # enabled, whatever you choose here won't matter. You'll have to
    # specify the GID in your bootup script by echoing the GID to
    # the proper /proc entry. View the help on the sysctl option for
    # more information.
    #
    kernel/grsecurity/audit_gid=2007
    # ____________
    # Exec logging
    #
    # All execve() calls will be logged (since the
    # other exec*() calls are frontends to execve(), all execution
    # will be logged). Useful for shell-servers that like to keep track
    # of their users.
    #
    # WARNING: This option when enabled will produce a LOT of logs, especially
    # on an active system.
    #
    kernel/grsecurity/exec_logging=0
    # _______________________
    # Log execs within chroot
    #
    # All executions inside a chroot jail will be logged
    # to syslog.
    #
    kernel/grsecurity/chroot_execlog=1
    # _____________
    # Chdir logging
    #
    # All chdir() calls will be logged.
    #
    kernel/grsecurity/audit_chdir=0
    # _________________
    # (Un)Mount logging
    #
    # All mounts and unmounts will be logged.
    #
    kernel/grsecurity/audit_mount=1
    # ___________
    # IPC logging
    #
    # creation and removal of message queues, semaphores,
    # and shared memory will be logged.
    #
    kernel/grsecurity/audit_ipc=1
    # ______________
    # Ptrace logging
    #
    # All successful ptraces will be logged. Ptraces are
    # special operations performed when programs like strace or gdb are run.
    # They have also been the focus of some kernel vulnerabilities.
    #
    ###kernel/grsecurity/audit_ptrace=1
    # ______________
    # Signal logging
    #
    # Certain important signals will be logged, such as
    # SIGSEGV, which will as a result inform you of when an error in a program
    # occurred, which in some cases could mean a possible exploit attempt.
    #
    kernel/grsecurity/signal_logging=0
    # ____________________
    # Fork failure logging
    #
    # All failed fork() attempts will be logged.
    # This could suggest a fork bomb, or someone attempting to overstep
    # their process limit.
    #
    kernel/grsecurity/forkfail_logging=1
    # ____________________________
    # Set*id logging for all users
    #
    # All set*id() calls will be logged. Such information
    # could be useful when detecting a possible intrusion attempt. This
    # option can produce a lot of logs on an active system.
    #
    # kernel/grsecurity/suid_logging=0
    # ___________________
    # Time change logging
    #
    # Any changes of the system clock will be logged.
    #
    kernel/grsecurity/timechange_logging=0
    ##########################
    # Executable Protections #
    ##########################
    # _____________________
    # Exec process limiting
    #
    # Users with a resource limit on processes will
    # have the value checked during execve() calls. The current system
    # only checks the system limit during fork() calls.
    #
    kernel/grsecurity/execve_limiting=1
    # ___________________________
    # Dmesg(8) restriction
    #
    # Non-root users will not be able to use dmesg(8)
    # to view up to the last 4kb of messages in the kernel's log buffer.
    #
    kernel/grsecurity/dmesg=1
    # _______________
    # Randomized PIDs
    #
    # All PIDs created on the system will be
    # pseudo-randomly generated. This is extremely effective along
    # with the /proc restrictions to disallow an attacker from guessing
    # pids of daemons, etc. PIDs are also used in some cases as part
    # of a naming system for temporary files, so this option would keep
    # those filenames from being predicted as well. We also use code
    # to make sure that PID numbers aren't reused too soon.
    #
    kernel/grsecurity/rand_pids=1
    # _____________________________
    # Limit uid/gid changes to root
    #
    # You will be able to choose from three options that
    # will allow you to restrict access to the root account by console
    # type. These options should only be enabled if you are sure of what
    # you're doing. Also note that they only apply to processes that have
    # ttys, which generally involves some kind of user-interaction. The
    # options are basically in place to keep users on a system who have a
    # (stolen) password for root from using it unless their console
    # credentials match.
    #
    #
    # * Deny physical consoles (tty)
    #
    # Access to root from physical consoles will be
    # denied. This is only recommended for rare cases where you will
    # never need to be physically at the machine.
    #
    # kernel/grsecurity/deny_phys_root=0
    #
    # * Deny serial consoles (ttyS)
    #
    # Access to root from serial consoles will be
    # denied. Most people can say Y here, since most don't use serial
    # devices for their console access. If you are unsure, say N.
    #
    kernel/grsecurity/deny_serial_root=1
    #
    # * Deny pseudo consoles (pty)
    #
    # Access to root from pseudo consoles will be
    # denied. Pseudo consoles include consoles from telnet, ssh, or any other
    # kind of interactive shell initiated from the network. Pseudo consoles
    # also include any terminals you use in XFree86. If you will only be
    # accessing the machine for root access from the physical console, you
    # can say Y here. Only say Y here if you're sure of what you're doing.
    #
    kernel/grsecurity/deny_pseudo_root=0
    # ____________________
    # Fork-bomb protection
    #
    # You will be able to configure a group to add to users
    # on your system that you want to be unable to fork-bomb the system.
    # You will be able to specify a maximum process limit for the user and
    # set a rate limit for all forks under their uid. (Fork-bombing is a
    # tactic used by attackers that can be enacted in two ways, (1) loading
    # up thousands of processes until the system can't take any more (this
    # method can be stopped outside of the kernel with PAM, however we place
    # protection for it in the kernel to be more complete and reduce overhead),
    # and (2), by forking processes at a rapid rate, and then killing them
    # off, which cannot be protected against in the same way as tactic 1)
    # The rate limit is specified in forks allowed per second. Set this
    # limit low enough to stop tactic 2, but high enough to allow for
    # normal operation. The protection will kill the offending process.
    #
    # kernel/grsecurity/fork_bomb_prot=1
    #
    # * GID for restricted users
    #
    # Here you can choose the GID to enable fork-bomb protection for.
    # Remember to add the users you want protection enabled for to the GID
    # specified here. If the sysctl option is enabled, whatever you choose
    # here won't matter. You'll have to specify the GID in your bootup
    # script by echoing the GID to the proper /proc entry. View the help
    # on the sysctl option for more information.
    #
    # kernel/grsecurity/fork_bomb_gid=2001
    #
    # * Forks allowed per second
    #
    # Here you can specify the maximum number of forks allowed per second.
    # You don't want to set this value too low, or else you'll hinder
    # normal operation of your system. The default value should be fine for
    # most users.
    #
    # kernel/grsecurity/fork_bomb_sec=40
    #
    # * Maximum processes allowed
    #
    # Here you can configure the maximum number of processes users in the
    # fork-bomb protected group can run. I would not recommend setting a
    # value lower than 8, since some programs like man(1) spawn up to 8
    # processes to run. The default value should be fine for most purposes.
    #
    # kernel/grsecurity/fork_bomb_max=20
    # ______________________
    # Trusted path execution
    #
    # You will be able to choose a gid to add to the
    # supplementary groups of users you want to mark as "untrusted."
    # These users will not be able to execute any files that are not in
    # root-owned directories writeable only by root.
    #
    kernel/grsecurity/tpe=1
    #
    # * Glibc protection
    #
    # All non-root users will not be able to execute
    # any files while glibc specific environment variables such as
    # LD_PRELOAD are set, which could be used to evade the trusted path
    # execution protection. It also protects against evasion through
    # /lib/ld-2.* It is recommended you say Y here also.
    #
    ###kernel/grsecurity/tpe_glibc=1
    #
    # * Partially restrict non-root users
    #
    # All other non-root users will only be allowed to
    # execute files in directories they own that are not group or
    # world-writeable, or in directories owned by root and writeable only by
    # root.
    #
    kernel/grsecurity/tpe_restrict_all=1
    #
    # - GID for untrusted users:
    #
    # Here you can choose the GID to enable trusted path protection for.
    # Remember to add the users you want protection enabled for to the GID
    # specified here. If the sysctl option is enabled, whatever you choose
    # here won't matter. You'll have to specify the GID in your bootup
    # script by echoing the GID to the proper /proc entry. View the help
    # on the sysctl option for more information.
    #
    kernel/grsecurity/tpe_gid=2002
    # _________________
    # Restricted ptrace
    #
    # No one but root will be able to ptrace processes.
    # Tracing syscalls inside the kernel will also be disabled. All allowed
    # ptraces will be logged when this option is enabled.
    #
    # kernel/grsecurity/restrict_ptrace=1
    #
    # * Allow ptrace for group
    #
    # You will be able to choose a GID of whose users
    # will be able to ptrace.
    #
    # kernel/grsecurity/allow_ptrace_group=1
    #
    # - GID for ptrace
    #
    # Here you can choose the GID of whose users will be able to ptrace.
    # Remember to add the users you want ptrace enabled for to the GID
    # specified here. If the sysctl option is enabled, whatever you choose
    # here won't matter. You'll have to specify the GID in your bootup
    # script by echoing the GID to the proper /proc entry. View the help
    # on the sysctl option for more information.
    #
    # kernel/grsecurity/ptrace_gid=2003
    #######################
    # Network Protections #
    #######################
    # _________________
    # Randomized IP IDs
    #
    # All the id field on all outgoing packets
    # will be randomized. This hinders os fingerprinters and
    # keeps your machine from being used as a bounce for an untraceable
    # portscan. Ids are used for fragmented packets, fragments belonging
    # to the same packet have the same id. By default linux only
    # increments the id value on each packet sent to an individual host.
    # We use a port of the OpenBSD random ip id code to achieve the
    # randomness, while keeping the possibility of id duplicates to
    # near none.
    #
    kernel/grsecurity/rand_ip_ids=1
    # ___________________________
    # Randomized TCP source ports
    #
    # Situations where a source port is generated on the
    # fly for the TCP protocol (ie. with connect() ) will be altered so that
    # the source port is generated at random, instead of a simple incrementing
    # algorithm.
    #
    kernel/grsecurity/rand_tcp_src_ports=1
    # ___________________________
    # Randomized RPC XIDs
    #
    # The method of determining XIDs for RPC requests will
    # be randomized, instead of using linux's default behavior of simply
    # incrementing the XID.
    #
    kernel/grsecurity/rand_rpc=1
    # ________________
    # Altered Ping IDs
    #
    # The way Linux handles echo replies will be changed
    # so that the reply uses an ID equal to the ID of the echo request.
    # This will help in confusing OS detection.
    #
    kernel/grsecurity/altered_pings=1
    # ______________
    # Randomized TTL
    #
    # Your TTL (time to live) for packets will be set at
    # random, with a base level you specify, to further confuse OS detection.
    #
    # kernel/grsecurity/rand_ttl=1
    #
    # * TTL starting point:
    #
    # Here you can choose a base TTL for the randomization. The default value
    # for this setting is the Linux default TTL. Most users will want to
    # leave this setting as-is. The higher you set the base level (note that
    # you can't set it above 255) the more hops your packets will live.
    # If the sysctl option is enabled, whatever you choose here won't matter.
    # You'll have to specify the threshold in your bootup script by echoing
    # the threshold to the proper /proc entry. View the help on the sysctl
    # option for more information.
    #
    #kernel/grsecurity/rand_ttl_thresh=64
    # ___________________________
    # Enhanced network randomness
    #
    # The functions controlling the randomness
    # of the Linux IP stack will be enhanced to decrease the chances
    # of being able to predict certain packets that require some
    # amount of randomness.
    #
    ### kernel/grsecurity/rand_net=1
    # ___________________
    # Socket restrictions
    #
    # You will be able to choose from several options.
    # If you assign a GID on your system and add it to the supplementary
    # groups of users you want to restrict socket access to, this patch
    # will perform up to three things, based on the option(s) you choose.
    #
    # * Deny any sockets to group
    #
    # You will be able to choose a GID of whose users will
    # be unable to connect to other hosts from your machine or run server
    # applications from your machine.
    #
    kernel/grsecurity/socket_all=1
    #
    # - GID to deny all sockets for:
    #
    # Here you can choose the GID to disable socket access for. Remember to
    # add the users you want socket access disabled for to the GID
    # specified here. If the sysctl option is enabled, whatever you choose
    # here won't matter. You'll have to specify the GID in your bootup
    # script by echoing the GID to the proper /proc entry. View the help
    # on the sysctl option for more information.
    #
    kernel/grsecurity/socket_all_gid=2004
    #
    # * Deny client sockets to group
    #
    # You will be able to choose a GID of whose users will
    # be unable to connect to other hosts from your machine, but will be
    # able to run servers. If this option is enabled, all users in the group
    # you specify will have to use passive mode when initiating ftp transfers
    # from the shell on your machine.
    #
    kernel/grsecurity/socket_client=1
    #
    # - GID to deny client sockets for:
    #
    # Here you can choose the GID to disable client socket access for.
    # Remember to add the users you want client socket access disabled for to
    # the GID specified here. If the sysctl option is enabled, whatever you
    # choose here won't matter. You'll have to specify the GID in your bootup
    # script by echoing the GID to the proper /proc entry. View the help
    # on the sysctl option for more information.
    #
    kernel/grsecurity/socket_client_gid=2005
    #
    # * Deny server sockets to group
    #
    # You will be able to choose a GID of whose users will
    # be unable to run server applications from your machine.
    #
    kernel/grsecurity/socket_server=1
    #
    # - GID to deny server sockets for:
    #
    # Here you can choose the GID to disable server socket access for.
    # Remember to add the users you want server socket access disabled for to
    # the GID specified here. If the sysctl option is enabled, whatever you
    # choose here won't matter. You'll have to specify the GID in your bootup
    # script by echoing the GID to the proper /proc entry. View the help
    # on the sysctl option for more information.
    #
    kernel/grsecurity/socket_server_gid=2006
    # __________________
    # Stealth networking
    #
    # You will enable several enhancements that will
    # improve your system's protection against portscans.
    # Enabling these options and filtering all open ports should make
    # your machine very hard to detect, while not interfering with (most)
    # normal operation. All the stealth options break RFC, so there's always the
    # possibility that it might affect how certain network applications react
    # to your system.
    #
    # * Do not send RSTs on unserved TCP
    #
    # Your machine will not send RSTs (connection resets)
    # on unserved TCP ports. This will slow down portscanners a great deal,
    # since it has the same effect as dropping all packets to unserved TCP
    # ports. It will also force clients connecting to a non-open port to
    # time out instead of immediately stating "connection refused."
    #
    # kernel/grsecurity/stealth_rst=0
    #
    # * Do not reply to UDP with ICMP unreachables
    #
    # Your machine will not reply with ICMP unreachable
    # packets (type 3) on UDP ports not waiting for data. This hinders
    # portscanners from scanning your UDP ports. Enabling the UDP stealth
    # options is known to slow down SSH connection times, and may also
    # interfere with other protocols as well. Packets travelling across the
    # local loopback interface will not be tampered with.
    #
    # kernel/grsecurity/stealth_udp=0
    #
    # * Do not process ICMP packets
    #
    # Your machine will drop all ICMP packets but
    # echo-reply (Which allows you to ping from your machine, while not
    # allowing your machine to be pinged). Since ICMP packets can be spoofed
    # and are commonly used in Denial of Service attacks, it is recommended
    # that you say Y here. Theoretically, it is possible that this option
    # could hinder your ability to connect to certain hosts since it also
    # blocks "packet too large" icmp messages, though in reality this
    # occurrence is rare. Packets travelling across the local loopback
    # interface will not be tampered with.
    #
    # kernel/grsecurity/stealth_icmp=0
    #
    # * Do not reply to IGMP requests
    #
    # Your machine will drop all IGMP packets. IGMP
    # stands for Internet Group Management Protocol. Most users should
    # enable this option, unless you are actually connected to a multicast
    # network, which IGMP is used for.
    #
    # kernel/grsecurity/stealth_igmp=1
    #
    # * Drop packets with illegitimate flags
    #
    # Your machine will drop packets with TCP flags that
    # are never used in normal communication. Such packets are used in
    # "stealth" scans, and should not be allowed. It is recommended that
    # you say Y here.
    #
    # kernel/grsecurity/stealth_flags=0
    ###################
    # Network Logging #
    ###################
    # __________________________________
    # Log requests to unserved TCP ports
    #
    # Your machine will log requests to unserved TCP ports.
    #
    ### kernel/grsecurity/stealth_rst_log=0
    # __________________________________
    # Log requests to unserved UDP ports
    #
    # Your machine will log packets to UDP ports on your
    # system that are not waiting for data. Packets travelling across the
    # local loopback interface will not be logged.
    #
    ### kernel/grsecurity/stealth_udp_log=0
    # ________________
    # Log ICMP packets
    #
    # Your machine will log all ICMP packets but
    # echo-reply. Packets travelling across the local loopback interface
    # will not be logged.
    #
    ### kernel/grsecurity/stealth_icmp_log=0
    # ___________________________________
    # Log packets with illegitimate flags
    #
    # Your machine will log packets with TCP flags that
    # are never used in normal communication. Such packets are used in
    # "stealth" scans, and should not be allowed.
    #
    ### kernel/grsecurity/stealth_flags_log=0
    ##############################
    # Miscellaneous Enhancements #
    ##############################
    # ___________________
    # BSD-style coredumps
    #
    # Linux will use a style similar to BSD for
    # coredumps, core.processname. Not a security feature, just
    # a useful one.
    #
    # kernel/grsecurity/coredump=1
    ##################
    # Sysctl support #
    ##################
    # ______________
    # Sysctl support
    #
    # You will be able to change the options that
    # grsecurity runs with at bootup, without having to recompile your
    # kernel. You can echo values to files in /proc/sys/kernel/grsecurity
    # to enable (1) or disable (0) various features. All the sysctl entries
    # are mutable until the "grsec_lock" entry is set to a non-zero value.
    # All features are disabled by default. Please note that this option could
    # reduce the effectiveness of the added security of this patch if an ACL
    # system is not put in place. Your init scripts should be read-only, and
    # root should not have access to adding modules or performing raw i/o
    # operations. All options should be set at startup, and the grsec_lock
    # entry should be set to a non-zero value after all the options are set.
    # *THIS IS EXTREMELY IMPORTANT*
    #
    kernel/grsecurity/grsec_lock=0
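As an added example (not part of the original page), a script that compares what the kernel is actually running with the settings that the interface-secure script in 4.8 and the sysctl.conf in 4.17 are meant to produce. It reads the values straight from /proc/sys, which is also where the grsecurity knobs live, so it tells a value that drifted apart from a knob that is simply absent because the running kernel is not the patched metadistros kernel. The expected values are copied from those two sections; the PROC_ROOT variable, the fake /proc tree built for the demo and the checker itself are this example's own constructions.

```sh
#!/bin/sh
# Added example, not part of the Metadistros page: compare the kernel's live
# /proc/sys values with the settings that section 4.8's interface-secure
# script and section 4.17's sysctl.conf are meant to produce. Keys are
# written as in sysctl.conf ("net/ipv4/ip_forward=0"); dotted keys work too.
# EXPECTED holds values copied from those sections; PROC_ROOT and the fake
# /proc tree built for the demo are this example's own constructions.

EXPECTED='# from the interface-secure script (section 4.8)
net/ipv4/icmp_echo_ignore_broadcasts=1
net/ipv4/ip_forward=0
net/ipv4/tcp_syncookies=1
net/ipv4/conf/all/log_martians=1
net/ipv4/conf/all/rp_filter=1
net/ipv4/conf/all/accept_redirects=0
net/ipv4/conf/all/accept_source_route=0
# from sysctl.conf (section 4.17)
net/ipv4/tcp_max_syn_backlog=4096
kernel/grsecurity/chroot_deny_chroot=1'

# key_to_path KEY: "net.ipv4.ip_forward" or "net/ipv4/ip_forward" becomes
# $PROC_ROOT/sys/net/ipv4/ip_forward (PROC_ROOT defaults to /proc).
key_to_path() {
    printf '%s/sys/%s\n' "${PROC_ROOT:-/proc}" "$(printf '%s' "$1" | tr '.' '/')"
}

# check_sysctls [LIST]: one line per expected setting (default list: EXPECTED)
#   OK       key=value              current value matches
#   MISMATCH key=current (want v)   entry exists with a different value
#   ABSENT   key                    no such entry, e.g. a grsecurity knob on
#                                   a kernel without the patch
# Blank lines and "#" comments in the list are ignored. Multi-value entries
# are compared verbatim.
check_sysctls() {
    printf '%s\n' "${1:-$EXPECTED}" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        key=${line%%=*}
        want=${line#*=}
        path=$(key_to_path "$key")
        if [ ! -r "$path" ]; then
            echo "ABSENT $key"
            continue
        fi
        have=$(cat "$path")
        if [ "$have" = "$want" ]; then
            echo "OK $key=$have"
        else
            echo "MISMATCH $key=$have (want $want)"
        fi
    done
}

# count_failures [LIST]: number of MISMATCH and ABSENT lines
count_failures() {
    check_sysctls "$@" | awk '/^(MISMATCH|ABSENT) / { n++ } END { print n + 0 }'
}

# Demo: a constructed /proc tree for an unpatched kernel on which forwarding
# was left on and the SYN backlog kept a smaller default.
PROC_ROOT=$(mktemp -d)
trap 'rm -rf "$PROC_ROOT"' EXIT
fake_entry() {   # fake_entry KEY VALUE
    mkdir -p "$(dirname "$PROC_ROOT/sys/$1")"
    printf '%s\n' "$2" > "$PROC_ROOT/sys/$1"
}
fake_entry net/ipv4/icmp_echo_ignore_broadcasts 1
fake_entry net/ipv4/ip_forward 1
fake_entry net/ipv4/tcp_syncookies 1
fake_entry net/ipv4/conf/all/log_martians 1
fake_entry net/ipv4/conf/all/rp_filter 1
fake_entry net/ipv4/conf/all/accept_redirects 0
fake_entry net/ipv4/conf/all/accept_source_route 0
fake_entry net/ipv4/tcp_max_syn_backlog 1024
# no kernel/grsecurity/ entries: the patch is not in this kernel

check_sysctls
echo "Failures: $(count_failures)"
```

On the constructed tree the run reports two MISMATCH lines (ip_forward, tcp_max_syn_backlog) and one ABSENT line (the grsecurity knob); unset PROC_ROOT to check a live host. Because the list is read at run time, the same function can be fed the active lines of /etc/sysctl.conf itself, which makes it a cheap boot-time check that the file was applied before grsec_lock is set.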
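The PAM changes in 4.9 are spread over several service files and are easy to apply half-way. As an added example (not part of the original page), a script that verifies the end state those bullets describe in a PAM configuration directory: no remaining 'nullok', password stacks built on pam_cracklib with minlen=8 and pam_unix with use_authtok md5, and su gated on the wheel group and denied to nosu. The checks are this example's own reading of 4.9; the sample /etc/pam.d copy it runs against is constructed here.

```sh
#!/bin/sh
# Added example, not part of the Metadistros page: verify that a PAM
# configuration directory is in the end state section 4.9 asks for. It edits
# nothing; it prints what still deviates. The checks are this example's own
# reading of 4.9; the sample /etc/pam.d copy below is constructed.

# active_lines FILE: non-comment, non-empty lines (empty if FILE is missing)
active_lines() {
    grep -v -E '^[[:space:]]*#|^[[:space:]]*$' "$1" 2>/dev/null
}

# cracklib_minlen FILE: the minlen= value of the active pam_cracklib
# password line, or nothing if there is none
cracklib_minlen() {
    active_lines "$1" | awk '$1 == "password" && /pam_cracklib\.so/' \
        | sed -n 's/.*minlen=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# audit_pam DIR: one finding per line, nothing when the directory complies.
#   NULLOK <svc>          'nullok' is still present (4.9: remove it)
#   WEAK-CRACKLIB <svc>   no pam_cracklib password line with minlen >= 8
#   NO-USE_AUTHTOK <svc>  pam_unix password line does not carry use_authtok
#   NO-MD5 <svc>          pam_unix password line does not request md5
#   NO-WHEEL / NO-NOSU    su is not gated on wheel / not denied to nosu
# A missing service file produces no finding; there is nothing to relax in it.
audit_pam() {
    d=$1
    for svc in chfn chsh cron login passwd; do
        active_lines "$d/$svc" | grep -q 'nullok' && echo "NULLOK $svc"
    done
    for svc in login passwd ssh; do
        minlen=$(cracklib_minlen "$d/$svc")
        { [ -n "$minlen" ] && [ "$minlen" -ge 8 ]; } || echo "WEAK-CRACKLIB $svc"
        unix=$(active_lines "$d/$svc" | awk '$1 == "password" && /pam_unix\.so/')
        printf '%s\n' "$unix" | grep -q 'use_authtok' || echo "NO-USE_AUTHTOK $svc"
        printf '%s\n' "$unix" | grep -q 'md5' || echo "NO-MD5 $svc"
    done
    active_lines "$d/su" | grep -q 'pam_wheel\.so.*group=wheel' || echo "NO-WHEEL su"
    active_lines "$d/su" | grep -q 'pam_wheel\.so.*deny.*group=nosu' || echo "NO-NOSU su"
}

# count_pam_findings DIR: number of findings (0 means 4.9 is fully applied)
count_pam_findings() {
    audit_pam "$1" | awk 'END { print NR }'
}

# Constructed sample: login and ssh already follow 4.9, passwd and chfn still
# carry Debian's defaults, and su has the nosu line only as a comment.
PAM_DIR=$(mktemp -d)
trap 'rm -rf "$PAM_DIR"' EXIT
printf '%s\n' 'auth required pam_unix.so nullok' > "$PAM_DIR/chfn"
cat > "$PAM_DIR/login" <<'EOF'
auth     required pam_unix.so
password required pam_cracklib.so retry=3 minlen=8 difok=4
password required pam_unix.so use_authtok md5
EOF
printf '%s\n' 'password required pam_unix.so nullok obscure min=4 max=8 md5' > "$PAM_DIR/passwd"
cat > "$PAM_DIR/ssh" <<'EOF'
# password required pam_unix.so
password required pam_cracklib.so retry=3 minlen=8 difok=4
password required pam_unix.so use_authtok md5
EOF
cat > "$PAM_DIR/su" <<'EOF'
auth required pam_wheel.so group=wheel debug
#auth required pam_wheel.so deny group=nosu
EOF

audit_pam "$PAM_DIR"
echo "Findings: $(count_pam_findings "$PAM_DIR")"
```

For the sample the script prints NULLOK chfn, NULLOK passwd, WEAK-CRACKLIB passwd, NO-USE_AUTHTOK passwd and NO-NOSU su; `audit_pam /etc/pam.d` runs the same checks on a real system. Only active lines are inspected, so a line that was commented out rather than edited (the su case above) is reported as still missing, which is the situation 4.9's "uncomment and modify" steps are most often left in.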