From owner-svn-doc-all@FreeBSD.ORG Thu May 1 15:27:35 2014
Delivered-To: svn-doc-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 752643A1; Thu, 1 May 2014 15:27:35 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 60F62181F; Thu, 1 May 2014 15:27:35 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s41FRZCt008567; Thu, 1 May 2014 15:27:35 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s41FRZdh008566; Thu, 1 May 2014 15:27:35 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201405011527.s41FRZdh008566@svn.freebsd.org>
From: Dru Lavigne
Date: Thu, 1 May 2014 15:27:35 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44730 - head/en_US.ISO8859-1/books/handbook/security
X-SVN-Group: doc-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-all@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "SVN commit messages for the entire doc trees (except for "user", "projects", and "translations")"
X-List-Received-Date: Thu, 01 May 2014 15:27:35 -0000

Author: dru
Date: Thu May 1 15:27:34 2014
New Revision: 44730

URL: http://svnweb.freebsd.org/changeset/doc/44730

Log:
  Editorial review of System Tuning for Security.

  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Thu May 1 14:34:54 2014	(r44729)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Thu May 1 15:27:34 2014	(r44730)
@@ -568,32 +568,36 @@ cat changed System Tuning for Security - Many of the systems features may be tuned through the use - of &man.sysctl.8;. This is also true for a few security - features which could be used to prevent denial of service - (DOS) style attacks. Some of the more - important will be covered here. Any time a setting is changed - with &man.sysctl.8;, the chance to cause undesired harm is - increased affecting the availability of the system. - Considering the CIA of the system should be - done during any system-wide configuration change. + In &os;, many system features can be tuned using + sysctl. A few of the security + features which can be tuned to prevent Denial of Service + (DoS) attacks + will be covered in this section. More information about using + sysctl, including how to temporarily change + values and how to make the changes permanent after testing, + can be found in . - The following is a list of &man.sysctl.8;'s and a short - description of what effects the changes will have on the - system. + + Any time a setting is changed + with sysctl, the chance to cause undesired harm is + increased, affecting the availability of the system. All changes + should be monitored and, if possible, tried on a testing + system before being used on a production system. + By default, the &os; kernel boots with a security level of - -1. This is called insecure mode because + -1. This is called insecure mode because immutable file flags may be turned off and all devices may be - read from or written to. The security level will remain at -1 - unless it is altered, either by the administrator or by - &man.init.8;, because of a setting in the startup scripts. - The security level may be raised during system startup by + read from or written to. The security level will remain at -1 + unless it is altered through sysctl or by + a setting in the startup scripts. 
+ The security level may be increased during system startup by setting kern_securelevel_enable to YES in /etc/rc.conf, and the value of kern_securelevel to the desired security level. See &man.security.7; and &man.init.8; - for more information on these settings. + for more information on these settings and the available security levels. Increasing the securelevel can break 
@@ -601,45 +605,46 @@ cat changed prepared to do some debugging. - Next &man.sysctl.8;s to change is the - net.inet.tcp.blackhole and net.inet.udp.blackhole. When these - are set, incoming SYN packets on closed - ports will be dropped with no return RST - response. The normal behavior is to return an - RST to show a port is closed. These will - provide some level of protection against - stealth scans against a system. Set the - net.inet.tcp.blackhole to 2 and the - net.inet.udp.blackhole to 1 and review the - information in &man.blackhole.4; for more information. - - Additionally the net.inet.icmp.drop_redirect and - net.inet.ip.redirect should be set as well. These two - &man.sysctl.8;s will help prevent against what are called - redirect attacks. Redirect attacks are the purposeful mass - issuing of ICMP type 5 packets which should - not be required in a normal network. As such, set - net.inet.icmp.drop_redirect to 1 and set - net.inet.ip.redirect to 0. + The net.inet.tcp.blackhole and + net.inet.udp.blackhole settings can be used + to drop incoming SYN packets on closed + ports without sending a return RST + response. The default behavior is to return an + RST to show a port is closed. Changing the default + provides some level of protection against + ports scans, which are used to determine + which applications are running on a system. Set + net.inet.tcp.blackhole to 2 and + net.inet.udp.blackhole to 1. + Refer to &man.blackhole.4; for more information about these settings. + + The net.inet.icmp.drop_redirect and + net.inet.ip.redirect settings + help prevent against + redirect attacks. A redirect attack is a type of DoS which sends mass + numbers of ICMP type 5 packets. Since these packets + are not required, set + net.inet.icmp.drop_redirect to 1 and set + net.inet.ip.redirect to 0. - Source routing is method of detecting and accessing + Source routing is a method for detecting and accessing non-routable addresses on the internal network. 
This should - probably be disabled as non-routable addresses are normally + be disabled as non-routable addresses are normally not routable on purpose. To disable this feature, set - net.inet.ip.sourceroute and net.inet.ip.accept_sourceroute - to 0. + net.inet.ip.sourceroute and + net.inet.ip.accept_sourceroute + to 0. + + When a machine on the network needs to + send messages to all hosts on a subnet, an + ICMP echo request message is sent + to the broadcast address. However, there is no reason for an external + host to perform such an action. To reject + all external broadcast requests, set + net.inet.icmp.bmcastecho to 0. - Drop all ICMP echo requests to the - broadcast address. When machine on the network need to - send messages to all hosts on a subnet, the message is sent - to the broadcast address. There is no reason an external - host should need to perform such an action so set - net.inet.icmp.bmcastecho to 0 to reject - all external broadcast requests. - - Some additional &man.sysctl.8;s are documented in - &man.security.7; and it is recommended it be consulted for - additional information. + Some additional settings are documented in + &man.security.7;.
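Review bot: in the first hunk (@@ -568), the rewritten sentence "The security level will remain at -1 unless it is altered through sysctl or by a setting in the startup scripts" drops the constraint the old text carried via its init(8) reference: on a running system the securelevel can only be raised, never lowered (see security(7)), so "altered" overstates what sysctl can do. Suggest "unless it is raised, either with sysctl or by a setting in the startup scripts", which also lines up with the following sentence, "The security level may be increased during system startup". The new admonition paragraph ("All changes should be monitored and, if possible, tried on a testing system") is a good addition and reads fine as is.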
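Review bot: in the second hunk (@@ -601), "ports scans" should be "port scans", and the blackhole paragraph applies TCP semantics to both settings: "drop incoming SYN packets on closed ports without sending a return RST" describes net.inet.tcp.blackhole only, since UDP has no SYN or RST. Per blackhole(4), net.inet.udp.blackhole drops datagrams sent to closed UDP ports without returning the ICMP port unreachable reply, so suggest "drop incoming packets to closed TCP and UDP ports without sending the RST or ICMP port unreachable reply that would otherwise show the port is closed". The redirect paragraph likewise treats both sysctls as defences against received redirects, but net.inet.ip.redirect=0 stops this host from sending ICMP redirects when it forwards packets, while net.inet.icmp.drop_redirect=1 is the setting that ignores received ones; splitting that sentence in two would make the distinction clear, and "help prevent against redirect attacks" should read "help protect against redirect attacks".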