Date: Thu, 1 May 2014 15:27:35 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44730 - head/en_US.ISO8859-1/books/handbook/security Message-ID: <201405011527.s41FRZdh008566@svn.freebsd.org>
Author: dru Date: Thu May 1 15:27:34 2014 New Revision: 44730 URL: http://svnweb.freebsd.org/changeset/doc/44730 Log: Editorial review of System Tuning for Security. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu May 1 14:34:54 2014 (r44729) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu May 1 15:27:34 2014 (r44730) 
@@ -568,32 +568,36 @@ cat changed <sect2 xml:id="security-tuning"> <title>System Tuning for Security</title> - <para>Many of the systems features may be tuned through the use - of &man.sysctl.8;. This is also true for a few security - features which could be used to prevent denial of service - (<acronym>DOS</acronym>) style attacks. Some of the more - important will be covered here. Any time a setting is changed - with &man.sysctl.8;, the chance to cause undesired harm is - increased affecting the availability of the system. - Considering the <acronym>CIA</acronym> of the system should be - done during any system-wide configuration change.</para> + <para>In &os;, many system features can be tuned using + <command>sysctl</command>. A few of the security + features which can be tuned to prevent Denial of Service + (<acronym>DoS</acronym>) attacks + will be covered in this section. More information about using + <command>sysctl</command>, including how to temporarily change + values and how to make the changes permanent after testing, + can be found in <xref + linkend="configtuning-sysctl"/>.</para> - <para>The following is a list of &man.sysctl.8;'s and a short - description of what effects the changes will have on the - system.</para> + <note> + <para>Any time a setting is changed + with <command>sysctl</command>, the chance to cause undesired harm is + increased, affecting the availability of the system. All changes + should be monitored and, if possible, tried on a testing + system before being used on a production system.</para> + </note> <para>By default, the &os; kernel boots with a security level of - -1. This is called <quote>insecure mode</quote> because + <literal>-1</literal>. This is called <quote>insecure mode</quote> because immutable file flags may be turned off and all devices may be - read from or written to. 
The security level will remain at -1 - unless it is altered, either by the administrator or by - &man.init.8;, because of a setting in the startup scripts. - The security level may be raised during system startup by + read from or written to. The security level will remain at <literal>-1</literal> + unless it is altered through <command>sysctl</command> or by + a setting in the startup scripts. + The security level may be increased during system startup by setting <varname>kern_securelevel_enable</varname> to <literal>YES</literal> in <filename>/etc/rc.conf</filename>, and the value of <varname>kern_securelevel</varname> to the desired security level. See &man.security.7; and &man.init.8; - for more information on these settings.</para> + for more information on these settings and the available security levels.</para> <warning> <para>Increasing the <varname>securelevel</varname> can break 
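Review bot: in the securelevel paragraph, "unless it is altered through <command>sysctl</command> or by a setting in the startup scripts" sits beside "may be increased during system startup" and the warning about increasing it, so "raised" would be the more precise word in the first sentence, since the paragraph only ever discusses moving the level up. On style, the rewrite switches from the &man.sysctl.8; entity to <command>sysctl</command> while keeping &man.security.7; and &man.init.8; as entities; that is fine for a command name, but the first mention in the new opening sentence is a natural place to keep one &man.sysctl.8; link so readers can reach the manual page. The new <note> reads more cleanly than the dropped CIA sentence, though "the chance to cause undesired harm is increased, affecting the availability of the system" is still awkward; "increases the chance of harming the availability of the system" would be tighter.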
@@ -601,45 +605,46 @@ cat changed prepared to do some debugging.</para> </warning> - <para>Next &man.sysctl.8;s to change is the - net.inet.tcp.blackhole and net.inet.udp.blackhole. When these - are set, incoming <acronym>SYN</acronym> packets on closed - ports will be dropped with no return <acronym>RST</acronym> - response. The normal behavior is to return an - <acronym>RST</acronym> to show a port is closed. These will - provide some level of protection against - <quote>stealth</quote> scans against a system. Set the - net.inet.tcp.blackhole to <quote>2</quote> and the - net.inet.udp.blackhole to <quote>1</quote> and review the - information in &man.blackhole.4; for more information.</para> - - <para>Additionally the net.inet.icmp.drop_redirect and - net.inet.ip.redirect should be set as well. These two - &man.sysctl.8;s will help prevent against what are called - redirect attacks. Redirect attacks are the purposeful mass - issuing of <acronym>ICMP</acronym> type 5 packets which should - not be required in a normal network. As such, set - net.inet.icmp.drop_redirect to <quote>1</quote> and set - net.inet.ip.redirect to <quote>0</quote>.</para> + <para>The <varname>net.inet.tcp.blackhole</varname> and + <varname>net.inet.udp.blackhole</varname> settings can be used + to drop incoming <acronym>SYN</acronym> packets on closed + ports without sending a return <acronym>RST</acronym> + response. The default behavior is to return an + <acronym>RST</acronym> to show a port is closed. Changing the default + provides some level of protection against + ports scans, which are used to determine + which applications are running on a system. Set + <varname>net.inet.tcp.blackhole</varname> to <literal>2</literal> and + <varname>net.inet.udp.blackhole</varname> to <literal>1</literal>. 
+ Refer to &man.blackhole.4; for more information about these settings.</para> + + <para>The <varname>net.inet.icmp.drop_redirect</varname> and + <varname>net.inet.ip.redirect</varname> settings + help prevent against + <firstterm>redirect attacks</firstterm>. A redirect attack is a type of <acronym>DoS</acronym> which sends mass + numbers of <acronym>ICMP</acronym> type 5 packets. Since these packets + are not required, set + <varname>net.inet.icmp.drop_redirect</varname> to <literal>1</literal> and set + <varname>net.inet.ip.redirect</varname> to <literal>0</literal>.</para> - <para>Source routing is method of detecting and accessing + <para>Source routing is a method for detecting and accessing non-routable addresses on the internal network. This should - probably be disabled as non-routable addresses are normally + be disabled as non-routable addresses are normally not routable on purpose. To disable this feature, set - net.inet.ip.sourceroute and net.inet.ip.accept_sourceroute - to <quote>0</quote>.</para> + <varname>net.inet.ip.sourceroute</varname> and + <varname>net.inet.ip.accept_sourceroute</varname> + to <literal>0</literal>.</para> + + <para>When a machine on the network needs to + send messages to all hosts on a subnet, an + <acronym>ICMP</acronym> echo request message is sent + to the broadcast address. However, there is no reason for an external + host to perform such an action. To reject + all external broadcast requests, set + <varname>net.inet.icmp.bmcastecho </varname>to <literal>0</literal>.</para> - <para>Drop all <acronym>ICMP</acronym> echo requests to the - broadcast address. When machine on the network need to - send messages to all hosts on a subnet, the message is sent - to the broadcast address. 
There is no reason an external - host should need to perform such an action so set - net.inet.icmp.bmcastecho to <quote>0</quote> to reject - all external broadcast requests.</para> - - <para>Some additional &man.sysctl.8;s are documented in - &man.security.7; and it is recommended it be consulted for - additional information.</para> + <para>Some additional settings are documented in + &man.security.7;.</para> </sect2> </sect1>
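Review bot: the rewritten blackhole paragraph still describes both <varname>net.inet.tcp.blackhole</varname> and <varname>net.inet.udp.blackhole</varname> in terms of "incoming SYN packets" and a "return RST response", but SYN and RST are TCP-only; the UDP setting concerns datagrams sent to closed ports and the ICMP port unreachable reply that would otherwise be returned, so the sentence should either be limited to TCP or split so each protocol is described correctly. Smaller points in the same hunk: "ports scans" should be "port scans"; "help prevent against redirect attacks" should be "help protect against" or simply "help prevent"; and in the bmcastecho paragraph the stray space inside the tag, <varname>net.inet.icmp.bmcastecho </varname>to, should move outside it as <varname>net.inet.icmp.bmcastecho</varname> to, otherwise the rendered text runs the setting name into "to".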