APPENDIX B – Network Parameters
ip_send_redirects – when turned off, stops the machine from emitting ICMP redirect packets. Under normal operation this probably won’t have significant security implications.
ip_ire_flush_interval and arp_cleanup_interval – control how long entries live in the system’s ARP cache. The ARP cache maintains the mapping between Ethernet addresses and IP addresses. The default values are 10 minutes (?????). Lowering these values can help limit some ARP spoofing attacks, but at the cost of more ARP traffic on your local LAN and possibly reduced performance. Think carefully before you change these variables.
ip_forward_directed_broadcast – when turned off, stops the machine from forwarding packets destined for a broadcast network address. If the machine is being used as a gateway between several networks, this helps prevent it from being used as an intermediary (amplifier) network in a "smurf"-type attack. The machine will still respond to broadcast packets directed at any LAN it is connected to.
ip_forward_src_routed – when turned off, prevents the machine from forwarding any packets that have the source routing option set.
ip_forwarding – turning off ip_forwarding prevents the machine from accepting and forwarding packets that are not destined for one of its own local interface addresses. Attackers can use a host that forwards such packets to bypass other network security measures.
tcp_ip_abort_cinterval – how long the kernel will wait (in milliseconds) for a TCP connection to complete. Tuning this value down can also help your system resist SYN flooding attacks.
You can use the following commands to view and change the network parameters.
ndd -h sup - displays all the parameters that are supported by HP.
ndd -h unsup - displays all the parameters that are not supported by HP. Be careful modifying these!
ndd -c - sets the tunable parameters (ndd -get /dev/<driver> <parameter> reads a single value, ndd -set /dev/<driver> <parameter> <value> changes one).
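The following script is an added example, not part of the original document: it audits the parameters discussed above against a hardened baseline and can apply that baseline. It assumes the HP-UX ndd syntax (ndd -get /dev/<driver> <parameter> and ndd -set /dev/<driver> <parameter> <value>), that the ip_* parameters live under /dev/ip and tcp_ip_abort_cinterval under /dev/tcp, and an illustrative 60000 ms abort interval; the NDD variable lets you point it at a different binary. The ARP-cache timers are deliberately left out, in line with the "think carefully" advice above.

```shell
#!/bin/sh
# Added example: audit/apply an ndd hardening baseline on HP-UX.
# Assumption: ndd accepts "-get DEV PARAM" and "-set DEV PARAM VALUE".
NDD=${NDD:-/usr/bin/ndd}

# Baseline table: device  parameter  wanted-value.
# 60000 ms for tcp_ip_abort_cinterval is an illustrative choice, not a
# value from the document; tune it for your own environment.
baseline() {
    cat <<'EOF'
/dev/ip ip_send_redirects 0
/dev/ip ip_forward_directed_broadcast 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip_forwarding 0
/dev/tcp tcp_ip_abort_cinterval 60000
EOF
}

# get_param DEV PARAM -> prints the running value of the parameter.
get_param() {
    "$NDD" -get "$1" "$2"
}

# audit_ndd -> prints "MISMATCH dev param current=X wanted=Y" for every
# parameter that deviates from the baseline; returns 0 only when all match.
# The baseline is fed through a here-document so the counter survives
# (a pipe would run the loop in a subshell and lose it).
audit_ndd() {
    mismatches=0
    while read -r dev param want; do
        if [ -z "$dev" ]; then continue; fi
        have=$(get_param "$dev" "$param") || have="UNREADABLE"
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s %s current=%s wanted=%s\n' \
                "$dev" "$param" "$have" "$want"
            mismatches=$((mismatches + 1))
        fi
    done <<EOF
$(baseline)
EOF
    [ "$mismatches" -eq 0 ]
}

# apply_ndd -> sets every baseline value on the running kernel.
# This is not persistent across reboot; see the note below the script.
apply_ndd() {
    while read -r dev param want; do
        if [ -z "$dev" ]; then continue; fi
        "$NDD" -set "$dev" "$param" "$want"
    done <<EOF
$(baseline)
EOF
}

# Usage: sh ndd_harden.sh check   |   sh ndd_harden.sh apply
case "${1:-}" in
    check) audit_ndd ;;
    apply) apply_ndd ;;
esac
```

Run it with `check` from cron or a login script to catch drift; `apply` changes only the running kernel, so the same values also belong in the persistent configuration (on HP-UX 11 that is /etc/rc.config.d/nddconf, which ndd -c reads at boot).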
APPENDIX C – Example secure /etc/fstab
/dev/vg00/lvol3 / hfs defaults 0 1
/dev/vg00/lvol1 /stand hfs nosuid 0 1
/dev/vg00/lvol4 /tmp hfs defaults 0 2
/dev/vg00/lvol5 /home hfs nosuid 0 2
/dev/vg00/lvol6 /opt hfs ro 0 2
/dev/vg00/lvol7 /usr hfs ro 0 2
/dev/vg00/lvol8 /var hfs nosuid 0 2
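As an added example (not part of the original appendix), the script below checks an fstab in the HP-UX format shown above against a mount-option policy: nosuid on /stand, /home and /var, and ro on /opt and /usr, exactly the options the sample fstab uses. The policy table and the sample fstab embedded in the script are constructed for this example; in practice you would feed it the real /etc/fstab.

```shell
#!/bin/sh
# Added example: flag fstab entries that lack the hardening options
# used in the sample secure fstab. Policy and sample data are constructed.

# Policy table: mountpoint  option-that-must-be-present.
policy() {
    cat <<'EOF'
/stand nosuid
/home nosuid
/var nosuid
/opt ro
/usr ro
EOF
}

# Constructed fstab text: /home and /usr have been weakened to "defaults".
SAMPLE_FSTAB='/dev/vg00/lvol3 / hfs defaults 0 1
/dev/vg00/lvol1 /stand hfs nosuid 0 1
/dev/vg00/lvol4 /tmp hfs defaults 0 2
/dev/vg00/lvol5 /home hfs defaults 0 2
/dev/vg00/lvol6 /opt hfs ro 0 2
/dev/vg00/lvol7 /usr hfs defaults 0 2
/dev/vg00/lvol8 /var hfs nosuid,quota 0 2'

# check_fstab FSTAB_TEXT -> prints "MISSING <mountpoint> <option>" for each
# policy violation and "UNMOUNTED <mountpoint>" for a policy entry with no
# fstab line; returns 0 only when the fstab is fully compliant.
check_fstab() {
    fstab_text=$1
    violations=0
    while read -r mnt need; do
        if [ -z "$mnt" ]; then continue; fi
        # Options are the 4th column; skip comment lines, take the first match.
        opts=$(printf '%s\n' "$fstab_text" |
            awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $4; exit }')
        if [ -z "$opts" ]; then
            printf 'UNMOUNTED %s\n' "$mnt"
            violations=$((violations + 1))
            continue
        fi
        # Match the option as a whole element of the comma-separated list,
        # so "nosuid" is not accepted from e.g. "nosuidx".
        case ",$opts," in
            *",$need,"*) ;;
            *)
                printf 'MISSING %s %s\n' "$mnt" "$need"
                violations=$((violations + 1))
                ;;
        esac
    done <<EOF
$(policy)
EOF
    [ "$violations" -eq 0 ]
}

# Usage: sh fstab_check.sh /etc/fstab   (or --demo for the embedded sample)
if [ "${1:-}" = "--demo" ]; then
    check_fstab "$SAMPLE_FSTAB"
elif [ -n "${1:-}" ]; then
    check_fstab "$(cat "$1")"
fi
```

Because the check reads the options column as a comma-separated list, it also works for entries that combine several options (nosuid,quota in the sample); a non-zero exit makes it easy to wire into a nightly configuration check.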
APPENDIX D – Sample SSHD Startup Script
#!/sbin/sh
#
# start up secure shell daemon - sshd
#
# Restrict PATH so the script does not pick up commands from anywhere else.
PATH=/usr/sbin:/usr/bin:/sbin
export PATH
rval=0
case $1 in
    'start_msg')
        # message printed by the rc framework before the start action
        echo "Starting the sshd"
        ;;
    'stop_msg')
        # message printed by the rc framework before the stop action
        echo "Stopping the sshd"
        ;;
    'start')
        # only start the daemon when its configuration file is present
        if [ -f /etc/rc.config.d/sshd_config ]
        then
            /opt/openssh2/sbin/sshd -f /etc/rc.config.d/sshd_config
        else
            echo "ERROR: /etc/rc.config.d defaults file MISSING"
        fi
        ;;
    'stop')
        # sshd records its process id in sshd.pid at startup
        kill `cat /opt/openssh2/etc/sshd.pid`
        ;;
    *)
        echo "usage: $0 {start|stop|start_msg|stop_msg}"
        rval=1
        ;;
esac
exit $rval