THE PROC DIRECTORY - SECURITY MODIFICATIONS

Linux has a wonderful facility in the /proc directory. This directory allows the system administrator a real-time access window into the workings of the kernel. The files here are therefore referred to as a "Virtual File System", as the files are representations of different kernel configurations. You can view view some, to see exactly what is happening on your server. Or -as we will discuss- you can modify them, and thus modify the running kernel in real-time. We will be looking at some of the switches relating specifically to securing your system. Please bear in mind that these are general recommendations, and not all these settings may be benefical to you, so please test any changes throughly, and at your own risk.

• /proc/sys/net/ipv4/conf/*/rp_filter
  Setting this switch to 1 will enable reverse path filtering to help stop any IP spoofing attempts.
  


• /proc/sys/net/ipv4/conf/*/log_martians
  A "martian" is a packet which arrives at an interface, but the server has no route to the specified source address. Packets like this should not exist, so set this option to 1 and log them.
  


• /proc/sys/net/ipv4/tcp_syncookies
  Setting this switch to 1 will enable protection against SYN floods.
  


• /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  There is no reason to allow icmp broadcasts. The most common usage for them is to run DOS attacks. Set this switch to 1 to get your server to ignore them.
  


• /proc/sys/net/ipv4/conf/*/accept_source_route
  Source routing is bad, only attacker would want to explicitly state how there packet is routed. Disable this by setting this switch to 0.
  


• /proc/sys/net/ipv4/conf/*/accept_redirects
  There are very, very few legitimate situations where your host should actually be getting route redirects messages. Disable this by setting this switch to 0.
  


• /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  Sometimes some devices will send invalid responses to what they percieve as broadcasts. These responses are non-RFC compliant. Ignore these by setting this switch to 1.
  


• /proc/sys/net/ipv4/icmp_echo_ignore_all
  If you have no need for your server to respond to any icmp traffic, then enable this by setting this switch to 1.
  


• /proc/sys/net/ipv4/tcp_timestamps
  TCP timestamps can provide a source of information for attackers. On secure servers disable this by setting this switch to 0.
  


• /proc/sys/net/ipv4/conf/eth1/send_redirects
  This switch should only be enabled if you're a router advertising alternate routes to your network. In all other cases disable this by setting this switch to 0.
  


• /proc/sys/net/ipv4/conf/*/secure_redirects
  This switch should only be enabled if your server exists in a large, multi-router, dynamic routing network. For all cases disable this by setting this switch to 0.
  


• /proc/sys/net/ipv4/ip_forward
  This switch should only be enabled if you're got a server which needs to route packets between it's network interface cards. In all other cases disable this by setting this switch to 0.
  


• /proc/sys/net/ipv4/conf/*/proxy_arp
  This switch should only be enabled if you're got a server which needs to respond to arp packets. This switch will enable the server to respond to any arp packets destined for addresses which the kernel has routes to, useful for bridges. In all other cases disable this by setting this switch to 0.