The basic rule when configuring the kernel is to remove everything that you do
not need. This will not only create a small kernel but also remove the
vulnerabilities that may lie inside drivers and other features.
Also consider turning off loadable module support. Even though it is possible to
add root kits without this features, it does make it harder for normal attackers
to install root kits via kernel modules.
The proc filesystem
Many kernel parameters can be altered through the /proc file system
or by using sysctl.
To dynamically change kernel parameters and variables on the fly, you need
CONFIG_SYSCTL defined in your kernel. This is on by default in
a standard 2.4 kernel.
Code Listing 1.1: Deactivate IP forwarding
# /bin/echo "0" > /proc/sys/net/ipv4/ip_forward
Make sure that IP forwarding is turned off. We only want this for a
multi-homed host. It's advised to set or unset this flag before all other flags
since it enabled/disables other flags as well.
Code Listing 1.1: Drop ping packets
# /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
This will cause the kernel to simply ignore all ping messages (also known as
ICMP type 0 messages). The reason for this is that an IP packet carrying an ICMP
message can contain a payload with information other than you think.
Administrators use ping as a diagnostic tool and often complain if it is
disabled, but there is no reason for an outsider to be able to ping. However,
since it sometimes can be handy for insiders to be able to ping, you can disable
ICMP type 0 messages in the firewall (allowing local administrators to continue
to use this tool).
Code Listing 1.1: Ignore broadcast pings
# /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
This disables response to ICMP broadcasts and will prevent Smurf attacks. The
Smurf attack works by sending an ICMP type 0 (ping) message to the broadcast
address of a network. Typically the attacker will use a spoofed source
address. All the computers on the network will respond to the ping message and
thereby flood the host at the spoofed source address.
Code Listing 1.1: Disable source routed packets
# /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
Do not accept source routed packets. Attackers can use source routing to
generate traffic pretending to originate from inside your network, but that is
actually routed back along the path from which it came, so attackers can
compromise your network. Source routing is rarely used for legitimate purposes,
so it is safe to disable it.
Code Listing 1.1: Disable redirect acceptance
# /bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
Do not accept ICMP redirect packets. ICMP redirects can be used to alter your
routing tables, possibly to a malicious end.
Code Listing 1.1: Protect against bad error messages
# /bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
Enable protection against bogus error message responses.
Code Listing 1.1: Enable reverse path filtering
# for i in /proc/sys/net/ipv4/conf/*; do
/bin/echo "1" > $i/rp_filter
Turn on reverse path filtering. This helps make sure that packets use legitimate
source addresses by automatically rejecting incoming packets if the routing
table entry for their source address does not match the network interface they
are arriving on. This has security advantages because it prevents IP spoofing.
We need to enable it for each net/ipv4/conf/* otherwise source
validation isn't fully functional.
However turning on reverse path filtering can be a problem if you use asymmetric
routing (packets from you to a host take a different path than packets from that
host to you) or if you operate a non-routing host which has several IP addresses
on different interfaces.
Code Listing 1.1: Log all spoofed, source routed and redirect packets
# /bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
Log spoofed packets, source routed packets and redirect packets.
All these settings will be reset when the machine is rebooted. I suggest that
you add them to /etc/sysctl.conf, which is automatically sourced by
the /etc/init.d/bootmisc init script.
The syntax for /etc/sysctl.conf is pretty straightforward. Strip
off the /proc/sys/ from the previously mentioned paths and
substitute / with .:
Code Listing 1.1: Translating to sysctl.conf
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward
net.ipv4.ip_forward = 0
The patch from Grsecurity is standard
in the sys-kernel/hardened-sources but is disabled by default. Configure
your kernel as you normally do and then configure the Grsecurity options. An
in-depth explanation on the available Grsecurity options is available on the
Gentoo Hardened project page.
Recent hardened-sources provide the 2.* version of Grsecurity. For more
information on this improved Grsecurity patch set, please consult the
documentation available on the Grsecurity home page.
Kerneli is a patch that adds encryption
to the existing kernel. By patching your kernel you will get new options such as
cryptographic ciphers, digest algorithms and cryptographic loop filters.
The kerneli patch is currently not in a stable version for the latest kernel, so
be careful when using it.
Other kernel patches
And there are probably a lot more.