Sysctl.conf hardening

The purpose of sysctl hardening is to help prevent spoofing and DoS attacks. This short guide will show what I have found to be a good configuration for the sysctl.conf configuration file. The most important of the variables listed below is the enabling of SYN cookie protection. Only place the bottom two if you do not want your server to respond to ICMP echo, commonly referred to as ICMP ping or just ping requests.

Open /etc/sysctl.conf for editing in your favorite text editor:

pico -w /etc/sysctl.conf

And simply copy/paste this into the file replacing any existing values:

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Disables packet forwarding
net.ipv4.ip_forward=0

# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1

# Disables the magic-sysrq key
kernel.sysrq = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800

# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0

# Turn off the tcp_sack
net.ipv4.tcp_sack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1

# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000

# Allowed local port range (the highest valid port number is 65535)
net.ipv4.ip_local_port_range = 16384 65535

After you make the changes to the file you need to run

/sbin/sysctl -p 

and

sysctl -w net.ipv4.route.flush=1

to enable the changes without a reboot.

Notes
– Make sure that eth0 is your primary interface. If it is not, replace eth0 with eth1 in the code above.
– Make sure you have a backup of your original sysctl.conf file before making any changes.
– These settings might be old (outdated) or wrong for your system setup. Use them at your own risk!
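
An added example (not part of the original post): a shell function that audits a sysctl.conf-style file for the problems a pasted block like the one above can introduce, namely keys assigned twice with different values, baseline keys that are missing or differ, and an out-of-range ip_local_port_range. The function names, the choice of baseline keys and the sample file are constructed for illustration.

```sh
# audit_sysctl_conf FILE: print one finding per line, nothing if the file is clean.
audit_sysctl_conf() {
    awk '
    BEGIN {  # baseline: values the configuration above assigns to these keys
        want["net.ipv4.tcp_syncookies"] = "1"
        want["net.ipv4.conf.all.rp_filter"] = "1"
        want["net.ipv4.conf.all.accept_source_route"] = "0"
        want["net.ipv4.conf.all.accept_redirects"] = "0"
        want["net.ipv4.conf.all.log_martians"] = "1"
        want["net.ipv4.icmp_echo_ignore_broadcasts"] = "1"
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }   # comments and blank lines
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        gsub(/[ \t]+/, " ", val)
        # sysctl -p applies lines top to bottom, so the last assignment wins
        if ((key in seen) && seen[key] != val)
            printf "CONFLICT %s: %s overridden by %s (line %d)\n", key, seen[key], val, NR
        seen[key] = val
    }
    END {
        for (k in want) {
            if (!(k in seen)) printf "MISSING %s (want %s)\n", k, want[k]
            else if (seen[k] != want[k]) printf "MISMATCH %s = %s (want %s)\n", k, seen[k], want[k]
        }
        k = "net.ipv4.ip_local_port_range"
        if (k in seen) {
            split(seen[k], p, " ")
            if (p[1] + 0 < 1 || p[2] + 0 > 65535 || p[1] + 0 > p[2] + 0)
                printf "RANGE %s = %s (valid ports are 1-65535)\n", k, seen[k]
        }
    }' "$1" | sort
}
# Constructed sample input (not taken from a real host).
demo_audit() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed sample
net.ipv4.conf.all.log_martians = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.ip_local_port_range = 16384 65536
EOF
    audit_sysctl_conf "$tmp"; rm -f "$tmp"
}
```

Run `audit_sysctl_conf /etc/sysctl.conf` before `/sbin/sysctl -p`; empty output means no conflicts or baseline deviations were found.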


Big file downloads stop at random

After migrating a site to a new server I ran into a strange problem with big file downloads that just stop/break without any specific reason at any time. Downloads are not direct; they are done using PHP (I’ll write more about that soon and I’ll link to that post from here when I do), and they suddenly break without any notice. The browser reports that the file has been successfully downloaded and Apache doesn’t report any errors, but the file is broken and not downloaded entirely.

I was pulling my hair out for days, since sometimes downloads were working fine but sometimes they would just stop. Things got worse when downloading multiple files at the same time. Sometimes one or two downloads would break, sometimes all, sometimes none. It was driving me mad. Since I was traveling across Northern Europe in those days, I was able to test the file download from multiple locations/countries and various connection types (ADSL, cable, WiFi hot spots) and still experienced the same problems.

The setup on that server was a bit complex: it used Apache to serve dynamic content and a separate web server for static content. Downloads were done using PHP or using mod_xsendfile, but either way the problem persisted. So I figured that something must be timing out and breaking the connection, since out of 4-5 simultaneous downloads one or two would break and a few would download normally. Finally, I tried increasing the Apache timeout from 10 seconds to 30 seconds and it worked! I was so pissed off and happy at the same time… The solution was so easy and right in front of my nose, but I needed so much time to figure it out… I felt so stupid for a second, but then I solved the problem and I’ve learned something new…

It turns out that if there was no communication between server and client for 10 seconds, Apache would simply close the connection and the download would break. Nothing is reported on either side since it’s a “normal” way to end the communication. This was also going on when mod_xsendfile was used to serve/download files. The problem was even greater when the internet connection was worse (WiFi) and when I was downloading more files at once, since then the connection would have to be split across several files.

So if you’re making a download server for larger files, make sure you set your Apache timeout to some reasonable value (30 seconds or more). By “larger files” I mean everything larger than pictures, but basically a 50 MB file could be called a “larger file”, since its download requires some time and, of course, an open connection.


How to whitelist your IP at CPHulk

My IP got banned by CPHulk a few times, and it is really not pleasant knowing that you need to access your server but can’t because CPHulk blacklisted your IP. A great way around it is to whitelist your IP address in advance so you don’t end up in that situation. It’s quite easy: all you need to do is log in over SSH and execute these lines:

cd /scripts
./cphulkdwhitelist xxx.xxx.xxx.xxx

Just don’t forget to replace xxx.xxx.xxx.xxx with your IP address 🙂


How to change a proftpd FTP password from the SSH shell

Today I got a request from a client who has a server with no control panel on it to change one FTP password. The server is using proftpd as its FTP server. This is a really easy task if proftpd is set up by default and uses /etc/passwd for storing its passwords.

If you know the username, all you need to do is type in

passwd USERNAME

(replace USERNAME with the actual username), enter the new password two times and you’re done.

If, however, you don’t know the username (and that can happen too), you can open the /etc/passwd file and try to locate it in there.


How to install CSF firewall

In order to protect your server in the best way possible, besides running iptables you should install some additional software. I can recommend ConfigServer Security & Firewall. I’m using it on a couple of servers right now and it has proven itself to be stable and low on resource usage. It also has a WHM/cPanel plugin that helps you manage your firewall even if you’re not a very experienced user/admin.

Before installing you must be sure that you do not have any other firewalls installed (such as APF).
Installation is really simple. You just need to run these commands over SSH:

cd /usr/local/src
wget https://download.configserver.com/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh

Don’t forget to disable the testing flag by setting TESTING = 0.
You can do that easily in WHM/cPanel: after logging in to WHM, in the Plugins section of the sidebar you’ll find “ConfigServer Security&Firewall”. Then click on Firewall Configuration and change the testing value. Save it, restart the firewall and there you go! Your CSF firewall is up and running!
