
A brief note on UDP: nmap cannot accurately determine the status of these ports if they are "filtered". You
will probably get a false-positive "open" condition. This has to do with UDP being a connectionless protocol.
If nmap gets no answer (e.g. due to a "DROP"), it assumes the packets reached the target, and thus the port
will be reported as "open". This is "normal" for nmap.
We can play with firewall rules in a LAN set up to try to simulate how the outside world sees us, and if we
are smart, and know what we are doing, and don't have a brain fart, we probably will have a pretty good
picture. But it is still best to try to find a way to do it from outside if possible. Again, make sure you are not
violating any ISP rules of conduct. Do you have a friend on the same ISP?
8.8. Sysctl Options
The "sysctl" options are kernel parameters that can be configured via the /proc filesystem. These can be
dynamically adjusted at run-time. Typically these options are off if set to "0", and on if set to "1".
Some of these have security implications, which is why we are here ;-) We'll just list the ones we think are
relevant. Feel free to cut and paste these into a firewall script, or other file that is run during boot (like
/etc/rc.local). Red Hat provides the sysctl command for dynamically adjusting these values (see the man
page). Or they can be set permanently in /etc/sysctl.conf with your text editor of choice. sysctl is
executed during init, and uses these values. You can read up on what these mean in
/usr/src/linux/Documentation/sysctl/README and other files in the kernel Documentation
directories.
The traditional method:
#!/bin/sh
#
# Configure kernel sysctl run-time options.
#
###################################################################
# Anti-spoofing blocks: enable reverse path filtering on every interface
for i in /proc/sys/net/ipv4/conf/*/rp_filter;
do
    echo 1 > "$i"
done
# Ensure source routing is OFF
for i in /proc/sys/net/ipv4/conf/*/accept_source_route;
do
    echo 0 > "$i"
done
# Ensure TCP SYN cookies protection is enabled (only if this kernel has it)
[ -e /proc/sys/net/ipv4/tcp_syncookies ] && \
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Ensure ICMP redirects are disabled
for i in /proc/sys/net/ipv4/conf/*/accept_redirects;
do
    echo 0 > "$i"
done
# Ensure oddball addresses are logged
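The script above sets the values but never tells you whether they took, or what they were before. The following is an added example (it is not the HOWTO's own script) that checks each of the settings listed above against the recommended value, reports any that are off, and can apply them. The PROC_ROOT variable is an assumption added here so the same checks can be run against a copy of the /proc tree instead of the live kernel; the audit and apply arguments are likewise this example's own convention.

```shell
#!/bin/sh
# Added example (not the HOWTO's own script): audit the sysctl values this
# section recommends, and optionally apply them. PROC_ROOT is an assumption
# added here so the checks can be pointed at a copy of /proc for testing.
PROC_ROOT="${PROC_ROOT:-/proc}"

# want <file> <expected value>
# Prints one line per setting; returns 1 when the file is missing or the value is off.
want() {
    if [ ! -e "$1" ]; then
        echo "MISSING  $1"
        return 1
    fi
    cur=$(cat "$1")
    if [ "$cur" = "$2" ]; then
        echo "ok       $1 = $cur"
        return 0
    fi
    echo "MISMATCH $1 = $cur (want $2)"
    return 1
}

# audit_sysctl: check every setting; the return code is the number of settings
# that are not as recommended (0 means everything is as expected).
audit_sysctl() {
    bad=0
    # Anti-spoofing: reverse path filter on for every interface
    for f in "$PROC_ROOT"/sys/net/ipv4/conf/*/rp_filter; do
        want "$f" 1 || bad=$((bad + 1))
    done
    # Source routing off
    for f in "$PROC_ROOT"/sys/net/ipv4/conf/*/accept_source_route; do
        want "$f" 0 || bad=$((bad + 1))
    done
    # ICMP redirects off
    for f in "$PROC_ROOT"/sys/net/ipv4/conf/*/accept_redirects; do
        want "$f" 0 || bad=$((bad + 1))
    done
    # SYN cookies on
    want "$PROC_ROOT/sys/net/ipv4/tcp_syncookies" 1 || bad=$((bad + 1))
    return "$bad"
}

# apply_sysctl: write the recommended values (needs root on the real /proc).
apply_sysctl() {
    for f in "$PROC_ROOT"/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "$f"; done
    for f in "$PROC_ROOT"/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > "$f"; done
    for f in "$PROC_ROOT"/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$f"; done
    if [ -e "$PROC_ROOT/sys/net/ipv4/tcp_syncookies" ]; then
        echo 1 > "$PROC_ROOT/sys/net/ipv4/tcp_syncookies"
    fi
}

# Usage:  sh sysctl-check.sh audit   (report only)
#         sh sysctl-check.sh apply   (set the values, then re-audit; run as root)
case "${1:-}" in
    audit) audit_sysctl ;;
    apply) apply_sysctl && audit_sysctl ;;
esac
```

Run it with audit after boot to confirm /etc/sysctl.conf or your rc script actually did its job; a MISMATCH for a freshly added interface is the usual way to spot that a per-interface setting (the conf/*/ ones) was applied before the interface existed.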
Security Quick-Start HOWTO for Red Hat Linux