Once upon a time the argument was simple, RISC architecture was simply ahead of the game, by a long way, but guess what, x86 grew up, caught up, and overtook. These days, the performance you get out of multi-core x86 is significantly more than it’s RISC based equivalent. I realise that point could be considered contentious by the purists out there, but for mainstream computing in a world that is ever more cost concious, I struggle see how any argument for RISC can win over x86.

Once you have your x86 base, you can go with an x86 version of Solaris (not that you would) or thanks to Sun not playing silly games, you can actually use something useful, such as Redhat, Suse, Ubuntu or if you so desire, Novell.This additional flexibility is core to getting the base of your platform right. Large scale architectures need solid foundations to remain stable, perform and scale as desired.

Lets consider it for a moment. Sparc vs x86 & Solaris vs Linux, well to be honest, there is barley anything in the comparison except cost. Sun make x86 hardware based on multi-core AMD processors which are blisteringly fast and being manufactured by Sun, they are rock solid.

Now. If I were that retailer, I know where I would be looking to spend my money, but thats not what I am there to talk to them about, so I’ll keep it for my blog and not overstep my scope.

Like

Unlike

                          

Related posts

• Snort Rocks! (2)
• Linux Defence Tweaks (0)
• Free Security for All! (0)

Lets start with the TCP/IP stack. There are a number of quick easy wins here that can help defend against attacks through making the default behaviours of the stack more in-line with what we would like:

echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/lo/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo "0" > /proc/sys/net/ipv4/conf/lo/log_martians
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "15" > /proc/sys/net/ipv4/ipfrag_time
echo "2048" > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo "2" > /proc/sys/net/ipv4/tcp_synack_retries

Now, that little lot above needs some caveats. Firstly, use at your own risk! Secondly, As per usual, you often get a small performance hit when you start getting more secure, so test each tweak fully before you go into production. Once your happy with the ones you like, add then to your /etc/rc.local or other start up file of your choice.

The next step is to use iptables to help deal with dodgy looking traffic.

Step 1, set-up a bunch of new chains:

$IPTABLES -N CHECK_FLAGS
$IPTABLES -N ALLOW_ICMP
$IPTABLES -N SRC_EGRESS
$IPTABLES -N DST_EGRESS

Step 2, now lets get those chains to do something useful:

$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit
        --limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "NMAP-XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit
        --limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/RST:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit
        --limit 5/minute -j LOG --log-level $LOG_LEVEL --log-prefix "SYN/FIN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A ALLOW_ICMP -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A ALLOW_ICMP -p icmp --icmp-type destination-unreachable
        -j ACCEPT
$IPTABLES -A ALLOW_ICMP -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A ALLOW_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
 
        for SRCNET in $EGRESS_NETS; do
                $IPTABLES -A SRC_EGRESS -s $SRCNET -j DROP
        done
 
        for DSTNET in $EGRESS_NETS; do
                $IPTABLES -A DST_EGRESS -d $DSTNET -j DROP
        done

Step 3, Apply the prior two steps to your input, forward and output chains as needed:

$IPTABLES -A $CHAIN -i $EXT_INT -j SRC_EGRESS
$IPTABLES -A $CHAIN -i $EXT_INT -j DST_EGRESS
$IPTABLES -A $CHAIN -i $EXT_INT -p icmp -j ALLOW_ICMP
$IPTABLES -A $CHAIN -i $EXT_INT -p tcp -j CHECK_FLAGS

Variables. In all of the above, variables are used to save typing!, here are some of the important variables, the rest are fairly self explanatory:

EGRESS_NETS="
        172.16.0.0/12
        224.0.0.0/4
        240.0.0.0/5
        14.0.0.0/8
        169.254.0.0/16
        172.16.0.0/12
        192.0.2.0/24
        192.88.99.0/24
        192.18.0.0/15
        0.0.0.0/8
        "

What we have just done is setup some new chains, apply some filters that can identify dodgy looking traffic and do something useful with it (limit it rather than drop it, as we don’t want to arouse suspicion with our attackers). Then apply all that nice Packet Mangling to each of our primary chains.

I provide all of this advice for free, with no guarantees, any use of the above code should be with full testing prior to its use in a production environment. Enjoy!

Like

Unlike

                          

Related posts

• Snort Rocks! (2)
• Free Security for All! (0)
• The Asymmetry of Security (0)
• Security as a Career (0)
• Press Coverage – January 2010 (0)