svn commit: r44730 - head/en_US.ISO8859-1/books/handbook/security

Dru Lavigne dru at FreeBSD.org
Thu May 1 15:27:35 UTC 2014


Author: dru
Date: Thu May  1 15:27:34 2014
New Revision: 44730
URL: http://svnweb.freebsd.org/changeset/doc/44730

Log:
  Editorial review of System Tuning for Security.
  
  Sponsored by:	iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Thu May  1 14:34:54 2014	(r44729)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Thu May  1 15:27:34 2014	(r44730)
@@ -568,32 +568,36 @@ cat changed
     <sect2 xml:id="security-tuning">
       <title>System Tuning for Security</title>
 
-      <para>Many of the systems features may be tuned through the use
-	of &man.sysctl.8;.  This is also true for a few security
-	features which could be used to prevent denial of service
-	(<acronym>DOS</acronym>) style attacks.  Some of the more
-	important will be covered here.  Any time a setting is changed
-	with &man.sysctl.8;, the chance to cause undesired harm is
-	increased affecting the availability of the system.
-	Considering the <acronym>CIA</acronym> of the system should be
-	done during any system-wide configuration change.</para>
+      <para>In &os;, many system features can be tuned using
+	<command>sysctl</command>.  A few of the security
+	features which can be tuned to prevent Denial of Service
+	(<acronym>DoS</acronym>) attacks
+	will be covered in this section.  More information about using
+	<command>sysctl</command>, including how to temporarily change
+	values and how to make the changes permanent after testing,
+	can be found in <xref
+	  linkend="configtuning-sysctl"/>.</para>
 
-      <para>The following is a list of &man.sysctl.8;'s and a short
-	description of what effects the changes will have on the
-	system.</para>
+      <note>
+	<para>Any time a setting is changed
+	with <command>sysctl</command>, the chance to cause undesired harm is
+	increased, affecting the availability of the system.  All changes
+	should be monitored and, if possible, tried on a testing
+	system before being used on a production system.</para>
+      </note>
 
       <para>By default, the &os; kernel boots with a security level of
-	-1.  This is called <quote>insecure mode</quote> because
+	<literal>-1</literal>.  This is called <quote>insecure mode</quote> because
 	immutable file flags may be turned off and all devices may be
-	read from or written to.  The security level will remain at -1
-	unless it is altered, either by the administrator or by
-	&man.init.8;, because of a setting in the startup scripts.
-	The security level may be raised during system startup by
+	read from or written to.  The security level will remain at <literal>-1</literal>
+	unless it is altered through <command>sysctl</command> or by
+	a setting in the startup scripts.
+	The security level may be increased during system startup by
 	setting <varname>kern_securelevel_enable</varname> to
 	<literal>YES</literal> in <filename>/etc/rc.conf</filename>,
 	and the value of <varname>kern_securelevel</varname> to the
 	desired security level.  See &man.security.7; and &man.init.8;
-	for more information on these settings.</para>
+	for more information on these settings and the available security levels.</para>
 
       <warning>
 	<para>Increasing the <varname>securelevel</varname> can break
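Review bot: the opening sentence of the replacement paragraph ("A few of the security features which can be tuned to prevent Denial of Service (DoS) attacks will be covered in this section") splits its subject and verb across three lines of qualifiers and reads awkwardly; suggest "This section covers a few of the security features that can be tuned to help prevent Denial of Service (DoS) attacks." In the new note, "the chance to cause undesired harm is increased, affecting the availability of the system" keeps the old text's wordiness; "any change made with sysctl risks affecting the availability of the system" says the same thing more directly. In the securelevel paragraph, the warning that follows refers to `<varname>securelevel</varname>` while the paragraph itself names the variable `kern_securelevel`; using the same name in both places would avoid the reader wondering whether they are different settings.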
@@ -601,45 +605,46 @@ cat changed
 	  prepared to do some debugging.</para>
       </warning>
 
-      <para>Next &man.sysctl.8;s to change is the
-	net.inet.tcp.blackhole and net.inet.udp.blackhole.  When these
-	are set, incoming <acronym>SYN</acronym> packets on closed
-	ports will be dropped with no return <acronym>RST</acronym>
-	response.  The normal behavior is to return an
-	<acronym>RST</acronym> to show a port is closed.  These will
-	provide some level of protection against
-	<quote>stealth</quote> scans against a system.  Set the
-	net.inet.tcp.blackhole to <quote>2</quote> and the
-	net.inet.udp.blackhole to <quote>1</quote> and review the
-	information in &man.blackhole.4; for more information.</para>
-
-      <para>Additionally the net.inet.icmp.drop_redirect and
-	net.inet.ip.redirect should be set as well.  These two
-	&man.sysctl.8;s will help prevent against what are called
-	redirect attacks.  Redirect attacks are the purposeful mass
-	issuing of <acronym>ICMP</acronym> type 5 packets which should
-	not be required in a normal network.  As such, set
-	net.inet.icmp.drop_redirect to <quote>1</quote> and set
-	net.inet.ip.redirect to <quote>0</quote>.</para>
+      <para>The <varname>net.inet.tcp.blackhole</varname> and
+	<varname>net.inet.udp.blackhole</varname> settings can be used
+	to drop incoming <acronym>SYN</acronym> packets on closed
+	ports without sending a return <acronym>RST</acronym>
+	response.  The default behavior is to return an
+	<acronym>RST</acronym> to show a port is closed.  Changing the default
+	provides some level of protection against
+	ports scans, which are used to determine
+	which applications are running on a system.  Set
+	<varname>net.inet.tcp.blackhole</varname> to <literal>2</literal> and
+	<varname>net.inet.udp.blackhole</varname> to <literal>1</literal>.
+	Refer to &man.blackhole.4; for more information about these settings.</para>
+
+      <para>The <varname>net.inet.icmp.drop_redirect</varname> and
+	<varname>net.inet.ip.redirect</varname> settings
+	help prevent against
+	<firstterm>redirect attacks</firstterm>.  A redirect attack is a type of <acronym>DoS</acronym> which sends mass
+	numbers of <acronym>ICMP</acronym> type 5 packets.  Since these packets
+	are not required, set
+	<varname>net.inet.icmp.drop_redirect</varname> to <literal>1</literal> and set
+	<varname>net.inet.ip.redirect</varname> to <literal>0</literal>.</para>
 
-      <para>Source routing is method of detecting and accessing
+      <para>Source routing is a method for detecting and accessing
 	non-routable addresses on the internal network.  This should
-	probably be disabled as non-routable addresses are normally
+	be disabled as non-routable addresses are normally
 	not routable on purpose.  To disable this feature, set
-	net.inet.ip.sourceroute and net.inet.ip.accept_sourceroute
-	to <quote>0</quote>.</para>
+	<varname>net.inet.ip.sourceroute</varname> and
+	<varname>net.inet.ip.accept_sourceroute</varname>
+	to <literal>0</literal>.</para>
+
+      <para>When a machine on the network needs to
+	send messages to all hosts on a subnet, an
+	<acronym>ICMP</acronym> echo request message is sent
+	to the broadcast address.  However, there is no reason for an external
+	host to perform such an action. To reject
+	all external broadcast requests, set
+	<varname>net.inet.icmp.bmcastecho </varname>to <literal>0</literal>.</para>
 
-      <para>Drop all <acronym>ICMP</acronym> echo requests to the
-	broadcast address.  When machine on the network need to
-	send messages to all hosts on a subnet, the message is sent
-	to the broadcast address.  There is no reason an external
-	host should need to perform such an action so set
-	net.inet.icmp.bmcastecho to <quote>0</quote> to reject
-	all external broadcast requests.</para>
-
-      <para>Some additional &man.sysctl.8;s are documented in
-	&man.security.7; and it is recommended it be consulted for
-	additional information.</para>
+      <para>Some additional settings are documented in
+	&man.security.7;.</para>
     </sect2>
   </sect1>
 
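Review bot: the blackhole paragraph conflates TCP and UDP. It says both `net.inet.tcp.blackhole` and `net.inet.udp.blackhole` "drop incoming SYN packets on closed ports without sending a return RST", but SYN and RST are TCP flags and UDP has no handshake, so the UDP setting cannot act on SYNs. Suggest describing the two separately: the TCP setting controls whether a SYN to a closed port is answered with an RST, the UDP setting controls whether a datagram to a closed port is answered at all, with blackhole(4) cited for the meaning of the values 1 and 2. Smaller items in the same hunk: "ports scans" should be "port scans"; in `<varname>net.inet.icmp.bmcastecho </varname>to` the space belongs after the closing tag, not inside the element; and the redirect paragraph's "Since these packets are not required" drops the removed text's qualifier "in a normal network", which is worth restoring since ICMP redirects are not useless in every topology.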