///
Search
💎

Network security check

# INSTALLATION # # # cp <script> /etc/init.d/nddconfig # # chmod 744 /etc/init.d/nddconfig # # chown root:sys /etc/init.d/nddconfig # # ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig # PATH=/usr/bin:/usr/sbin # # A note about parameter values: # '0' == false/off/disable # '1' == true/on/enable # # # verbose # # This option enables verbose output generated by this script. # verbose=1 # # arp_cleanup_interval # # This option determines the period of time the Address Resolution # Protocol (ARP) cache maintains entries. ARP attacks may be effective # with the default interval. Shortening the timeout interval should # reduce the effectiveness of such an attack. # The default value is 300000 milliseconds (5 minutes). # arp_cleanup_interval=60000 # # ip_forward_directed_broadcasts # # This option determines whether to forward broadcast packets directed # to a specific net or subnet, if that net or subnet is directly # connected to the machine. If the system is acting as a router, this # option can be exploited to generate a great deal of broadcast network # traffic. Turning this option off will help prevent broadcast traffic # attacks. # The default value is 1 (true). # ip_forward_directed_broadcasts=0 # # ip_forward_src_routed # ip6_forward_src_routed (Solaris 8) # # This option determines whether to forward packets that are source # routed. These packets define the path the packet should take instead # of allowing network routers to define the path. # The default value is 1 (true). # ip_forward_src_routed=0 ip6_forward_src_routed=0 # # ip_ignore_redirect # ip6_ignore_redirect (Solaris 8) # # This option determines whether to ignore Internet Control Message # Protocol (ICMP) packets that define new routes. If the system is # acting as a router, an attacker may send redirect messages to alter # routing tables as part of sophisticated attack (man in the middle # attack) or a simple denial of service. # The default value is 0 (false). # ip_ignore_redirect=1 ip6_ignore_redirect=1 # # ip_ire_flush_interval (Solaris 2.5.1, 2.6, and 7) # ip_ire_arp_interval (Solaris 8) # # This option determines the period of time at which a specific route # will be kept, even if currently in use. ARP attacks may be effective # with the default interval. Shortening the time interval may reduce # the effectiveness of attacks. # The default interval is 1200000 milliseconds (20 minutes). # ip_ire_flush_interval=60000 ip_ire_arp_interval=60000 # # ip_respond_to_address_mask_broadcast # # This options determines whether to respond to ICMP netmask requests # which are typically sent by diskless clients when booting. An # attacker may use the netmask information for determining network # topology or the broadcast address for the subnet. # The default value is 0 (false). # ip_respond_to_address_mask_broadcast=0 # # ip_respond_to_echo_broadcast # ip6_respond_to_echo_multicast (Solaris 8) # # This option determines whether to respond to ICMP broadcast echo # requests (ping). An attacker may try to create a denial of service # attack on subnets by sending many broadcast echo requests to which all # systems will respond. This also provides information on systems that # are available on the network. # The default value is 1 (true). # ip_respond_to_echo_broadcast=0 ip6_respond_to_echo_multicast=0 # # ip_respond_to_timestamp # # This option determines whether to respond to ICMP timestamp requests # which some systems use to discover the time on a remote system. An # attacker may use the time information to schedule an attack at a # period of time when the system may run a cron job (or other time- # based event) or otherwise be busy. It may also be possible predict # ID or sequence numbers that are based on the time of day for spoofing # services. # The default value is 1 (true). # ip_respond_to_timestamp=0 # # ip_respond_to_timestamp_broadcast # # This option determines whether to respond to ICMP broadcast timestamp # requests which are used to discover the time on all systems in the # broadcast range. This option is dangerous for the same reasons as # responding to a single timestamp request. Additionally, an attacker # may try to create a denial of service attack by generating many # broadcast timestamp requests. # The default value is 1 (true). # ip_respond_to_timestamp_broadcast=0 # # ip_send_redirects # ip6_send_redirects (Solaris 8) # # This option determines whether to send ICMP redirect messages which # can introduce changes into remote system's routing table. It should # only be used on systems that act as routers. # The default value is 1 (true). # ip_send_redirects=0 ip6_send_redirects=0 # # ip_strict_dst_multihoming # ip6_strict_dst_multihoming (Solaris 8) # # This option determines whether to enable strict destination # multihoming. If this is set to 1 and ip_forwarding is set to 0, then # a packet sent to an interface from which it did not arrive will be # dropped. This setting prevents an attacker from passing packets across # a machine with multiple interfaces that is not acting a router. # The default value is 0 (false). # ip_strict_dst_multihoming=1 ip6_strict_dst_multihoming=1 # # tcp_conn_req_max_q0 # # This option sets the size of the queue containing unestablished # connections. This queue is part of a protection mechanism against # SYN flood attacks. The queue size default is adequate for most # systems but should be increased for busy servers. # The default value is 1024. # tcp_conn_req_max_q0=4096 # # tcp_conn_req_max_q # # This option sets the maximum number fully established connections. # Increasing the size of this queue provides some limited protection # against resource consumption attacks. The queue size default is # adequate for most systems but should be increased for busy servers. # The default value is 128. # tcp_conn_req_max_q=1024 # # tcp_rev_src_routes (Solaris 8) # # This option determines whether the specified route in a source # routed packet will be used in returned packets. TCP source routed # packets may be used in spoofing attacks, so the reverse route should # not be used. # The default value is 0 (false). # tcp_rev_src_routes=0 # # Adding specific privileged ports (Solaris 2.6, 7, and 8) # # These options define additional TCP and UDP privileged ports outside # of the 1-1023 range. Any program that attempts to bind the ports # listed here must run as root. This prevents normal users from # starting server processes on specific ports. Multiple ports can be # specifed by quoting and separating them with spaces. # # Defaults values: # tcp_extra_priv_ports: 2049 (nfsd) 4045 (lockd) # udp_extra_priv_ports: 2049 (nfsd) 4045 (lockd) # tcp_extra_priv_ports_add="6112" udp_extra_priv_ports_add="" # # Ephemeral port range adjustment (Solaris 2.5.1, 2.6, 7, and 8) # # These options define the upper and lower bounds on ephemeral ports. # Ephemeral (means short-lived) ports are used when establishing # outbound network connections. # # Defaults values: # tcp_smallest_anon_port=32768 # tcp_largest_anon_port=65535 # udp_smallest_anon_port=32768 # udp_largest_anon_port=65535 # tcp_smallest_anon_port=32768 tcp_largest_anon_port=65535 udp_smallest_anon_port=32768 udp_largest_anon_port=65535 # # Nonprivileged port range adjustment (Solaris 2.5.1, 2.6, 7, and 8) # # These options define the start of nonprivileged TCP and UDP ports. # The nonprivileged port range normally starts at 1024. Any program # that attempts to bind a nonprivileged port does not have to run as # root. # # Defaults values: # tcp_smallest_nonpriv_port=1024 # udp_smallest_nonpriv_port=1024 # tcp_smallest_nonpriv_port=1024 udp_smallest_nonpriv_port=1024 # +-----------------------------------------+ # | No modification needed below this line. | # +-----------------------------------------+ # # base parameters (the same across the 2.5.1, 2.6, 7, 8, and 9 (alpha) # releases) # base_parameters="arp_cleanup_interval ip_forward_directed_broadcasts ip_forward_src_routed ip_ignore_redirect ip_respond_to_address_mask_broadcast ip_respond_to_echo_broadcast ip_respond_to_timestamp ip_respond_to_timestamp_broadcast ip_send_redirects ip_strict_dst_multihoming tcp_conn_req_max_q0 tcp_conn_req_max_q tcp_smallest_anon_port tcp_largest_anon_port udp_smallest_anon_port udp_largest_anon_port tcp_smallest_nonpriv_port udp_smallest_nonpriv_port" # # OS_revision specific parameters # # Solaris 2.5.1 specific parameters SunOS5_5_1="ip_ire_flush_interval" # Solaris 2.6 specific parameters SunOS5_6="ip_ire_flush_interval tcp_extra_priv_ports_add udp_extra_priv_ports_add" # Solaris 7 specific parameters SunOS5_7="ip_ire_flush_interval tcp_extra_priv_ports_add udp_extra_priv_ports_add" # Solaris 8 specific parameters SunOS5_8="ip_ire_arp_interval tcp_extra_priv_ports_add udp_extra_priv_ports_add tcp_rev_src_routes" # Solaris 9 (alpha) specific parameters SunOS5_9="ip_ire_arp_interval tcp_extra_priv_ports_add udp_extra_priv_ports_add tcp_rev_src_routes" # # IPv6 parameters (apply to Solaris 8 and 9 (alpha)) # ip6_parameters="ip6_forward_src_routed ip6_respond_to_echo_multicast ip6_send_redirects ip6_ignore_redirect ip6_strict_dst_multihoming" # # system privilege ports defaults # extra_priv_ports_defaults="2049 4045 " # # get OS name and revision information # os=`uname -s` revision=`uname -r` OSRev=$os`echo $revision | sed -e 's/./_/g'` # # check if IPv6 is enabled # ip6_interfaces="`echo /etc/hostname6.*[0-9] 2> /dev/null`" [ "$ip6_interfaces" != "/etc/hostname6.*[0-9]" ] && ip6_enabled=true # # do_in_order -- This function executes the specified functions with # the appropriate parameters for the local OS, revision, and # configuration. Currently it acts on a specific base set of # parameters, OS and revision specific parameters, and IPv6 # parameters. # do_in_order() { # function_name function_name=$1 # handle the base parameters for param in $base_parameters; do $function_name $param done # handle the OS/revision specific parameters eval‍ OSRev_params=$$OSRev for param in $OSRev_params; do $function_name $param done # handle IPv6 parameters if [ "$ip6_enabled" = "true" ]; then for param in $ip6_parameters; do $function_name $param done fi } # # set_parameter -- This function uses ndd to set a parameter. # The supplied parameter name has a shell variable with the same # name which contains the value for the parameter. # set_parameter() { # parameter # definition for local variable param=$1 # determine the driver from the first substring in the parameter name driver=/dev/`echo $param | sed -e 's/_.*//'` eval‍ values=$$param # First check that a value for the parameter exists. If not, skip it. if [ -n "$values" ]; then # Some parameters may have multiple values specified in one # assignment further up in the script. ndd only accepts one # parameter at a time. Loop through and set each value. for value in $values; do [ "$verbose" = "1" ] && echo "Setting $driver $param to $value" ndd -set $driver $param $value done fi } # # display_parameter -- This function uses ndd to extract the value of # a parameter and display it. # display_parameter() { # parameter # definition for local variable param=$1 # hack for the "write only" extra privileged ports parameters param=`echo $param | sed -e 's/_add$//'` # determine the driver from the first substring in the parameter name driver=/dev/`echo $param | sed -e 's/_.*//'` # execute the ndd command to retrieve settings and remove newlines value=`ndd $driver $param | tr -d 'n'` # print parameter value echo " $driver $param = '$value'" } # # compare_parameter -- This function uses ndd to extract the value of # a parameter. It compares the current parameter value to the one # defined in this script. # compare_parameter() { # parameter # definition for local variable originalParam=$1 # hack for the "write only" extra privileged ports parameters modifiedParam=`echo $originalParam | sed -e 's/_add$//'` # determine the driver from the first substring in the parameter name driver=/dev/`echo $modifiedParam | sed -e 's/_.*//'` # execute the ndd command to retrieve settings and remove newlines currentValue=`ndd $driver $modifiedParam | tr -d 'n'` eval‍ intendedValue="$$originalParam" # if the modified parameter name is different from the original # parameter, then we are dealing with the privileged port parameters if [ "$modifiedParam" != "$originalParam" ]; then # the privileged port parameters have system defaults that must # be accounted for in the comparison if [ -n "$intendedValue" ]; then intendedValue="$extra_priv_ports_defaults$intendedValue " else intendedValue="$extra_priv_ports_defaults" fi fi # print parameter value and note all deviations echo " $driver $modifiedParam = '$currentValue'c" if [ "$intendedValue" != "$currentValue" ]; then echo " (should be '$intendedValue')" else echo " (ok)" fi } # Process the command argument case "$1" in 'start') # set the parameters in the defined order do_in_order set_parameter ;; 'show') echo "Current ndd parameter settings:" do_in_order display_parameter ;; 'compare') echo "Comparison of ndd parameter settings:" do_in_order compare_parameter ;; 'stop') # ignored [ "$verbose" = "1" ] && echo "$0: 'stop' ignored. No network changes applied." ;; *) echo "Usage: $0 { start | stop | show | compare }" exit 1 ;; esac exit 0
JavaScript
복사