How do I set advanced security options of the TCP/IP stack and virtual memory to improve security and performance of my system? How do I configure Linux kernel to prevent certain kinds of attacks using /etc/sysctl.conf? How do I set Linux kernel parameters?

sysctl is an interface that allows you to make changes to a running Linux kernel. With /etc/sysctl.conf you can configure various Linux networking and system settings such as:

  1. Restrict network-transmitted configuration (redirects, source routing) for IPv4
  2. Restrict network-transmitted configuration (redirects, source routing) for IPv6
  3. Turn on ExecShield protection (on kernels that provide it)
  4. Protect against the common SYN flood attack
  5. Turn on source IP address verification (reverse-path filtering)
  6. Prevent an attacker from spoofing the IP address of the server
  7. Log several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects

sysctl command

The sysctl command is used to modify kernel parameters at runtime. /etc/sysctl.conf is a text file containing sysctl values to be read in and set by sysctl at boot time. To view all current values, enter:
# sysctl -a
To view a single variable, give its name, for example:
# sysctl net.ipv4.conf.all.rp_filter

To load settings, enter:
# sysctl -p

Sample /etc/sysctl.conf

Edit /etc/sysctl.conf and update it as follows. The file is documented with comments. However, I recommend reading the official Linux kernel sysctl tuning help file (see below):

# The following is suitable for dedicated web server, mail, ftp server etc.
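The post's sample /etc/sysctl.conf is cut off above, so the following is an added example of a hardening baseline covering the seven items listed earlier; it is not the author's file. It is Linux-only (the FreeBSD sections further down use different keys), and a host that routes traffic needs net.ipv4.ip_forward = 1 instead of 0. Keys that a given kernel does not have (kernel.exec-shield outside RHEL/CentOS 5 and 6) make sysctl -p print one error and carry on.

```conf
# /etc/sysctl.conf - hardening baseline (added example, not the post's own file)

# IPv4: this host is not a router; ignore source routing and ICMP redirects
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Source address verification (anti-spoofing); 1 = strict reverse-path check
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Log martians: spoofed, source-routed and otherwise impossible source addresses
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# SYN flood mitigation
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2

# Ignore broadcast pings (smurf amplification) and bogus ICMP error responses
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# IPv6: same posture as IPv4
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
# Only disable router advertisements if this host gets its IPv6 config statically
net.ipv6.conf.all.accept_ra = 0

# Memory: full address-space randomization; ExecShield where the kernel has it
kernel.randomize_va_space = 2
kernel.exec-shield = 1
```

Load it with sysctl -p and confirm a value took effect with, for example, sysctl net.ipv4.tcp_syncookies. With log_martians on, spoofed packets show up in dmesg and /var/log/messages as "martian source" lines, which is the quickest way to see the setting working.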

I’m getting an error which reads as follows under a FreeBSD 7.2 server running the Squid stable caching proxy:

WARNING! Your cache is running out of filedescriptors

How do I fix this problem and increase the number of system-wide available file descriptors on a FreeBSD server?

For a busy caching proxy you need to raise the number of file descriptors the system, and each process, may hold open, by setting kernel limits in /etc/sysctl.conf. There is no need to change squid.conf.

Find Current Squid File Descriptors Limits Under FreeBSD

Type the following command:
# squidclient mgr:info | grep 'file descri'
OR
# squidclient -p 8080 -u USERNAME -w 'secretPassword' mgr:info | grep 'file descri'

Increase Squid File Descriptors Limits

Type the following commands at a shell prompt (kern.maxfiles is the system-wide ceiling and must stay larger than the per-process limit):
# sysctl kern.maxfilesperproc=8192
# sysctl kern.maxfiles=65535

To keep the settings after a reboot, add them to /etc/sysctl.conf (one key=value per line, without a leading "sysctl"):
# echo 'kern.maxfilesperproc=8192' >> /etc/sysctl.conf
# echo 'kern.maxfiles=65535' >> /etc/sysctl.conf

Where,

  1. kern.maxfilesperproc – maximum number of files a single process may have open (8192 here)
  2. kern.maxfiles – maximum number of files that may be open system-wide (65535 here)

Optionally you may also want to widen the ephemeral port range, so a busy proxy does not run out of source ports for its outbound connections:
# sysctl net.inet.ip.portrange.first=1024
# sysctl net.inet.ip.portrange.last=65535

Finally restart Squid and verify that it picked up the new FD limit:
# squidclient mgr:info | grep 'file descri'

Note that Squid also fixes its own ceiling when it is compiled (configure takes the build host's ulimit -n, or the value given with --with-maxfd=N). If mgr:info still reports the old "Maximum number of file descriptors" after the restart, raise the limit in the build shell and rebuild Squid.
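The echo >> lines above work once but leave duplicate keys behind when repeated, and on FreeBSD the last assignment in the file wins, so the drift is silent. The script below is an added example, not part of the original post: an idempotent helper for editing a sysctl.conf-style file, plus a parser for the squidclient mgr:info lines that reports how much descriptor headroom Squid has left. It runs offline against a temp file and a constructed mgr:info sample; the file path, the sample figures and the warning threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers for the FreeBSD/Squid
# file-descriptor tuning above. Assumptions: POSIX sh, awk, sed, grep, mktemp.

sysctl_conf_set() {
  # usage: sysctl_conf_set <file> <key> <value>
  # Rewrites an existing "key=value" line in place, otherwise appends one,
  # so repeated runs never leave duplicate keys in the file.
  file=$1 key=$2 value=$3
  [ -f "$file" ] || : > "$file"
  if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')      # escape the dots for the sed regex
    sed -i.bak "s|^[[:space:]]*${esc}[[:space:]]*=.*|${key}=${value}|" "$file" && rm -f "$file.bak"
  else
    printf '%s=%s\n' "$key" "$value" >> "$file"
  fi
}

sysctl_conf_get() {
  # usage: sysctl_conf_get <file> <key>  -> prints the effective (last) value for key
  awk -F= -v k="$2" '
    { key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key) }
    key == k { v = $2 }
    END { gsub(/^[ \t]+|[ \t]+$/, "", v); print v }' "$1"
}

squid_fd_usage() {
  # usage: squid_fd_usage < "squidclient mgr:info" output  -> prints "used max percent"
  awk '
    /Maximum number of file descriptors:/   { max  = $NF }
    /Number of file desc currently in use:/ { used = $NF }
    END {
      if (max == 0) { print "no-data"; exit 1 }
      printf "%d %d %d\n", used, max, (used * 100) / max
    }'
}

squid_fd_check() {
  # usage: squid_fd_check <threshold-percent> < mgr:info output
  # Returns 1 when descriptor usage is at or above the threshold (cron-friendly).
  pct=$(squid_fd_usage | awk '{ print $3 }')
  [ -n "$pct" ] && [ "$pct" -lt "$1" ]
}

# Constructed sample of the FD block that mgr:info prints (figures are made up)
SAMPLE_INFO='File descriptor usage for squid:
        Maximum number of file descriptors:   1024
        Largest file desc currently in use:    300
        Number of file desc currently in use:  250
        Files queued for open:                   0
        Available number of file descriptors:  774
        Reserved number of file descriptors:   100'

demo() {
  tmp=$(mktemp)
  sysctl_conf_set "$tmp" kern.maxfilesperproc 8192
  sysctl_conf_set "$tmp" kern.maxfiles 65535
  sysctl_conf_set "$tmp" kern.maxfilesperproc 16384   # second call rewrites, no duplicate
  cat "$tmp"
  printf '%s\n' "$SAMPLE_INFO" | squid_fd_usage
  printf '%s\n' "$SAMPLE_INFO" | squid_fd_check 90 || echo "WARNING: Squid near its FD ceiling"
  rm -f "$tmp"
}

demo
```

On the real box call sysctl_conf_set /etc/sysctl.conf kern.maxfiles 65535 and feed squidclient mgr:info straight into squid_fd_check; a usage percentage climbing toward the maximum is the early form of the "running out of filedescriptors" warning.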


Network Address Translation (NAT, also known as network masquerading, native address translation or IP masquerading) involves rewriting the source and/or destination addresses of IP packets as they pass through a router or firewall. Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address on the gateway. Many network administrators find NAT a convenient technique and use it widely. Nonetheless, NAT can introduce complications in communication between hosts and may have a performance impact.
As a FreeBSD fan, I would like to share my experience of building a NAT gateway.
This is the topology:

LAN NETWORK ———> freebsd NAT ROUTER/GATEWAY ———-> INTERNET

I use NAT in this case. The gateway has two NICs, one for the upstream and one for the downstream. The Realtek card (rl0) is the upstream interface and gets the public address 202.14.xxx.xxx; the other interface gets 192.168.1.1 on the LAN side.
Then I use Packet Filter (PF) to do the NAT.
This is the configuration to load PF at boot.

Load the module by hand with kldload pf (on many systems it is already loaded, or compiled into the kernel).

Enable PF with the pfctl -e command.

Edit your /etc/rc.conf and add:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
gateway_enable="YES"

Then create /etc/pf.conf with the NAT rule (the parentheses make PF follow rl0's current address if it changes):
nat on rl0 from 192.168.1.0/24 to any -> (rl0)

After that, give a client PC an address in 192.168.1.0/24 with 192.168.1.1 as its default gateway and test the connection.

If it does not work, check that IP forwarding is on. gateway_enable="YES" in /etc/rc.conf turns it on at boot; to turn it on immediately run:

# sysctl net.inet.ip.forwarding=1

(If you would rather keep it in /etc/sysctl.conf, the line is net.inet.ip.forwarding=1, without the leading "sysctl".) Then load the rules with pfctl -f /etc/pf.conf.

That's it.

Happy Nating!

How to: squidGuard + Squid on FreeBSD (February 15th, 2010)

Download Berkeley DB from the Oracle website:

# cd /usr/local

# wget http://download.oracle.com/berkeley-db/db-4.8.26.tar.gz

# tar -zxvf db-4.8.26.tar.gz

# cd db-4.8.26/build_unix

Run this command (the build tree is build_unix; configure lives one level up, in dist):

# ../dist/configure --prefix=/usr/local/db/

After that:

# make && make install

This installs it in /usr/local/db.

Go and verify that the new directories are there, e.g. bin, include and lib.

If so, then:

# cd /usr/local

# wget http://www.squidguard.org/Downloads/squidGuard-1.4.tar.gz

Unpack it using:

# tar -zxvf squidGuard-1.4.tar.gz

# cd squidGuard-1.4

# ./configure --prefix=/usr/local/squidGuard --with-db=/usr/local/db/ --with-sg-config=/usr/local/squidGuard/squidGuard.conf

# make && make install

# cd /usr/local/squidGuard
# vi squidGuard.conf

Copy and paste this for a minimal configuration:

#####################################################################
logdir /usr/local/squidGuard/log
dbhome /usr/local/squidGuard/db 

dest bar_adult {
        domainlist bar_adult/domains
        urllist    bar_adult/urls
} 

acl {
        default {
                pass !bar_adult all
                redirect http://127.0.0.1/blocked.php?url=%u
                # if a web server is running on the same system
                # and you have already made a blocked.php page and placed it in the web server's document root.
                # If not, make a block.html page with whatever text you want and point the redirect at it:
                #redirect http://yourwebserverip/block.html
        }
}

##################################################################################

# cd /usr/local/squidGuard
# mkdir db
# mkdir log
# touch log/squidGuard.log
# chown -R squid:squid db log
# cd db
# mkdir bar_adult
# cd bar_adult

(squidGuard runs as Squid's effective user, so that user must be able to write the log and read the lists; if it cannot, squidGuard falls back to emergency mode and passes every request through.)

Now create the list files themselves. Create a file called domains and fill it with domains, one per line, in this format:

adult_content.com
naughty.com

Now create a file called urls and fill it with URLs, one per line, without the scheme, in this format:

foo.com/~adult
bar.com/img/sexy

Edit your squid.conf, wherever it is, and add the line:

redirect_program /usr/local/squidGuard/bin/squidGuard

Then check the configuration and reload Squid:

/usr/local/squid/sbin/squid -k parse
/usr/local/squid/sbin/squid -k reconfigure

To debug in the foreground instead (stop the running Squid first), use:

/usr/local/squid/sbin/squid -NCd1

If all is OK, reload Squid and it will work. Whenever you change the domain or URL lists, recompile them with squidGuard -C all so the .db files match the text files, and keep an eye on squidGuard.log for the emergency-mode message.
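squidGuard fails open: if it cannot parse a list or write its log file it enters emergency mode and passes every request through unfiltered, so a stray "http://" in the domains file switches the filter off without any visible error in the browser. The script below is an added example, not from the original post or the squidGuard project. It lints the domains and urls files for the mistakes that break matching (a scheme prefix, a path or port in the domains file, a urls entry with no path, stray whitespace) and greps squidGuard.log for the "emergency mode" text of squidGuard's log line. The sample list entries and log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or the squidGuard project).
# Catches the list-format mistakes that make squidGuard fail open, and detects
# emergency mode in its log. Assumptions: POSIX sh, awk, grep, mktemp; paths are
# parameters; the sample data below is constructed.

sg_lint_domains() {
  # usage: sg_lint_domains <domains-file>
  # Entries must be bare host names: no scheme, no path, no port, no whitespace.
  # Prints "file:line: entry" for each offender; returns 1 if any were found.
  awk '
    /^[[:space:]]*(#|$)/ { next }                 # blank lines and comments are fine
    /\// || /:/ || /[[:space:]]/ { print FILENAME ":" NR ": " $0; bad++; next }
    END { if (bad) exit 1 }' "$1"
}

sg_lint_urls() {
  # usage: sg_lint_urls <urls-file>
  # Entries are host/path without a scheme, e.g. foo.com/~adult.
  awk '
    /^[[:space:]]*(#|$)/ { next }
    /:\/\// || !/\// || /[[:space:]]/ { print FILENAME ":" NR ": " $0; bad++; next }
    END { if (bad) exit 1 }' "$1"
}

sg_in_emergency_mode() {
  # usage: sg_in_emergency_mode <squidGuard.log>
  # Returns 0 if squidGuard has reported emergency mode, i.e. filtering is OFF.
  grep -qi 'emergency mode' "$1"
}

# Constructed samples: two good entries and two bad ones in each list
SG_SAMPLE_DOMAINS='adult_content.com
naughty.com
http://bad.example
sexy.example/gallery'

SG_SAMPLE_URLS='foo.com/~adult
bar.com/img/sexy
http://foo.com/x
nopath.example'

# Constructed log excerpt in squidGuard's log layout
SG_SAMPLE_LOG='2010-02-15 10:00:01 [1234] init domainlist /usr/local/squidGuard/db/bar_adult/domains
2010-02-15 10:00:01 [1234] squidGuard ready for requests (1266228001.345)
2010-02-15 10:05:00 [1240] squidGuard stopped (1266228300.012)
2010-02-15 10:05:00 [1240] Going into emergency mode'

demo() {
  d=$(mktemp); u=$(mktemp); l=$(mktemp)
  printf '%s\n' "$SG_SAMPLE_DOMAINS" > "$d"
  printf '%s\n' "$SG_SAMPLE_URLS" > "$u"
  printf '%s\n' "$SG_SAMPLE_LOG" > "$l"
  sg_lint_domains "$d" || echo "domains: fix the entries above before running squidGuard -C all"
  sg_lint_urls "$u"    || echo "urls: fix the entries above before running squidGuard -C all"
  sg_in_emergency_mode "$l" && echo "ALERT: squidGuard is in emergency mode - filtering is OFF"
  rm -f "$d" "$u" "$l"
}

demo
```

Run the two lint functions against /usr/local/squidGuard/db/bar_adult/domains and urls before squidGuard -C all, and put sg_in_emergency_mode /usr/local/squidGuard/log/squidGuard.log in a cron job: a filter that has silently switched itself off is worse than no filter, because nobody is looking.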

First we will compile the kernel.

proxy# cd /usr/src/sys/i386/conf/

Back up the kernel configuration file before editing it:

proxy# cp GENERIC GENERIC-BAK

Edit the GENERIC file with your favourite editor:

proxy# nano GENERIC

and add the options below.

This one is optional; it tells the kernel which CPU class to build for:

cpu I686_CPU

# For optimizing squid (System V message queues; Squid's diskd store uses them) #

options SYSVMSG
options MSGMNB=32768
options MSGMNI=164
options MSGSEG=8196
options MSGSSZ=512
options MSGTQL=2048

Add these lines below the device entries:

# For PF #

device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ # Class Based Queueing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queueing (PRIQ)
options ALTQ_NOPCC # Required for SMP build

After that:

proxy# config GENERIC
proxy# cd ../compile/GENERIC

(config prints the build directory it created; on older releases it is ../../compile/GENERIC instead, so cd to whatever config reports.)

proxy# make depend && make
proxy# make install

Reboot into the new kernel before continuing.

Install Squid

We need Perl:

proxy# cd /usr/ports/lang/perl5.10/
proxy# make install clean

Create the group and user that Squid will run as (pick a UID/GID that is free on your system), and the cache directory it will own:

proxy# pw group add squid -g 100
proxy# pw user add squid -u 100 -g squid -s /usr/sbin/nologin -d /usr/local/squid
proxy# mkdir -p /cache
proxy# chown -Rv squid:squid /cache
proxy# cd /usr/local/
proxy# fetch http://www.squid-cache.org/Versions/v3/3.0/squid-3.0.STABLE23.tar.bz2
proxy# tar -jxvf squid-3.0.STABLE23.tar.bz2
proxy# cd squid-3.0.STABLE23

proxy# ./configure --prefix=/usr/local/squid \
--enable-gnuregex \
--enable-async-io=24 --with-pthreads --with-aio --with-dl --with-aufs-threads=24 \
--enable-pf-transparent \
--enable-ipfw-transparent \
--enable-storeio=aufs \
--enable-removal-policies=heap \
--enable-delay-pools \
--enable-underscores \
--enable-http-violations \
--enable-unlinkd \
--enable-snmp \
--enable-useragent-log \
--enable-htcp \
--enable-ssl \
--enable-icmp \
--enable-poll \
--enable-arp-acl \
--enable-cache-digests \
--enable-kill-parent-hack \
--enable-large-cache-files \
--enable-follow-x-forwarded-for \
--enable-default-err-languages=English \
--enable-err-languages=English \
--disable-ident-lookups \
--disable-hostname-checks \
--disable-wccpv2 \
--disable-wccp && echo "Successful Done"

proxy# make && make install

After that, edit squid.conf to suit your needs (the directories named in access_log and cache_log must exist and be writable by the squid user):

proxy# ee /usr/local/squid/etc/squid.conf

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 192.168.10.0/27
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 8080 transparent
hierarchy_stoplist cgi-bin ?

cache_mem 6 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap LFUDA

cache_replacement_policy heap GDSF
cache_dir aufs /cache 10000 24 256
maximum_object_size 128 MB
cache_swap_low 90
cache_swap_high 95

access_log /var/log/squid/logs/access.log
cache_log /var/log/squid/logs/cache.log

coredump_dir /cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

cache_mgr webmaster@domainku.com-(0752-xxxxxx)
cachemgr_passwd squid-cache password
cache_effective_user squid
cache_effective_group squid

proxy# squid -z
2009/05/10 16:38:37| Creating Swap Directories

First check the configuration with the commands:

proxy# /usr/local/squid/sbin/squid -k parse
proxy# /usr/local/squid/sbin/squid -NCd1

Once the configuration checks out (stop the foreground instance first), start Squid normally:

proxy# /usr/local/squid/sbin/squid

and to apply a configuration change to a running Squid:

proxy# /usr/local/squid/sbin/squid -k reconfigure

To have everything start at every boot, add these parameters to /etc/rc.conf:

squid_enable="YES"
pf_enable="YES"

squid_enable is only honoured if an rc.d script for Squid is installed (the ports version provides one); a source build in /usr/local/squid does not install one, so alternatively put the command /usr/local/squid/sbin/squid in /etc/rc.local.

Then also add to /etc/rc.local, so that the squid user can query PF for the original destination of redirected connections in transparent mode:

chgrp squid /dev/pf && chmod g+rw /dev/pf
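As an added example that is not part of either original post, here is a complete /etc/pf.conf tying the NAT gateway rule from the PF post above to the transparent Squid built in this section with --enable-pf-transparent and http_port 8080 transparent. The piece neither post shows is the rdr rule: without it, LAN web traffic is only NATed out and "transparent" does nothing. rl0 and 192.168.1.0/24 come from the NAT post; the LAN interface name fxp0, the ssh rule and the default-deny policy are assumptions to adapt.

```pf
# /etc/pf.conf - added example: NAT gateway (PF post above) plus transparent
# redirect into Squid on this box (squid.conf: http_port 8080 transparent).
# rl0 and the LAN network come from the NAT post; fxp0 and the pass rules are assumed.

ext_if     = "rl0"              # upstream, 202.14.xxx.xxx
int_if     = "fxp0"             # assumed LAN interface, 192.168.1.1
lan        = "192.168.1.0/24"
squid_port = "8080"

set skip on lo0                 # the rdr target is 127.0.0.1, so never filter loopback
scrub in all

# NAT the LAN out through whatever address rl0 currently has
nat on $ext_if inet from $lan to any -> ($ext_if)

# Transparent proxy: send LAN port-80 traffic into Squid on this box.
# Filter rules below see the translated destination (127.0.0.1:8080).
rdr on $int_if inet proto tcp from $lan to any port 80 -> 127.0.0.1 port $squid_port

# Default deny; blocked packets go to pflog0 (pflog_enable="YES" in rc.conf)
block log all

# Drop packets arriving on the LAN interface with a source that does not belong there
antispoof quick for $int_if inet

# LAN side: the redirected web traffic, ssh to the gateway, and everything else the LAN sends out
pass in on $int_if inet proto tcp from $lan to 127.0.0.1 port $squid_port keep state
pass in on $int_if inet proto tcp from $lan to $int_if port 22 keep state
pass in on $int_if inet from $lan to any keep state

# Upstream: only outbound connections (Squid's fetches and NATed LAN traffic), stateful
pass out on $ext_if inet keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf; pfctl -s nat shows the active nat and rdr rules and pfctl -s state the translations in use. Blocked packets can be watched with tcpdump -n -e -ttt -i pflog0 (or -r /var/log/pflog after the fact). Squid's own outbound fetches leave on rl0, not fxp0, so they do not loop back through the rdr rule; and the chgrp on /dev/pf above is what lets Squid ask PF where a redirected connection was originally headed.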