Harden Debian by Configuring Hard-end Network

Today's machines are commonly equipped with multiple network interfaces. When these interfaces are connected to the same network, each is allocated its own IP binding and operates independently, which means a single machine (host) can be identified by multiple IP addresses on that network. This is not desirable. This section guides you on how to harden Debian by configuring multiple network interfaces into a single bonded interface.

Identified Threats

These are the identified threats related to Debian Software.

(T-50) ICMP (Ping) Replies to Broadcast Request Is Not Ignored

By default, Debian does not ignore ICMP echo requests sent to broadcast addresses (e.g. addresses ending in .255).

(T-51) ICMP (Ping) Replies to Unicast Request Is Not Audited

By default, Debian allows ICMP requests for unicast addresses (direct ping).

(T-52) Bogus ICMP Errors Are Not Ignored

By default, Debian does not ignore bogus ICMP error responses.

(T-53) ICMP Redirects Are Always Accepted By Default

By default, Debian accepts ICMP redirects.

(T-54) ICMP Redirects Are Always Sent By Default

By default, Debian sends ICMP redirects.

(T-55) IP Packets Are Always Forwarded By Default

By default, Debian forwards IP packets.

(T-56) Martian Packets are Not Logged

By default, Martian packets (usually caused by bad routing or spoofed source addresses) are not logged.

(T-57) Strong-end Host Is Not Enforced

For machines with multiple network interfaces, the network topology must be reviewed for strong-end host model configuration.

(T-58) Firewall is Not Configured

By default, Debian does not set up firewall software or a firewall policy.

(T-59) Machine Is Susceptible to ARP-Based Attacks

By default, Debian relies on unauthenticated ARP packets to identify peers on the local area network.

Actions Required

Here is the list of actions to counter the issues.

Harden Network via Kernel Parameters

The first thing to do is to harden the network by creating /etc/sysctl.d/harden-networking.conf.

Among the recommended settings are:

# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

# Do not forward IP packets (we are not a router)
net.ipv4.conf.all.forwarding = 0
net.ipv6.conf.all.forwarding = 0

# Log Martian Packets
net.ipv4.conf.all.log_martians = 1

Depending on necessity, after the configuration file is created, one can either:

  1. perform "$ sysctl --system" as root to reload the kernel settings (note that a bare "$ sysctl -p" loads only /etc/sysctl.conf, not the files under /etc/sysctl.d/).
  2. restart the system (recommended).
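An added check, not part of the original guide: a POSIX sh function that confirms the drop-in is actually live in the running kernel by comparing each configured key with its file under /proc/sys. It assumes the file is at /etc/sysctl.d/harden-networking.conf as above; the ROOT argument exists only so the check can be exercised against a constructed directory.

```shell
#!/bin/sh
# audit_sysctl CONF [ROOT]
# Check that every "key = value" line in a sysctl(8) drop-in such as
# /etc/sysctl.d/harden-networking.conf is the live kernel value. The dotted
# key is mapped to a file under ROOT (default /proc/sys), e.g.
# net.ipv4.conf.all.log_martians -> /proc/sys/net/ipv4/conf/all/log_martians.
# Prints one line per key and returns 0 if all match, 1 if any differ or are
# missing (e.g. the file was written but never applied, or IPv6 is disabled).
# Keys containing interface names with dots (VLAN "eth0.10") are not handled.
audit_sysctl() {
    conf="$1"
    root="${2:-/proc/sys}"
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                               # drop comments
        case "$line" in *=*) ;; *) continue ;; esac      # skip blanks / junk
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            echo "MISSING  $key (no $path)"
            rc=1
            continue
        fi
        # kernel prints multi-value keys tab-separated; normalise to one space
        have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ $//')
        if [ "$have" = "$want" ]; then
            echo "OK       $key = $have"
        else
            echo "MISMATCH $key: configured $want, running $have"
            rc=1
        fi
    done < "$conf"
    return "$rc"
}

# Stand-alone use:
#   sh audit-sysctl.sh /etc/sysctl.d/harden-networking.conf
if [ "$#" -gt 0 ]; then
    audit_sysctl "$@"
fi
```

A non-zero exit after a reboot points at a typo in the file or a kernel that never loaded it, both of which leave the threats above unmitigated.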

Deploy ifenslave Bonding Driver For Multi-interfaces Network

Review the role of the machine (gateway, bridge, router, load balancer) for a possible strong-end host requirement. If so, configure the network topology accordingly using ifenslave (see Deploying Strong-End Host Network).

Deploy Firewall Policy

Review the firewall software (e.g. ufw) and apply the correct policy.

Review Then Deploy ARP Static Cache

One must review the necessity of implementing static ARP entries for this machine.

Then, he/she must review the local area network topology, identify the important machines together with their MAC addresses, and check the possibility of assigning static/reserved IP addresses to those machines. The outcome is a list of <MAC> <IP> bindings.

Then add each MAC-IP binding to /etc/ethers (create the file if it does not exist) as follows:

<MAC> <IP>
XX:XX:XX:XX:XX:XX 192.168.XXX.XXX
XX:XX:XX:XX:XX:XX 192.168.XXX.XXX
... 

Once completed, he/she can run "$ arp -f" as root (from net-tools; it reads /etc/ethers by default) to load these static entries into the local ARP cache. Entries loaded this way do not survive a reboot, so the command must be run again at boot.

Additionally, one can ensure that applications and services use some form of authenticated, encrypted transport so that a MitM attacker can be distinguished from legitimate correspondents.

That's all for hardening Debian by configuring hard-end network.