Reordering stuff to alphabetical order + SYN Cookies #359

Closed
wants to merge 4 commits into from

Conversation

joubbi (Contributor) commented Dec 26, 2020

Everything seems to be in random order, which makes it harder to read. I moved things around and might continue doing that if I find the time, while I try to figure out what this role actually does.

SYN cookies are not enabled. I think they should be.

CIS Benchmark:

3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
Profile Applicability:
 Level 1 - Server
 Level 1 - Workstation
Description:
When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the
half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN
cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the
SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that
encodes the source and destination IP address and port number and the time the packet
was sent. A legitimate connection would send the ACK packet of the three way handshake
with the specially crafted sequence number. This allows the system to verify that it has
received a valid response to a SYN cookie and allow the connection, even though there is no
corresponding SYN in the queue.
Rationale:
Attackers use SYN flood attacks to perform a denial of service attack on a system by
sending many SYN packets without completing the three way handshake. This will quickly
use up slots in the kernel's half-open connection queue and prevent legitimate connections
from succeeding. SYN cookies allow the system to keep accepting valid connections, even if
under a denial of service attack.
Audit:
Run the following commands and verify output matches:
sysctl net.ipv4.tcp_syncookies
net.ipv4.tcp_syncookies = 1
grep "net.ipv4.tcp_syncookies" /etc/sysctl.conf /etc/sysctl.d/*
net.ipv4.tcp_syncookies = 1

Signed-off-by: Farid Joubbi <farid@joubbi.se>
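The CIS audit quoted above greps every sysctl file and expects each hit to read `= 1`, but on a real host several files can assign `net.ipv4.tcp_syncookies` and only the one read last counts. The script below is an added example for this thread, not code from the dev-sec role or from this PR: it performs the 3.2.8 audit (live value from /proc/sys plus the persisted value) while resolving precedence the way procps-ng `sysctl --system` does, which is assumed here (drop-in directories in the listed order, `*.conf` files in sorted order, a basename already loaded skipped in later directories, `/etc/sysctl.conf` read last, last assignment of a key wins). The file tree it builds in `demo()` is constructed sample data; run it against `/` and `/proc/sys` on a host to audit for real.

```python
"""CIS 3.2.8 audit for net.ipv4.tcp_syncookies with precedence-aware resolution.

Added example, not code from the dev-sec role or this PR. Assumed load order is
the one procps-ng `sysctl --system` documents; sample trees are constructed.
"""
import os
import re
import tempfile

# Drop-in directories in the order sysctl --system reads them (procps-ng).
DROPIN_DIRS = (
    "etc/sysctl.d",
    "run/sysctl.d",
    "usr/local/lib/sysctl.d",
    "usr/lib/sysctl.d",
    "lib/sysctl.d",
)
MAIN_CONF = "etc/sysctl.conf"  # read after all drop-ins
KEY = "net.ipv4.tcp_syncookies"

# "net.ipv4.tcp_syncookies = 1" and "net/ipv4/tcp_syncookies=1" are both valid;
# a leading '-' tells sysctl to ignore errors for that key.
ASSIGN_RE = re.compile(r"^\s*-?\s*([\w./-]+)\s*=\s*(.*?)\s*$")


def parse_assignments(text):
    """Return [(key, value), ...] in file order, normalising '/' to '.'."""
    pairs = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = ASSIGN_RE.match(line)
        if m:
            pairs.append((m.group(1).replace("/", "."), m.group(2)))
    return pairs


def load_order(root="/"):
    """Files in the order sysctl --system reads them below root."""
    seen, files = set(), []
    for d in DROPIN_DIRS:
        path = os.path.join(root, d)
        if not os.path.isdir(path):
            continue
        for name in sorted(os.listdir(path)):
            if name.endswith(".conf") and name not in seen:
                seen.add(name)
                files.append(os.path.join(path, name))
    main = os.path.join(root, MAIN_CONF)
    if os.path.isfile(main):
        files.append(main)
    return files


def persisted_value(key, root="/"):
    """(value, file) of the assignment that wins for key, or (None, None)."""
    winner = (None, None)
    for path in load_order(root):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for k, v in parse_assignments(fh.read()):
                if k == key:
                    winner = (v, path)  # later assignment overrides earlier
    return winner


def runtime_value(key, procfs="/proc/sys"):
    """Live kernel value from /proc/sys, or None when it cannot be read."""
    try:
        with open(os.path.join(procfs, key.replace(".", "/"))) as fh:
            return fh.read().strip()
    except OSError:
        return None


def audit_syncookies(root="/", procfs="/proc/sys"):
    """Findings list; empty means both the live and the persisted value are 1."""
    findings = []
    live = runtime_value(KEY, procfs)
    if live != "1":
        findings.append(f"runtime {KEY} is {live!r}, expected '1'")
    saved, source = persisted_value(KEY, root)
    if saved != "1":
        findings.append(f"persisted {KEY} is {saved!r} in {source or 'no file'}, expected '1'")
    return findings


def _write(root, rel, content):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def demo(enable_override=True):
    """Constructed tree: a hardening drop-in sets 1; a later drop-in may set 0.

    A plain grep prints the '= 1' line from 10-hardening.conf either way; only
    the precedence-aware check reports that 50-local.conf wins when it sets 0.
    """
    root = tempfile.mkdtemp()
    _write(root, "etc/sysctl.d/10-hardening.conf", f"{KEY} = 1\n")
    if enable_override:
        _write(root, "etc/sysctl.d/50-local.conf", f"# local tuning\n{KEY} = 0\n")
    _write(root, "proc/sys/net/ipv4/tcp_syncookies", "1\n")  # fake live value
    return audit_syncookies(root, os.path.join(root, "proc/sys"))


if __name__ == "__main__":
    for finding in demo() or ["no findings"]:
        print(finding)
```

The runtime check matters on its own: a correct file is no proof the kernel has loaded it, and a correct live value is no proof it survives a reboot, which is why the CIS audit asks for both.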
rndmh3ro (Member) commented:

I like that.

As for the syncookie change: Can you please do that in another PR to not mix these issues? Also you have to remove it here then: https://github.com/dev-sec/ansible-collection-hardening/blob/master/roles/os_hardening/vars/Amazon.yml#L44
