Infinity

Disable TCP timestamps on Linux


A remote party can estimate the current uptime of a Linux machine from its TCP timestamps, so it's preferable to disable TCP timestamps on your systems. The less information attackers can get, the better off you are.

Sysctl

To dynamically disable TCP time stamping, run the following command:

root@thunderchicken:~# echo 0 > /proc/sys/net/ipv4/tcp_timestamps

To make that change permanent, though, you need to add the following line to /etc/sysctl.conf:

net.ipv4.tcp_timestamps = 0
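
The two sysctl steps above can drift apart: the runtime change is lost at reboot if the sysctl.conf line is missing, and a later line can override it. The following check is an added example, not part of the original post; the function names and the inclusion of /etc/sysctl.d/*.conf are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit net.ipv4.tcp_timestamps.

# Print the value of net.ipv4.tcp_timestamps that sysctl-style files would set.
# Files are read in argument order and the last assignment wins.
# Prints nothing when no readable file sets the key.
persisted_tcp_timestamps() {
    for f in "$@"; do
        if [ -r "$f" ]; then cat "$f"; fi
    done | awk '
        /^[ \t]*[#;]/ { next }              # comment lines start with # or ;
        {
            line = $0
            sub(/^[ \t]*-?/, "", line)      # a leading "-" means "ignore errors"
            n = index(line, "=")
            if (n == 0) next
            key = substr(line, 1, n - 1)
            val = substr(line, n + 1)
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/\//, ".", key)            # net/ipv4/... is accepted as well
            if (key == "net.ipv4.tcp_timestamps") last = val
        }
        END { if (last != "") print last }'
}

# Print the running kernel value; $1 overrides the /proc path (for testing).
runtime_tcp_timestamps() {
    cat "${1:-/proc/sys/net/ipv4/tcp_timestamps}" 2>/dev/null
}

# $1 = runtime value, $2 = persisted value. Returns 0 only when both are 0.
audit_tcp_timestamps() {
    case "$1:$2" in
        0:0) echo "OK: disabled now and after reboot"; return 0 ;;
        :*)  echo "UNKNOWN: could not read the runtime value"; return 1 ;;
        0:*) echo "DRIFT: disabled now but not persisted, reverts at reboot"; return 1 ;;
        *:0) echo "DRIFT: persisted as 0 but still enabled now, run sysctl -p"; return 1 ;;
        *)   echo "ENABLED: on at runtime and not disabled in config"; return 1 ;;
    esac
}

# Audit the live host. Reading /etc/sysctl.d/*.conf before /etc/sysctl.conf is
# an assumption about load order; the page itself only uses /etc/sysctl.conf.
audit_tcp_timestamps "$(runtime_tcp_timestamps)" \
    "$(persisted_tcp_timestamps /etc/sysctl.d/*.conf /etc/sysctl.conf)" || true
```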

To be on the safe side, add the following 2 lines to your firewall script:

iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP

NOTE: Disabling timestamps will negatively impact performance of TCP transfers over high BDP
links if the underlying system uses that information to adjust the receive window or transmit buffer.
For typical LAN applications, timestamp removal should have no impact. For WAN data transfer speeds
using network infrastructure where packet reordering or loss is possible (load balanced lines, wireless,
routing hardware with multiple concurrent transaction paths, etc), TCP timestamps, along with the other
RFC 1323 options and a current congestion control algorithm, should be used or performance will suffer.
TCP PAWS is also disabled if timestamps are disabled, which will negatively impact performance. Additionally,
the underlying OS should randomize the source timer at the beginning of the TCP session, rendering
the security concern moot. You will need to check your specific OS and patch level to verify that this is
functioning properly. Don't disable timestamps unless you understand the performance impact to the
applications involved.

 orig. post by: Rob Luce

This second example shows additional iptables setup

IPTables
Using the sysctl facility
To dynamically disable TCP time stamping, run the following command:
root@thunderchicken:~# echo 0 > /proc/sys/net/ipv4/tcp_timestamps
To make that change permanent, though, you need to add the following line to /etc/sysctl.conf:
net.ipv4.tcp_timestamps = 0

using a host-based firewall -- iptables
To be on the safe side, add the following basic IPTables configuration to your system:
Orig source: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-ip-tables-on-ubuntu-12-04
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p udp --dport 514 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 1984 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 13 -j DROP
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -L

apt-get install iptables-persistent
Answer “yes” to use the current configuration and “yes” to use IPv6 as well.

NOTE: You need to add all services on your system, this is just a basic template.


 

Date

05 June 2016

Categories

PCI DSS Compliance
