Disable TCP timestamps on Linux


It is possible to estimate the current uptime of a Linux machine remotely from its TCP timestamps, so it's preferable to disable them on your systems. The less information attackers can get, the better off you are.

Sysctl

To dynamically disable TCP time stamping, run the following command:

root@thunderchicken:~# echo 0 > /proc/sys/net/ipv4/tcp_timestamps

To make that change permanent though, you need to add the following line to /etc/sysctl.conf:

net.ipv4.tcp_timestamps = 0

To be on the safe side, add the following 2 lines to your firewall script:

iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP

NOTE: Disabling timestamps will negatively impact performance of TCP transfers over high BDP
links if the underlying system uses that information to adjust the receive window or transmit buffer.
For typical LAN applications, timestamp removal should have no impact. For WAN data transfer speeds
using network infrastructure where packet reordering or loss is possible (load balanced lines, wireless,
routing hardware with multiple concurrent transaction paths, etc), TCP timestamps, along with the other
RFC 1323 options and a current congestion control algorithm, should be used or performance will suffer.
TCP PAWS is also disabled if timestamps are disabled, which will negatively impact performance. Additionally,
the underlying OS should randomize the source timer at the beginning of the TCP session, rendering
the security concern moot. You will need to check your specific OS and patch level to verify that this is
functioning properly. Don't disable timestamps unless you understand the performance impact to the
applications involved.

 orig. post by: Rob Luce
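
An added example, not part of the original post: a shell audit that compares the runtime value of net.ipv4.tcp_timestamps with the value persisted in the sysctl configuration, so a change made only through /proc is caught before the next reboot. The function names and the --live switch are assumptions of this example; the meanings of the values 0, 1 and 2 follow the kernel's ip-sysctl documentation for current kernels.

```shell
#!/bin/sh
# Added example: audit net.ipv4.tcp_timestamps at runtime and in sysctl config.

# Print the last value assigned to net.ipv4.tcp_timestamps in the given files.
# Later assignments win, so files must be passed in the order they are loaded.
persisted_value() {
    [ "$#" -gt 0 ] || return 0
    cat "$@" 2>/dev/null | awk -F= '
        /^[ \t]*[#;]/ { next }                        # skip comment lines
        { key = $1; gsub(/[ \t]/, "", key); sub(/^-/, "", key) }
        key == "net.ipv4.tcp_timestamps" || key == "net/ipv4/tcp_timestamps" {
            val = $2; gsub(/[ \t]/, "", val); last = val
        }
        END { if (last != "") print last }'
}

# Meaning of each value per the kernel's ip-sysctl documentation (current kernels).
describe_value() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "enabled, random offset per connection" ;;
        2) echo "enabled, no random offset" ;;
        *) echo "not set or unreadable" ;;
    esac
}

# audit_tcp_timestamps RUNTIME_FILE CONF_FILE...
# Returns 0 if disabled now and after reboot, 1 if disabled only until reboot,
# 2 if timestamps are currently enabled.
audit_tcp_timestamps() {
    runtime_file=$1; shift
    runtime=$(cat "$runtime_file" 2>/dev/null | tr -d ' \t\n')
    persisted=$(persisted_value "$@")
    echo "runtime:   ${runtime:-?} ($(describe_value "$runtime"))"
    echo "persisted: ${persisted:-?} ($(describe_value "$persisted"))"
    if [ "$runtime" != "0" ]; then return 2; fi
    if [ "$persisted" != "0" ]; then return 1; fi
    return 0
}

# Live check, only when asked for: sh audit.sh --live
# Assumption: only /etc/sysctl.d/*.conf and then /etc/sysctl.conf are read.
if [ "${1:-}" = "--live" ]; then
    audit_tcp_timestamps /proc/sys/net/ipv4/tcp_timestamps \
        /etc/sysctl.d/*.conf /etc/sysctl.conf
fi
```

A return code of 1 means the echo into /proc was done but the sysctl.conf line is missing or overridden by a later assignment.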

This second example shows additional iptables setup

IPTables

Using the sysctl facility

To dynamically disable TCP time stamping, run the following command:

root@thunderchicken:~# echo 0 > /proc/sys/net/ipv4/tcp_timestamps

To make that change permanent though, you need to add the following line to /etc/sysctl.conf:

net.ipv4.tcp_timestamps = 0

Using a host-based firewall -- iptables

To be on the safe side, add the following basic IPTables configuration to your system:

Orig source: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-ip-tables-on-ubuntu-12-04

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p udp --dport 514 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 1984 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 13 -j DROP
iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -L

apt-get install iptables-persistent
Answer “yes” to use the current configuration and “yes” to use IPv6 as well.

NOTE: You need to add all services on your system; this is just a basic template.


 

Date

05 June 2016

Tags

PCI DSS Compliance
