[Tails-dev] Ethtool & sysctl.conf hardening per Cryptostorm

Delete this message

Reply to this message
Author: Dr. Killswitch, D.V.M.
Date:  
To: tails-dev
Subject: [Tails-dev] Ethtool & sysctl.conf hardening per Cryptostorm

Intrigeri asked for this in another thread, I think it's complex/important
enough to launch a new thread to cover it.

Around the beginning of 2015 some of the Cryptostorm people encountered a
serious piece of espionage-ware. What they were reporting sounded kinda
nuts, but then Kaspersky reported the same thing, and identified the tool
in use as "Duqu Bet", with bet being the second letter in the Hebrew
alphabet.

http://www.wired.com/2015/06/kaspersky-finds-new-nation-state-attack-network/

The RAT itself made use of the Xen hypervisor features in current Linux
kernels and it burrows in deep, so much so that hard drives with infected
firmware got hammered to bits and then discarded.

There are some network level hardening methods that were required to shut
down access. These include some tweaks with ethtool to shut down TCP
offloading to NICs. The initial attacks that install the tool depend on
the ability to slip 302 redirects into the target's normal http traffic.

Here are the parameters used for ethtool and the descriptions after came
from a system where I applied this.

ethtool -K eth0 rx off tx off sg off tso off ufo off gso off gro off lro off

rx-checksumming: off

tx-checksumming: off

scatter-gather: off

tcp-segmentation-offload: off

udp-fragmentation-offload: off

generic-segmentation-offload: off

generic-receive-offload: off

large-receive-offload: off


This is a recent version of sysctl.conf parameters that also work to
thwart midpoint interception/corruption.

# # # #
# cryptostorm client-side *nix sysctl.conf kernel parameters
# (with a heavy focus on network-centric hardening & refinement)
# version: cryptohaven01{very-early-beta}
# # #
# this is a work in progress, so if you see bugs or improvements...
# make a note at https://github.com/cryptostorm so we can make it better
# # #
# NOTE: some seriously unorthodox stuff in here, fair warning
# primary goal is protection against injected packet attack models
# see http://darkweb.science for additional details wrt CIN weapons-systems
# # #
# ps: Free Chelsea. Now.
# # # #

kernel.domainname = cryptohaven01
net.ipv4.ip_local_port_range = 2000     65000


# fuck ip6
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.lo.disable_ipv6=1

# syncookies are not useful nowadays and have privacy risks, so disable
net.ipv4.tcp_syncookies=0

# tighten up standards for when to dump or refuse to instantiate TCP sessions
net.ipv4.tcp_sack=0
net.ipv4.tcp_timestamps=1
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_syn_retries=2
net.ipv4.tcp_window_scaling=0
net.ipv4.tcp_fin_timeout=15
net.ipv4.tcp_keepalive_time=42
net.ipv4.tcp_max_tw_buckets=777
net.ipv4.tcp_max_syn_backlog=666

# packet fragmentation constraints, pretty much super-paranoid settings
net.ipv4.ipfrag_high_thresh=4194
net.ipv4.ipfrag_low_thresh=3145
net.ipv4.ipfrag_max_dist=24
net.ipv4.ipfrag_secret_interval=99
net.ipv4.ipfrag_time=30

# tighten up kernel-defined auto-tuning TCP buffer limits
net.core.rmem_max=8388608
net.core.wmem_max=8388608
net.core.netdev_max_backlog=5000

# NIC bindings and other topopological hygeine
net.ipv4.ip_no_pmtu_disc=0
net.ipv4.ip_nonlocal_bind=0
net.ipv4.ip_forward=0
net.ipv4.ip_default_ttl=86
net.ipv4.ip_dynaddr=0
net.ipv4.ip_early_demux=1
net.ipv4.ip_forward_use_pmtu=0

# not routing redirected ICMP packets, in or out
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.lo.accept_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.lo.send_redirects=0

# Do not accept packets using 'source route' function to convince us
they're legit, 'cause prolly not
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.lo.accept_source_route=0

# spoof protection heuristic, viz. 'validation by reversed path' (as
specified in RFC1812)
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.lo.rp_filter=1

# esoteric metaparameters
kernel.sysrq=0
kernel.exec-shield=1
net.ipv4.fwmark_reflect=0
kernel.randomize_va_space=1
net.ipv4.igmp_max_memberships=13
net.ipv4.igmp_max_msf=10

# kernel packet logging mechanics
kernel.core_uses_pid=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.lo.log_martians=1

# not interested in replying to pings... pretty much ever
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_ratelimit=42
net.ipv4.icmp_ratemask=68
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_errors_use_inbound_ifaddr=1

# still fine-tuning these, tbh
net.ipv4.inet_peer_maxttl=300
net.ipv4.inet_peer_minttl=120
net.ipv4.inet_peer_threshold=6566
net.ipv4.conf.all.igmpv2_unsolicited_report_interval=10000
net.ipv4.conf.all.igmpv3_unsolicited_report_interval=1000
net.ipv4.conf.all.medium_id=0
net.ipv4.conf.all.promote_secondaries=0

# ARP-y paranoia on the LAN, guey
net.ipv4.conf.all.accept_local=0
net.ipv4.conf.all.route_localnet=0
net.ipv4.conf.all.src_valid_mark=0
net.ipv4.conf.all.arp_accept=0
net.ipv4.conf.all.arp_announce=0
net.ipv4.conf.all.arp_ignore=0
net.ipv4.conf.all.arp_notify=0
net.ipv4.conf.all.bootp_relay=0
net.ipv4.conf.all.disable_policy=0
net.ipv4.conf.all.disable_xfrm=1
net.ipv4.conf.all.mc_forwarding=0

# some kernel-hardening stuff, 27 May 2015 ~pj
net.ipv4.conf.all.proxy_arp_pvlan=0
net.ipv4.conf.default.proxy_arp_pvlan=0
net.ipv4.conf.all.proxy_arp=0
net.ipv4.conf.default.proxy_arp=0
net.ipv4.conf.all.arp_filter=1
net.ipv4.conf.default.arp_filter=1
net.ipv4.conf.all.shared_media=0
net.ipv4.conf.default.shared_media=0

# deprecated?
net.ipv4.conf.all.tcp_tw_reuse=0
net.ipv4.conf.default.tcp_tw_reuse=0
net.ipv4.all.tcp_tw_recycle=0
net.ipv4.default.tcp_tw_recycle=0


## flush routes & c-ya :-)
net.ipv4.route.flush=1