334.1 Network Hardening (weight: 4)

Tech Tutorial: 334.1 Network Hardening (weight: 4) #

Introduction #

Network hardening is a critical task for enhancing the security of a computer network. This process involves taking proactive steps to secure the infrastructure by reducing the surface of vulnerability, which includes the enforcement of policies, the application of patches, and the management of network devices securely.

In this tutorial, we will delve into various Linux utilities and practices that contribute to network hardening. We will cover key knowledge areas and provide detailed examples using specific utilities to demonstrate how to secure a Linux network environment effectively.

Key Knowledge Areas: #

  • Secure network configuration
  • Host security
  • Firewall configuration and maintenance
  • TCP/IP stack hardening

Utilities: #

  • iptables
  • nftables
  • sysctl
  • tcpdump
  • netstat
  • ss
  • openssl

Step-by-Step Guide #

1. Firewall Configuration Using iptables and nftables #

Firewalls are the first line of defense in network security. They control incoming and outgoing network traffic based on predetermined security rules.

iptables #

iptables is a traditional tool for setting up, maintaining, and inspecting the tables of IP packet filter rules in the Linux kernel. Here is an example of how to drop all incoming traffic except SSH (port 22):

# Set default chain policies
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

# Allow SSH access
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow loopback access
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow established and related incoming connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

nftables #

nftables is a newer tool that replaces iptables. Here’s how you can achieve similar rules with nftables:

# Define a table for inet family
sudo nft add table inet filter

# Add chains to the table
sudo nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
sudo nft add chain inet filter forward { type filter hook forward priority 0 \; policy drop \; }
sudo nft add chain inet filter output { type filter hook output priority 0 \; policy accept \; }

# Allow SSH
sudo nft add rule inet filter input tcp dport 22 accept

# Allow loopback
sudo nft add rule inet filter input iif lo accept

# Allow established and related connections
sudo nft add rule inet filter input ct state related,established accept

2. TCP/IP Stack Hardening #

The TCP/IP stack can be hardened using the sysctl tool to adjust kernel parameters related to network operations:

# Prevent SYN flood attacks
sudo sysctl -w net.ipv4.tcp_syncookies=1

# Ignore ICMP echo requests (disable ping)
sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1

# Log suspicious packets (e.g., malformed headers, wrong addresses)
sudo sysctl -w net.ipv4.conf.all.log_martians=1

3. Monitoring and Auditing Network Traffic #

tcpdump #

tcpdump is a powerful command-line packet analyzer. Here’s how to capture packets on a specific interface:

# Capture packets on eth0
sudo tcpdump -i eth0

netstat and ss #

Both netstat and ss are used to display network connections, routing tables, and interface statistics.

# Display all active connections with netstat
netstat -tulpan

# Using ss to display sockets
ss -tulpan

4. Using OpenSSL for Testing #

openssl is a robust tool for SSL/TLS management. It can be used to test and debug SSL connections.

# Test SSL connection to a server
openssl s_client -connect example.com:443

Conclusion #

Network hardening is an essential aspect of maintaining the security integrity of a network. This tutorial covered various tools and commands that help in securing a Linux-based network. Regular updates, monitoring, and strict configurations as demonstrated should help in maintaining a robust security posture. Be sure to continuously update your knowledge and tools to protect against emerging threats in the network security landscape.