Information security has increasingly become critically important at all levels, from small to medium-sized businesses, enterprises, universities and even home users. With modern like ransomware and other malicious software it is more crucial than ever to frequently back up your data. Therefore, it is as essential that the server that is responsible for facilitating backups in your environment is itself protected.
Disabling ICMP Redirects
Malicious users can use specially crafted ICMP request messages to launch Denial of Service attacks against the network. If ICMP redirects are not used in your network architecture to update route tables and the backup server is not also acting as a router or a gateway: then ICMP Redirect accept and send messages should be disabled on the backup server.
It is simple to disable ICMP redirection in Linux (and many other Unix-like operating systems) by means of the proc filesystem (procfs), and procfs itself is easiest to work with through an interface like sysctl.
Disabling ICMP Redirects Accept and Send at runtime for all interfaces is done with sysctl by issuing the following commands.
Disabling ICMP Redirects for IPv4 During Runtime:
Root@host# /sbin/sysctl -w net.ipv4.conf.all.accept_redirects = 0
Root@host# /sbin/sysctl -w net.ipv4.conf.all.send_redirects = 0
Disabling ICMP Redirects for IPv6 During Runtime:
Root@host# /sbin/sysctl -w net.ipv6.conf.all.accept_redirects = 0
Root@host# /sbin/sysctl -w net.ipv6.conf.all.send_redirects = 0
If you wished to specify an interface, e.g. eth0, then you would replace ‘all’ in the above examples with the name of the specific interface. I.e.:
Root@host# /sbin/sysctl -w net.ipv4.conf.eth0.accept_redirects = 0
Disabling ICMP dynamically during runtime is a somewhat poor method because changes will not be persistent to a reboot. It is better to modify the /etc/sysctl.conf file for a permanent change if ICMP redirects accept and send is not required. Note: as mentioned above, any instance of ‘all’ can be replaced with the name of a specific network interface in the following examples.
Modifying sysctl.conf for RHEL-like and SLES-like operating systems:
# For IPv4
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# For IPv6
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.send_redirects = 0
Modifying sysctl.conf for Ubuntu and Debian-like operating systems:
# For IPv4
net/ipv4/conf/all/accept_redirects = 0
net/ipv4/conf/all/send_redirects = 0
# For IPv6
net/ipv6/conf/all/accept_redirects = 0
net/ipv6/conf/all/send_redirects = 0
It is possible to modify the sysctl.conf and update the settings during runtime without a reboot by means of “loading” the sysctl.conf file with the command:
Root@host# /sbin/sysctl -p
For additional documentation on procfs and/or sysctl please refer to their respective man pages on your system.
Some concerns you may have if using an older version of Amanda Enterprise include:
X.509 Server Certificates
Zmanda does not come packaged with an X.509 server certificate. If a user wishes to implement an X.509 certificate then it will need to be purchased or otherwise generated for use with the Apache HTTP Server.
httpd.conf
In some older versions of Zmanda you may find that the Set-Cookie HTTP response header is missing HttpOnly.
Add following entry in httpd.conf:
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Restart the ZMC using: /etc/init.d/zmc_aee restart
ssl.conf
In older versions of Zmanda you may want to increase the strength of ciphers that are used, and enforce their priority. Find the following line in ssl.conf and either comment it out or remove it:
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:RC4+RSA:+HIGH
With the previous line commented out or removed, add the following two lines:
SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
For additional information regarding available ciphers, and to ensure that your configuration complies with your security policy: be sure to check the documentation from OpenSSL.org.
