pfSense disable TCP timestamps RFC1323
-
Hi,
After a vulnerability scan on a pfSense server 2.3.2-RELEASE (amd64), I need to mitigate this vulnerability: "It was detected that the host implements RFC1323."
Any idea?
Thanks,
Stefani
-
And who/what says that should be off?
[2.3.2-RELEASE][root@pfsense.local.lan]/root: sysctl net.inet.tcp.rfc1323
net.inet.tcp.rfc1323: 1
[2.3.2-RELEASE][root@pfsense.local.lan]/root:
You should be able to adjust that in the tunable section..
-
Hello,
OSSIM - Vulnerability Scan detects "host implements RFC1323" as a vulnerability.
Vulnerability Detection Result:
It was detected that the host implements RFC1323.
Insight:
The remote host implements TCP timestamps, as defined by RFC1323.
Summary:
The remote host implements TCP timestamps and therefore allows to compute the uptime.
Solution:
To disable TCP timestamps on linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.
-
It is also a very useful thing ;) The risk is pretty freaking low!! An attacker might be able to take a guess at how long the system has been up. So from that, if you leave your systems up for years and years, I guess possibly they could tell if you have applied, say, a patch..
So if you ask me, that would be some attempt at security via obscurity, which as we all know is not security..
I do believe in PCI compliance it is considered a very low risk even. Been a while since I had to do anything of that nature..
Is this some work thing where you got scanned and the boss is saying take care of these items? Or did you scan yourself and are following advice without understanding the specific risk and why they list it as an issue in the first place?
I would highly suggest you do some research on the validity of turning off settings like these for security reasons; it could have issues with your overall performance, etc. Quite often the security reasoning is really really flimsy..
edit: pfSense is not Linux ;) You can make such settings in System / Advanced / System Tunables.
If I am not mistaken, without timestamps you don't have protection against sequence number wrapping.. My advice: don't just do everything some scanner says is a security vulnerability.
-
From a quick search, it looks like PF packet scrubbing randomizes the RFC1323 timestamp. I see this for sure with OpenBSD documentation, but I found a reference to a FreeBSD config option to disable scrubbing if you need RFC1323 not manipulated.
-
Also make sure you are actually scanning the firewall for that. Frequently, when people find results that look abnormal, they realize later they are hitting a port forward/NAT reflection and are getting a result from their internal server and NOT from pfSense itself.
Also many things you see referenced from the IP stack in sysctl only affect traffic that terminates at the firewall, not traffic that passes through.
-
RFC1323, when disabled, also disables large TCP windows, which would cause performance issues when pfSense is the end point, e.g. when a VPN is configured. The so-called security issue with timestamps is nothing important to worry about.
-
RFC1323, when disabled, also disables large TCP windows, which would cause performance issues when pfSense is the end point, e.g. when a VPN is configured. The so-called security issue with timestamps is nothing important to worry about.
I had to look this up. TCP window scaling requires timestamps to protect against certain corner cases. Like chrcoluk said, disabling timestamps will limit your TCP window to at most 64KiB.