Based on the results of a security scan, someone suggested we block ICMP timestamp & timestamp reply messages using the firewall (CVE-1999-0524). I have already set up some basic IP filtering for SSH and allowed HTTPS using firewalld, but this one has me confused.
The only thing I can think of is firewall-cmd --add-icmp-block, but I cannot find an icmptype that seems related to timestamp or timestamp reply.
The available types (firewall-cmd --get-icmptypes) are as follows:
    destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded
How do I block ICMP timestamp requests using firewalld?
    # firewall-cmd --get-icmptypes
    destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded timestamp-reply timestamp-request
The parser (/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.py) is not limited to these types and allows extension:
First, from man iptables-extensions(8), section icmp:
    icmp (IPv4-specific)
        This extension can be used if `--protocol icmp' is specified. It provides the following option:
        [!] --icmp-type {type[/code]|typename}
    icmp6 (IPv6-specific)
        This extension can be used if `--protocol ipv6-icmp' or `--protocol icmpv6' is specified. It provides the following option:
        [!] --icmpv6-type type[/code]|typename
The two types you mention are IPv4-specific, so you should find out the corresponding names iptables recognizes with the following:
    # iptables -p icmp -h | grep timestamp
    timestamp-request
    timestamp-reply
Now, if you check the contents of the firewalld package, you will find where the predefined ICMP types are stored:
    # rpm -ql firewalld | grep icmptype
    /etc/firewalld/icmptypes
    /usr/lib/firewalld/icmptypes/destination-unreachable.xml
    /usr/lib/firewalld/icmptypes/echo-reply.xml
    /usr/lib/firewalld/icmptypes/echo-request.xml
    /usr/lib/firewalld/icmptypes/parameter-problem.xml
    /usr/lib/firewalld/icmptypes/redirect.xml
    /usr/lib/firewalld/icmptypes/router-advertisement.xml
    /usr/lib/firewalld/icmptypes/router-solicitation.xml
    /usr/lib/firewalld/icmptypes/source-quench.xml
    /usr/lib/firewalld/icmptypes/time-exceeded.xml
    /usr/lib/firewalld/xmlschema/icmptype.xsd
    /usr/share/man/man5/firewalld.icmptype.5.gz
If you check the parser referenced above, you will see that when talking to iptables it uses the XML file name as the ICMP type, so you need to write two new files for the ICMP types you want, named after the ICMP type names found above. User-created ICMP types should be stored in /etc/firewalld/icmptypes.
    # cat timestamp-request.xml
    <?xml version="1.0" encoding="utf-8"?>
    <icmptype>
      <short>Timestamp Request</short>
      <description>This message is used for time synchronization.</description>
      <destination ipv4="yes"/>
      <destination ipv6="no"/>
    </icmptype>
    # cat timestamp-reply.xml
    <?xml version="1.0" encoding="utf-8"?>
    <icmptype>
      <short>Timestamp Reply</short>
      <description>This message is used to reply to a timestamp message.</description>
      <destination ipv4="yes"/>
      <destination ipv6="no"/>
    </icmptype>
You end up with:
    # ll -Z /etc/firewalld/icmptypes
    -rw-r--r--. root root system_u:object_r:firewalld_etc_rw_t:s0 timestamp-reply.xml
    -rw-r--r--. root root system_u:object_r:firewalld_etc_rw_t:s0 timestamp-request.xml
Validate them with the provided XSD:
    # xmllint --noout --schema /usr/lib/firewalld/xmlschema/icmptype.xsd timestamp-request.xml
    timestamp-request.xml validates
    # xmllint --noout --schema /usr/lib/firewalld/xmlschema/icmptype.xsd timestamp-reply.xml
    timestamp-reply.xml validates
Reload the firewall:
    # firewall-cmd --reload
Finally, add them:
    # firewall-cmd --add-icmp-block=timestamp-request
    # firewall-cmd --add-icmp-block=timestamp-reply
    # firewall-cmd --list-icmp-blocks
    timestamp-reply timestamp-request
You can check that they have been added by looking directly at the iptables rules:
    # iptables -nvL | grep icmp
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
        0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
        0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 13 reject-with icmp-host-prohibited
        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 14 reject-with icmp-host-prohibited
        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 13 reject-with icmp-host-prohibited
        0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 14 reject-with icmp-host-prohibited
Types 13 and 14 are the newly added ICMP types.
For reference, you can read the firewalld.icmptype(5) man page.
These ICMP types are now included upstream.
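The whole procedure from the answer above as one script, added here as an example and not part of the original answer. It assumes the default firewalld paths the answer shows, takes the icmptypes directory as a parameter so the XML generation can be tried anywhere, and uses --permanent so the blocks survive a reload (a runtime --add-icmp-block alone is lost on the next --reload).

```shell
#!/bin/sh
# Added example: define the two IPv4-only ICMP types, check them, and block
# them permanently with firewalld. Assumes the default paths from the answer.
set -eu

# Write one icmptype definition. Args: dir name short description
# The file name is the ICMP type name firewalld passes to iptables, so it
# must be a name listed by `iptables -p icmp -h`.
write_icmptype() {
    dir=$1; name=$2; short=$3; desc=$4
    cat > "$dir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<icmptype>
  <short>$short</short>
  <description>$desc</description>
  <destination ipv4="yes"/>
  <destination ipv6="no"/>
</icmptype>
EOF
}

# Sanity check a definition: IPv4-only and named after one of the two
# timestamp types iptables knows. Returns 0 on success, 1 otherwise.
check_icmptype() {
    file=$1; name=$(basename "$file" .xml)
    grep -q '<destination ipv4="yes"/>' "$file" || return 1
    grep -q '<destination ipv6="no"/>' "$file" || return 1
    case $name in timestamp-request|timestamp-reply) return 0 ;; esac
    return 1
}

# Full procedure; the firewalld steps are skipped where firewall-cmd is absent.
block_icmp_timestamps() {
    dir=${1:-/etc/firewalld/icmptypes}
    xsd=/usr/lib/firewalld/xmlschema/icmptype.xsd
    write_icmptype "$dir" timestamp-request "Timestamp Request" \
        "This message is used for time synchronization."
    write_icmptype "$dir" timestamp-reply "Timestamp Reply" \
        "This message is used to reply to a timestamp message."
    for f in "$dir"/timestamp-request.xml "$dir"/timestamp-reply.xml; do
        check_icmptype "$f"
        if command -v xmllint >/dev/null && [ -r "$xsd" ]; then
            xmllint --noout --schema "$xsd" "$f"   # schema validation as in the answer
        fi
    done
    command -v firewall-cmd >/dev/null || return 0
    firewall-cmd --reload                            # pick up the new type definitions
    firewall-cmd --permanent --add-icmp-block=timestamp-request
    firewall-cmd --permanent --add-icmp-block=timestamp-reply
    firewall-cmd --reload                            # permanent blocks take effect on reload
    iptables -nvL | grep -E 'icmptype 1[34] '        # fails (exit 1) if types 13/14 are not rejected
}
```

Run it as root with no argument on the firewalld host; with a directory argument it only generates and checks the XML, which is useful for testing the definitions before installing them.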