Patch for Linux kernel 2.2.14 that discards TCP packets carrying flag combinations commonly used by OS-detection tools to probe the TCP/IP stack, and can additionally suppress ICMP port-unreachable replies for closed UDP ports. Optionally logs the dropped TCP packets.
9c0ecff20731cb815594f081b4d9b1b3f9c2d6985a5315b1fa95aec2c1ae3fcf
diff -urP linux/Documentation/Configure.help linux/Documentation/Configure.help
--- linux/Documentation/Configure.help Tue Jan 4 13:12:10 2000
+++ linux/Documentation/Configure.help Thu Feb 10 22:49:43 2000
@@ -1220,6 +1220,26 @@
If unsure, say Y.
+TCP stack options
+CONFIG_TCPIP_STACK
+ If you say Y here, note that these options are not enabled by
+ default; you can enable them by saying Y to "/proc filesystem
+ support" and "Sysctl support" below and executing the commands
+
+ echo 1 >/proc/sys/net/ipv4/tcp_ignore_ack
+ echo 1 >/proc/sys/net/ipv4/tcp_ignore_bogus
+ echo 1 >/proc/sys/net/ipv4/tcp_ignore_synfin
+ echo 1 >/proc/sys/net/ipv4/udp_ignore_pu
+
+ at boot time after the proc filesystem has been mounted.
+
+ If security is more important, say Y.
+
+Log all packets with bad tcp flags
+CONFIG_TCPIP_STACK_LOG
+ This turns on a logging facility that logs all tcp packets with
+ bad flags. If you said Y to "TCP stack options", say Y.
+
Sun floppy controller support
CONFIG_BLK_DEV_SUNFD
This is support for floppy drives on Sun SPARC workstations. Say Y
diff -urP linux/arch/i386/defconfig linux/arch/i386/defconfig
--- linux/arch/i386/defconfig Wed Aug 25 20:29:46 1999
+++ linux/arch/i386/defconfig Thu Feb 10 21:22:39 2000
@@ -117,6 +117,8 @@
# CONFIG_NET_IPGRE is not set
# CONFIG_IP_ALIAS is not set
# CONFIG_SYN_COOKIES is not set
+CONFIG_TCPIP_STACK=y
+CONFIG_TCPIP_STACK_LOG=y
#
# (it is safe to leave these untouched)
diff -urP linux/include/linux/sysctl.h linux/include/linux/sysctl.h
--- linux/include/linux/sysctl.h Tue Jan 4 13:12:25 2000
+++ linux/include/linux/sysctl.h Thu Feb 10 21:39:48 2000
@@ -227,7 +227,11 @@
NET_IPV4_ICMP_ECHOREPLY_RATE=63,
NET_IPV4_ICMP_IGNORE_BOGUS_ERROR_RESPONSES=64,
NET_IPV4_IGMP_MAX_MEMBERSHIPS=65,
- NET_IPV4_ALWAYS_DEFRAG=67
+ NET_IPV4_ALWAYS_DEFRAG=67,
+ NET_TCP_STACK_SYNFIN=68,
+ NET_TCP_STACK_BOGUS=69,
+ NET_TCP_STACK_ACK=70,
+ NET_UDP_PU=71
};
enum {
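Review bot: The new enumerators break the `NET_IPV4_` naming convention of the surrounding block (`NET_IPV4_ALWAYS_DEFRAG`, `NET_IPV4_IGMP_MAX_MEMBERSHIPS`), and `NET_UDP_PU` does not say what it controls. These values are the binary sysctl(2) interface and cannot be renumbered later, so the names should be right from the start: `NET_IPV4_TCP_IGNORE_SYNFIN=68,`, `NET_IPV4_TCP_IGNORE_BOGUS=69,`, `NET_IPV4_TCP_IGNORE_ACK=70,` and `NET_IPV4_UDP_IGNORE_PORT_UNREACH=71`. The table in sysctl_net_ipv4.c would need the same rename.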
diff -urP linux/net/ipv4/Config.in linux/net/ipv4/Config.in
--- linux/net/ipv4/Config.in Tue Oct 26 20:53:42 1999
+++ linux/net/ipv4/Config.in Thu Feb 10 22:43:26 2000
@@ -73,6 +73,10 @@
fi
fi
bool 'IP: TCP syncookie support (not enabled per default)' CONFIG_SYN_COOKIES
+bool 'IP: TCP stack options (not enabled per default)' CONFIG_TCPIP_STACK
+if [ "$CONFIG_TCPIP_STACK" = "y" ]; then
+ bool 'Log all packets with bad tcp flags' CONFIG_TCPIP_STACK_LOG
+fi
comment '(it is safe to leave these untouched)'
#bool 'IP: PC/TCP compatibility mode' CONFIG_INET_PCTCP
tristate 'IP: Reverse ARP' CONFIG_INET_RARP
diff -urP linux/net/ipv4/sysctl_net_ipv4.c linux/net/ipv4/sysctl_net_ipv4.c
--- linux/net/ipv4/sysctl_net_ipv4.c Tue Oct 26 20:53:42 1999
+++ linux/net/ipv4/sysctl_net_ipv4.c Thu Feb 10 22:24:53 2000
@@ -63,6 +63,10 @@
extern int sysctl_tcp_rfc1337;
extern int sysctl_tcp_syn_taildrop;
extern int sysctl_max_syn_backlog;
+extern int sysctl_tcp_ignore_synfin;
+extern int sysctl_tcp_ignore_bogus;
+extern int sysctl_tcp_ignore_ack;
+extern int sysctl_udp_ignore_pu;
/* From icmp.c */
extern int sysctl_icmp_destunreach_time;
@@ -172,6 +176,16 @@
#ifdef CONFIG_SYN_COOKIES
{NET_TCP_SYNCOOKIES, "tcp_syncookies",
&sysctl_tcp_syncookies, sizeof(int), 0644, NULL, &proc_dointvec},
+#endif
+#ifdef CONFIG_TCPIP_STACK
+ {NET_TCP_STACK_SYNFIN, "tcp_ignore_synfin",
+ &sysctl_tcp_ignore_synfin, sizeof(int), 0644, NULL, &proc_dointvec},
+ {NET_TCP_STACK_BOGUS, "tcp_ignore_bogus",
+ &sysctl_tcp_ignore_bogus, sizeof(int), 0644, NULL, &proc_dointvec},
+ {NET_TCP_STACK_ACK, "tcp_ignore_ack",
+ &sysctl_tcp_ignore_ack, sizeof(int), 0644, NULL, &proc_dointvec},
+ {NET_UDP_PU, "udp_ignore_pu",
+ &sysctl_udp_ignore_pu, sizeof(int), 0644, NULL, &proc_dointvec},
#endif
{NET_TCP_STDURG, "tcp_stdurg", &sysctl_tcp_stdurg,
sizeof(int), 0644, NULL, &proc_dointvec},
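Review bot: The `#ifdef CONFIG_TCPIP_STACK` guard around the four new table entries does not match the rest of the patch: the variables and the flag checks in tcp_ipv4.c and udp.c are compiled unconditionally, so a kernel built with CONFIG_TCPIP_STACK=n and CONFIG_SYSCTL=y still carries the filter code but has no /proc knob to enable it, and the extern declarations added at the top of this file remain live. Either gate the checks and variable definitions with the same `#ifdef CONFIG_TCPIP_STACK`, or drop the guard here so the knobs exist whenever the code does. A comment on the guard stating which of the two is intended would settle it for the next reader.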
diff -urP linux/net/ipv4/tcp_input.c linux/net/ipv4/tcp_input.c
--- linux/net/ipv4/tcp_input.c Tue Jan 4 13:12:27 2000
+++ linux/net/ipv4/tcp_input.c Thu Feb 10 21:48:39 2000
@@ -64,9 +64,15 @@
#include <linux/ipsec.h>
#ifdef CONFIG_SYSCTL
-#define SYNC_INIT 0 /* let the user enable it */
+#define SYNC_INIT 0 /* let the user enable these */
+#define TCP_SYNFIN 0
+#define TCP_BOGUS 0
+#define TCP_ACK 0
#else
#define SYNC_INIT 1
+#define TCP_SYNFIN 1
+#define TCP_BOGUS 1
+#define TCP_ACK 1
#endif
extern int sysctl_tcp_fin_timeout;
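Review bot: In the `#else` branch (no CONFIG_SYSCTL) `TCP_SYNFIN`, `TCP_BOGUS` and `TCP_ACK` are all defined to 1, so on a sysctl-less kernel the new filters are forced on whether or not CONFIG_TCPIP_STACK was selected, silently changing how such a kernel treats incoming TCP. Default them off unless the option was chosen, e.g. `#if defined(CONFIG_TCPIP_STACK) && !defined(CONFIG_SYSCTL)`, or leave them 0 and require the sysctl to enable them. The macro names also read like TCP flag constants rather than initial values; `TCP_IGNORE_SYNFIN_INIT` and friends, mirroring the existing `SYNC_INIT`, would say what they are.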
@@ -79,6 +85,10 @@
int sysctl_tcp_sack = 1;
int sysctl_tcp_syncookies = SYNC_INIT;
+int sysctl_tcp_ignore_synfin = TCP_SYNFIN;
+int sysctl_tcp_ignore_bogus = TCP_BOGUS;
+int sysctl_tcp_ignore_ack = TCP_ACK;
+
int sysctl_tcp_stdurg;
int sysctl_tcp_rfc1337;
diff -urP linux/net/ipv4/tcp_ipv4.c linux/net/ipv4/tcp_ipv4.c
--- linux/net/ipv4/tcp_ipv4.c Tue Jan 4 13:12:27 2000
+++ linux/net/ipv4/tcp_ipv4.c Thu Feb 10 21:51:38 2000
@@ -67,6 +67,9 @@
extern int sysctl_tcp_window_scaling;
extern int sysctl_tcp_sack;
extern int sysctl_tcp_syncookies;
+extern int sysctl_tcp_ignore_synfin;
+extern int sysctl_tcp_ignore_bogus;
+extern int sysctl_tcp_ignore_ack;
extern int sysctl_ip_dynaddr;
extern __u32 sysctl_wmem_max;
extern __u32 sysctl_rmem_max;
@@ -1735,6 +1738,21 @@
len < (th->doff * 4))
goto bad_packet;
+ if(sysctl_tcp_ignore_synfin) {
+ if(th->fin && th->syn)
+ goto tcp_bad_flags;
+ }
+
+ if(sysctl_tcp_ignore_bogus) {
+ if(!(th->ack || th->syn || th->rst))
+ goto tcp_bad_flags;
+ }
+
+ if(sysctl_tcp_ignore_ack) {
+ if(th->fin && th->psh && th->urg)
+ goto tcp_bad_flags;
+ }
+
#ifdef CONFIG_IP_TRANSPARENT_PROXY
if (IPCB(skb)->redirport)
sk = tcp_v4_proxy_lookup(th->dest, skb->nh.iph->saddr, th->source,
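Review bot: `sysctl_tcp_ignore_ack` gates a test for FIN+PSH+URG that never looks at the ACK bit, so the knob's name says something other than what it does; an administrator reading /proc/sys/net/ipv4/tcp_ignore_ack will expect it to concern ACK probes. Rename it after the flags it matches (`tcp_ignore_finpshurg`, or the common `tcp_ignore_xmas`) consistently in the sysctl table and help text, and put a one-line comment on each check naming the probe it targets. All three drops also go through `tcp_bad_flags` to `bad_packet`, which in stock 2.2 bumps `TcpInErrs` before discarding (label is outside the hunk); counting deliberately dropped probes as input errors muddies that counter, so consider a dedicated path straight to the discard label. tcp_v4_rcv begins before this hunk.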
@@ -1768,6 +1786,30 @@
__skb_queue_tail(&sk->back_log, skb);
return 0;
+
+#ifdef CONFIG_TCPIP_STACK_LOG
+tcp_bad_flags:
+ printk(KERN_INFO
+ "Packet log: badflag DENY %s PROTO=TCP %d.%d.%d.%d:%d "
+ "%d.%d.%d.%d:%d L=%hu:%u:%u S=0x%2.2hX I=%hu:%u:%u "
+ "T=%hu %c%c%c%c%c%c\n",
+ skb->dev->name, NIPQUAD(skb->nh.iph->saddr), ntohs(th->source),
+ NIPQUAD(skb->nh.iph->daddr), ntohs(th->dest),
+ ntohs(skb->nh.iph->tot_len), skb->len, skb->len - th->doff*4,
+ skb->nh.iph->tos, ntohs(skb->nh.iph->id), ntohl(th->seq),
+ ntohl(th->ack_seq), skb->nh.iph->ttl,
+ th->ack ? 'A' : '.',
+ th->syn ? 'S' : '.',
+ th->fin ? 'F' : '.',
+ th->rst ? 'R' : '.',
+ th->psh ? 'P' : '.',
+ th->urg ? 'U' : '.' );
+ goto bad_packet;
+
+#else
+tcp_bad_flags:
+ goto bad_packet;
+#endif
no_tcp_socket:
tcp_v4_send_reset(skb);
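Review bot: The `printk` at `tcp_bad_flags` fires once per matching packet with no rate limit, and which packets reach it is chosen by the remote sender, so the logging option hands any scanner a cheap way to flood the kernel log (and syslog disk) of the host it is probing. Wrap it as `if (net_ratelimit()) printk(KERN_INFO ...` — net_ratelimit() lives in net/core/utils.c in the 2.2 series; confirm it is present in this tree — or at least document the exposure in the CONFIG_TCPIP_STACK_LOG help. `skb->dev->name` is dereferenced without a check, which is safe only while this label is reached solely from the receive path where skb->dev is set; a comment saying so would keep a future caller from breaking that. The two `#ifdef`/`#else` copies of the label could be one `tcp_bad_flags:` with only the printk under `#ifdef CONFIG_TCPIP_STACK_LOG`. The function continues past the hunk at no_tcp_socket.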
diff -urP linux/net/ipv4/udp.c linux/net/ipv4/udp.c
--- linux/net/ipv4/udp.c Mon Aug 9 15:05:10 1999
+++ linux/net/ipv4/udp.c Thu Feb 10 22:31:34 2000
@@ -115,6 +115,12 @@
#include <net/route.h>
#include <net/checksum.h>
+#ifdef CONFIG_SYSCTL
+#define UDP_PU 0
+#else
+#define UDP_PU 1
+#endif
+
/*
* Snmp MIB for the UDP layer
*/
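Review bot: `UDP_PU` defaults to 1 when CONFIG_SYSCTL is off, so a sysctl-less kernel stops sending ICMP port-unreachable for every closed UDP port regardless of whether CONFIG_TCPIP_STACK was selected, and there is no way to turn it back on at runtime. Default it to 0 unconditionally, or condition the 1 on the option: `#if defined(CONFIG_TCPIP_STACK) && !defined(CONFIG_SYSCTL)`. A comment naming what the macro is, `/* initial value of sysctl_udp_ignore_pu */`, would also help, since `PU` alone is opaque.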
@@ -126,6 +132,8 @@
/* Shared by v4/v6 udp. */
int udp_port_rover = 0;
+int sysctl_udp_ignore_pu = UDP_PU;
+
static int udp_v4_get_port(struct sock *sk, unsigned short snum)
{
SOCKHASH_LOCK();
@@ -1132,8 +1140,10 @@
goto csum_error;
#endif
udp_statistics.UdpNoPorts++;
- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
-
+ if(!(sysctl_udp_ignore_pu)) {
+ icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
+ }
+
/*
* Hmm. We got an UDP broadcast to a port to which we
* don't wanna listen. Ignore it.
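Review bot: Suppressing `icmp_send(... ICMP_PORT_UNREACH ...)` affects every UDP peer, not only scanners: UDP-based traceroute to this host can no longer terminate, and legitimate clients that hit a closed port wait for their own timeout instead of failing immediately, yet neither effect is mentioned in the Configure.help text for `udp_ignore_pu`. State it in the help text and above the check, e.g. `/* Optionally stay silent on closed ports; breaks UDP traceroute and fast client failure. */`. Style: `if(!(sysctl_udp_ignore_pu))` carries redundant parentheses; kernel style is `if (!sysctl_udp_ignore_pu)`. `UdpNoPorts` is still incremented, so the suppressed replies remain observable locally, which is good. The enclosing function continues beyond the hunk.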