Linux TCP Flaw
Hi
So after reading this, I felt I should apply the fix to a CentOS 6 VPS that I have. http://www.zdnet.com/article/linux-tcp-flaw-lets-anyone-hijack-internet-traffic/
The article doesn't talk about CentOS or Red Hat, but I assume the problem is the same, and I'm hoping the solution is the same. However, that doesn't seem to be the case.
[root@vps ~]# uname -r
2.6.32-042stab108.7
[root@vps ~]# sysctl -a | grep ack_limit
net.ipv4.tcp_challenge_ack_limit = 100
[root@vps ~]# vi /etc/sysctl.conf
> Append
> net.ipv4.tcp_challenge_ack_limit = 999999999
> to end of file
[root@vps ~]# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
error: permission denied on key 'net.bridge.bridge-nf-call-ip6tables'
error: permission denied on key 'net.bridge.bridge-nf-call-iptables'
error: permission denied on key 'net.bridge.bridge-nf-call-arptables'
error: permission denied on key 'net.ipv4.tcp_challenge_ack_limit'
[root@vps ~]# sysctl -a | grep ack_limit
net.ipv4.tcp_challenge_ack_limit = 100
Am I getting "permission denied" because there is a different solution, because the problem doesn't apply to our VPS, or for some other reason?
Regards
Andrew Dent
10 thoughts on - Linux TCP Flaw
That's not a CentOS kernel; it's an OpenVZ kernel that is not provided by CentOS. The fixes and workarounds shown on the internet will not work with that kernel.
I suggest you find a better VPS provider; what you have is essentially a glorified chroot, not a real VPS, and there are many aspects of CentOS that are simply broken in that model.
Peter
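The procedure Andrew typed in above (append the key to /etc/sysctl.conf, run sysctl -p, re-check) and Peter's explanation of why it fails on an OpenVZ kernel can be scripted so that the outcome is unambiguous. The following is an added example written for this page; it is not code from the original thread, from CentOS, or from OpenVZ. The key name and the value 999999999 are the ones from Andrew's post; the exit codes (0 applied, 1 key absent, 2 write refused) are this script's own convention; the SYSCTL_ROOT override exists only so the functions can be exercised against a fake /proc/sys tree; and the refused-key parser assumes sysctl's message format with straight quotes, as in Andrew's output (the curly quotes on the page are an extraction artefact).

```sh
#!/bin/sh
# Added example, not from the original thread. Sets a sysctl key persistently
# and at runtime, and tells a refused write (kernel owned by the host, as in an
# OpenVZ container) apart from a key that simply does not exist.

# sysctl_conf_set FILE KEY VALUE
# Replace an existing "KEY = ..." line in FILE or append one; never duplicates,
# unlike blindly appending to the end of the file.
sysctl_conf_set() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for the regex
    if [ -f "$file" ] && grep -q "^[[:space:]]*${pat}[[:space:]]*=" "$file"; then
        sed "s|^[[:space:]]*${pat}[[:space:]]*=.*|${key} = ${value}|" "$file" > "$tmp"
    else
        if [ -f "$file" ]; then cat "$file"; fi > "$tmp"
        printf '%s = %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# sysctl_apply KEY VALUE
# Write VALUE into the key's file under /proc/sys (SYSCTL_ROOT overrides the
# root for testing). Exit codes are this script's convention (assumption):
#   0  value written and read back
#   1  key not present in this kernel at all
#   2  key present but the kernel refused the write: the host/provider owns
#      the kernel and has to apply the fix, as Peter describes for OpenVZ
sysctl_apply() {
    key=$1; value=$2
    path="${SYSCTL_ROOT:-/proc/sys}/$(printf '%s' "$key" | tr . /)"
    [ -e "$path" ] || { echo "$key: not present in this kernel" >&2; return 1; }
    if printf '%s\n' "$value" > "$path" 2>/dev/null; then
        echo "$key = $(cat "$path")"
        return 0
    fi
    echo "$key: write refused, still $(cat "$path"); the kernel owner must change it" >&2
    return 2
}

# refused_keys
# Read `sysctl -p` output on stdin and print only the keys the kernel refused,
# one per line, so the refusals are not lost among the successful lines.
refused_keys() {
    sed -n "s/^error: permission denied on key '\([^']*\)'.*/\1/p"
}

# Usage (as root): sh tcp_challenge_ack.sh --apply
# Without --apply nothing is touched, so the functions can be sourced or tested.
if [ "${1:-}" = "--apply" ]; then
    sysctl_conf_set /etc/sysctl.conf net.ipv4.tcp_challenge_ack_limit 999999999
    sysctl_apply net.ipv4.tcp_challenge_ack_limit 999999999
fi
```

Run with --apply on the VPS in question and exit code 2 is the diagnosis: the key is visible but not yours to change, so re-running sysctl -p or editing sysctl.conf cannot help and the host kernel is where the fix has to land.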
Not needed. This affects 3.6+ kernels. You don’t have one of those.
It affects RHEL6 which runs 2.6.32, they backported the features that it affects. If the above openvz kernel was based on a RHEL6 kernel (and I’d guess it was) then it’s affected.
Peter
If this feature was backported, then it surely may be the case although I’ve not seen any reference indicating that. If you wouldn’t mind including a link that indicates this, that would be appreciated.
Thanks, Barry
https://access.redhat.com/security/cve/cve-2016-5696 says CentOS 6 is affected.
I stand corrected. Thanks!
Barry
Thanks for the info Peter. The VPS is running on a Plesk environment.
Right, and in a Plesk environment there is only one kernel on the main machine, and all the VPS machines use it. So the hosting provider has to make all kernel mods.
Would a successful attack on the IP address of a VPS in a Plesk environment expose the VPS, the Virtual Host or both (and all other VPSs)?
It would “expose” the one individual TCP connection that was attacked.