Disable Tcp_timestamp : applicable to Web servers only or App & DB as well?

Posted on 2014-11-13
Last Modified: 2014-12-12
When the VA scanner scans & recommends disabling TCP_timestamp,
is this something we disable at the Web tier only, or does it need to be done at
App & DB too?    We can't do it at the LB level due to an impact.

Refer to:
http://www.tmltechnologies.com/html-2012/index.php/linux-rescue-kits/82-secret/91-disable-tcp-timestamps-on-linux
   Issue as root:
    # echo 0 > /proc/sys/net/ipv4/tcp_timestamps
          & to make it stay across reboots,
    add the following line to /etc/sysctl.conf:
        net.ipv4.tcp_timestamps = 0

Create Solaris iptables firewall rules as an additional enhancement:
   iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
   iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP

For Windows 2008 R2:
https://social.technet.microsoft.com/Forums/en-US/d4015aa9-0613-473e-8950-a3b3d3e72b04/i-have-security-vulnerability-tcp-timestamp-response-on-w2k3-w2k8-servers-how-to-fix-it?forum=winserversecurity     :
    Add & set the Tcp1323Opts value to 0 in the registry under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Also add the equivalent firewall rules in Windows & reboot the Windows server
Question by: sunhux

Author Comment by: sunhux (ID: 40442998)
From googling around, I noticed Tcp_timestamp disabling
is done on web servers only; is this correct, or ought it to
be done on app & DB servers as well?

Accepted Solution by: Neil Russell (earned 300 total points), ID: 40460143
Most admins consider that the risk/benefit of Tcp_timestamp disabling is just not worth it.  The "RISK" is very light; it does not provide an exploit in its own right, as I am sure you have read already.

It is ANY server that communicates with TCP that is "affected", not just web servers.

There can be unintended consequences that lead to a dramatic loss in performance, and as the "RISK" is that somebody will know how long your server has been on, or will know the OS you use, I would put a red line through it.

Risk assessment is not just about following all recommendations. It is about acknowledging that you have understood a "RISK" and made a business decision on the potential for loss versus the potential for loss in performance.
As I said, most consider the risk and mark it as "Noted".

Assisted Solution by: gheist (earned 200 total points), ID: 40460388
The best tuning advice would be to leave everything at defaults and don't fix what is not broken.

Some points:
1) Are timestamps derived from system time or random? In the second case there is no security advantage in disabling them.
2) Either way - is reading a timer or generating a few pseudo-random bits expensive on your system? Not on Linux on good hardware, but there are some bad seeds around, e.g. virtualisation.
3) Do you have more than two million in-flight packets to make use of the sequence number roll-over protection that timestamps offer (like a terabyte of TCP buffer)? OK - it might be useful then, but then again - which operating systems implement this feature?
4) When you flip just 10 sysctl switches, how do you identify the source of a problem? By repeating the test 1024 times with all possible switch positions?
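As an added example (not from any post in this thread), the following script shows what a "TCP timestamp response" scanner finding actually looks at, and ties together the question's remediation and gheist's first point. It parses the RFC 1323/7323 timestamp option (kind 8, length 10, TSval/TSecr) out of a raw TCP segment, and estimates the host's timestamp clock rate and uptime from samples taken on separate connections, the way a scanner does. Any host that speaks TCP with timestamps on will answer this way, which is why the finding is not web-server specific. Two caveats worth knowing: the iptables rules quoted in the question act on ICMP timestamp requests/replies (a separate finding) and have no effect on the TCP option; and current Linux kernels (4.10 and later) randomise the TSval offset per connection by default with net.ipv4.tcp_timestamps=1, which defeats the uptime estimate without disabling timestamps (value 2 keeps timestamps without the offset; 0 disables them). The function names, the tick-rate table and every packet byte below are my own constructions for illustration.

```python
"""Added example (not from the thread): what a "TCP timestamp response"
finding looks at. Parses the TCP timestamp option out of a segment and
estimates host uptime from samples, as a scanner does. All segments are
constructed here; nothing is captured from a network."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TCP_OPT_EOL = 0
TCP_OPT_NOP = 1
TCP_OPT_TIMESTAMP = 8          # kind=8, length=10: TSval(4) + TSecr(4)
TS_WRAP = 1 << 32
# Tick rates commonly seen for the TSval clock (Linux HZ=100/250/1000,
# Windows 100 Hz). Illustrative list used only to sanity-check estimates.
PLAUSIBLE_TICK_RATES_HZ = (100, 250, 1000)


@dataclass
class TcpTimestamp:
    tsval: int   # sender's timestamp clock value
    tsecr: int   # echo of the last TSval received from the peer


def build_syn_ack(tsval: int, tsecr: int, with_ts: bool = True) -> bytes:
    """Construct a minimal SYN/ACK (test data; checksum left at zero).
    with_ts=False mimics a peer running with tcp_timestamps=0."""
    options = b""
    if with_ts:
        # NOP, NOP, then the 10-byte timestamp option (the usual alignment)
        options = bytes([TCP_OPT_NOP, TCP_OPT_NOP, TCP_OPT_TIMESTAMP, 10])
        options += struct.pack("!II", tsval, tsecr)
    data_offset_words = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH",
                         443, 40000,            # src/dst port (arbitrary)
                         1000, 2001,            # seq / ack (arbitrary)
                         data_offset_words << 4,
                         0x12,                  # flags: SYN|ACK
                         65535, 0, 0)           # window, checksum, urgent ptr
    return header + options


def parse_tcp_options(options: bytes) -> Dict[int, bytes]:
    """Walk the options field that follows the 20-byte fixed header.
    Returns {kind: payload}; NOP is skipped, EOL ends the walk."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == TCP_OPT_EOL:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length %d" % length)
        opts[kind] = options[i + 2:i + length]
        i += length
    return opts


def extract_timestamp(segment: bytes) -> Optional[TcpTimestamp]:
    """Return the timestamp option from a raw TCP segment, or None when the
    peer sent none (what a scanner sees after tcp_timestamps=0)."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    data_offset = (segment[12] >> 4) * 4
    payload = parse_tcp_options(segment[20:data_offset]).get(TCP_OPT_TIMESTAMP)
    if payload is None:
        return None
    if len(payload) != 8:
        raise ValueError("timestamp option must carry 8 bytes")
    tsval, tsecr = struct.unpack("!II", payload)
    return TcpTimestamp(tsval, tsecr)


def estimate_uptime_seconds(samples: List[Tuple[float, int]]) -> Optional[float]:
    """samples = [(capture_time_s, tsval), ...] from one host, each from a
    separate connection, in time order. Derives the tick rate, snaps it to a
    plausible value and returns tsval / rate (uptime if TSval is boot-relative).
    Returns None when the rate is implausible, which is what a host that
    randomises the TSval offset per connection produces."""
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    (t0, ts0), (t1, ts1) = samples[0], samples[-1]
    elapsed = t1 - t0
    if elapsed <= 0:
        raise ValueError("samples must be in increasing time order")
    ticks = (ts1 - ts0) % TS_WRAP          # tolerate 32-bit wrap-around
    raw_rate = ticks / elapsed
    for rate in PLAUSIBLE_TICK_RATES_HZ:
        if abs(raw_rate - rate) <= 0.2 * rate:
            return ts1 / rate
    return None


if __name__ == "__main__":
    print(extract_timestamp(build_syn_ack(1_010_000, 7)))
    print(extract_timestamp(build_syn_ack(0, 0, with_ts=False)))          # None
    print(estimate_uptime_seconds([(1000.0, 1_000_000), (1010.0, 1_010_000)]))  # 1010.0
    print(estimate_uptime_seconds([(1000.0, 3_000_000_000), (1010.0, 50_000)]))  # None
```

The two sample sets in the `__main__` block are the two situations gheist's first point distinguishes: a boot-relative counter ticking at 1000 Hz yields a consistent rate and an uptime of 1010 s, while values that jump between connections yield no plausible rate and the estimate is discarded. Running the same parser against real SYN/ACKs from an app or DB server gives the same kind of answer as against a web server, which is the practical reason the finding applies to every tier.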
