Solved

Disable Tcp_timestamp : applicable to Web servers only or App & DB as well?

Posted on 2014-11-13
607 Views
Last Modified: 2014-12-12
When the VA scanner scans & recommends disabling TCP_timestamp,
is this something we disable at the Web tier only, or does it need to be done at
App & DB too?    We can't do it at the LB level due to an impact.

Refer to:
http://www.tmltechnologies.com/html-2012/index.php/linux-rescue-kits/82-secret/91-disable-tcp-timestamps-on-linux

Issue, as root:
    # echo 0 > /proc/sys/net/ipv4/tcp_timestamps
and, to make it stay across reboots, add the following line to /etc/sysctl.conf:
    net.ipv4.tcp_timestamps = 0

Create Solaris iptables firewall rules as an additional enhancement:
    iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP
    iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP

For Windows 2008 R2:
https://social.technet.microsoft.com/Forums/en-US/d4015aa9-0613-473e-8950-a3b3d3e72b04/i-have-security-vulnerability-tcp-timestamp-response-on-w2k3-w2k8-servers-how-to-fix-it?forum=winserversecurity
    Add & set the Tcp1323Opts value to 0 in the registry key HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Also add the equivalent firewall rules in Windows & reboot the Windows server.
Question by: sunhux
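To verify the Linux step above on every tier instead of assuming it, here is an added shell audit (example code, not from the thread or the linked page) that compares the running value with what /etc/sysctl.conf persists and flags the two drift cases, "disabled now but reverts on reboot" and "persisted but not yet applied". The function names and file-path parameters are my own, and like the question it reads only /etc/sysctl.conf, not /etc/sysctl.d/.

```shell
#!/bin/sh
# Added example: audit TCP timestamp state on a Linux host.
# Paths are parameters so the functions can be pointed at copies of the
# files; defaults are the live locations. Only /etc/sysctl.conf is read
# (assumption: sysctl.d fragments are not covered here).

# Persisted value: the LAST uncommented "net.ipv4.tcp_timestamps = N"
# line wins, because sysctl applies the file top to bottom. The key may
# be written with dots or slashes. Prints "unset" if absent.
persisted_tcp_timestamps() {
    conf="${1:-/etc/sysctl.conf}"
    val=$(sed -n 's/^[[:space:]]*net[./]ipv4[./]tcp_timestamps[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
              "$conf" 2>/dev/null | tail -n 1)
    [ -n "$val" ] && echo "$val" || echo "unset"
}

# Running value from the proc file. Linux accepts 0, 1 or 2 here; only 0
# means timestamps are off, so 1 and 2 are both reported as enabled.
running_tcp_timestamps() {
    f="${1:-/proc/sys/net/ipv4/tcp_timestamps}"
    [ -r "$f" ] && tr -d '[:space:]' < "$f" || echo "unset"
}

# One-word verdict for a host:
#   disabled  - off now and persisted (survives reboot)
#   transient - off now but not in sysctl.conf: comes back on reboot
#   pending   - persisted off but still on: sysctl -p / reboot not applied
#   enabled   - on, nothing configured
audit_tcp_timestamps() {
    run=$(running_tcp_timestamps "$1")
    per=$(persisted_tcp_timestamps "$2")
    if [ "$run" = "0" ] && [ "$per" = "0" ]; then echo disabled
    elif [ "$run" = "0" ]; then echo transient
    elif [ "$per" = "0" ]; then echo pending
    else echo enabled
    fi
}

# Run on each web, app and DB host: audit_tcp_timestamps
```

Run it once before and once after applying the change so the "pending" and "transient" states catch a forgotten `sysctl -p` or a missing persisted line.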
3 Comments

Author Comment

by: sunhux
ID: 40442998
From googling around, I noticed Tcp_timestamp disabling
is done on web servers only; is this correct, or ought it to
be done on app & DB servers as well?
LVL 37

Accepted Solution

by: Neil Russell (earned 300 total points)
ID: 40460143
Most admins consider that the risk/benefit of Tcp_timestamp disabling is just not worth it.  The "RISK" is very light; it does not provide an exploit in its own right, as I am sure you have read already.

It is ANY server that communicates with TCP that is "affected", not just web servers.

There can be unintended consequences that lead to a dramatic loss in performance, and as the "RISK" is that somebody will know how long your server has been on, or them knowing the OS you use, I would put a red line through it.

Risk assessment is not just about following all recommendations. It is about acknowledging that you have understood a "RISK" and made a business decision on the potential for loss versus the potential for loss in performance.
As I said, most consider the risk and mark it as "Noted".
LVL 62

Assisted Solution

by: gheist (earned 200 total points)
ID: 40460388
The best tuning advice would be to leave everything at defaults and don't fix what is not broken.

Some points:
1) Are timestamps derived from system time or random? In the second case there is no security advantage in disabling them.
2) Either way, is reading a timer or generating a few pseudo-random bits expensive on your system? Not on Linux on good hardware, but there are some bad seeds around, e.g. virtualisation.
3) Do you have more than two million in-flight packets to make use of the sequence number roll-over protection that timestamps offer (like a terabyte of TCP buffer)? OK, it might be useful then, but then again, which operating systems implement this feature?
4) When you flip just 10 sysctl switches, how do you identify the source of a problem? By repeating the test 1024 times with all possible switch positions?
