ansible-collection-hardening
net.ipv4.tcp_timestamps
Describe the bug
- TCP Timestamps is disabled by the os_hardening role. I don't think it should.
- The comment in defaults/main.yml is wrong.
# Protect against wrapping sequence numbers at gigabit speeds | sysctl-07
net.ipv4.tcp_timestamps: 0
2: The comment would make sense if we enabled TCP timestamps, but we disable it. The comment should explain that we disable it and why we do it.
1: In the past it made sense to disable TCP timestamps so that an attacker could not calculate the uptime of a server. If an attacker knows that a server has been up for three months, then he also knows that the server runs a kernel that has not been patched for at least three months...
This issue was fixed by the kernel developers some time ago. The default value is 1. Previously it enabled TCP timestamps with the counter starting from zero, which made it possible to calculate the uptime.
The current behaviour is to enable TCP timestamps starting from a random value, which gives the wrong uptime if you try to calculate it.
I don't know in which kernel version this was changed, but it was a few years ago.
In my opinion the default should be 1 now just as the kernel developers intended, since turning off TCP timestamps creates performance issues on certain networks and it's not a security issue anymore.
https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
https://security.stackexchange.com/questions/111794/pros-and-cons-of-disabling-tcp-timestamps
Expected behavior
Either no net.ipv4.tcp_timestamps at all in /etc/sysctl.conf or net.ipv4.tcp_timestamps = 1
If you decide to still keep TCP timestamps disabled for some reason, the comment should make sense.
Actual behavior
net.ipv4.tcp_timestamps = 0
Role Version
7.0.0
No comments here for a long time, so I figured that I will talk with myself here a bit more ;-) I am using the ansible-collection-hardening collection in an environment where I think that TCP timestamps has a performance benefit, and disabling it might create timestamp wrapping. I suspect that this is true for others as well.
See the interesting discussions about it here:
https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824/10
https://gitlab.tails.boum.org/tails/tails/-/issues/17491
I know that OpenVAS complains about enabled TCP timestamps on fresh installs of RHEL7/8 and I suspect that this is why we disable TCP timestamps by default. This was the right thing to do before this patch: https://github.com/torvalds/linux/commit/95a22caee396cef0bb2ca8fafdd82966a49367bb But I don't think that anyone here is using a kernel from before 2016...
Agree with @joubbi - default now seems sane, no obvious advantage in expecting anything stronger.
tcp_timestamps - INTEGER
Enable timestamps as defined in RFC1323.
0: Disabled.
1: Enable timestamps as defined in RFC1323 and use random offset for each connection rather than only using the current time.
2: Like 1, but without random offsets.
Default: 1
https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
Change seems to have happened in kernel v4.1 https://github.com/torvalds/linux/commit/95a22caee396cef0bb2ca8fafdd82966a49367bb
I'll happily include this if anyone opens a PR.
I guess the important part of disabling net.ipv4.tcp_timestamps nowadays might be in the fact that some clients may reside behind NAT and keeping it on would affect communication with such clients. In that case keeping it off makes perfect sense, but indeed, the comment must reflect the intention.
More details: https://medium.com/dataseries/why-are-linux-kernel-protocol-stacks-dropping-syn-packets-5ee5cab351a6
@rndmh3ro Is it possible to confirm that it was disabled in the first place because of the old security issue related to finding server uptime (which seems to be fixed for quite a while) and nothing else?
If it's so, and given that client port reuse is governed not only by this setting, but also by net.ipv4.tcp_tw_reuse in modern kernels (if I'm not mistaken), does it make sense to keep timestamps off?
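As an added example (not code from this thread, the role, or the kernel docs), a small audit script that applies the reasoning above: it reads the configured net.ipv4.tcp_timestamps value from sysctl.conf-style text, compares the running kernel's major.minor against the v4.1 change cited in the thread, and flags mode 0 as unjustified unless the NAT caveat applies. The NAT flag, the sample config text and the kernel release strings are assumed inputs; distro backports are not modelled.

```python
import re

# Mode meanings as documented in the kernel's ip-sysctl.txt (quoted in the thread).
TCP_TIMESTAMP_MODES = {
    0: "disabled",
    1: "enabled, random per-connection offset (kernel default)",
    2: "enabled, no random offset: TSval reveals time since boot",
}
# Random offsets arrived with the v4.1 commit cited in the thread; distro backports are ignored.
RANDOM_OFFSET_SINCE = (4, 1)


def kernel_version(release: str) -> tuple:
    """'5.15.0-91-generic' -> (5, 15); only major.minor is compared."""
    match = re.match(r"(\d+)\.(\d+)", release)
    if not match:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return int(match.group(1)), int(match.group(2))


def parse_sysctl_conf(text: str) -> dict:
    """Parse 'key = value' lines from sysctl.conf-style text, skipping comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings


def assess(mode: int, release: str, clients_behind_nat: bool = False) -> str:
    """Classify a tcp_timestamps value for the given running kernel."""
    if mode not in TCP_TIMESTAMP_MODES:
        return f"invalid: {mode} is not 0, 1 or 2"
    if mode == 2 or (mode == 1 and kernel_version(release) < RANDOM_OFFSET_SINCE):
        return "uptime leak: TSval counts from boot; use 1 on a kernel >= 4.1"
    if mode == 0:
        if clients_behind_nat:
            return "disabled: justified by NAT clients; say so in the comment"
        return "disabled without need: no uptime leak since v4.1, and wrapped-sequence-number protection is lost; use 1"
    return "ok: " + TCP_TIMESTAMP_MODES[1]


def audit(sysctl_conf: str, release: str, clients_behind_nat: bool = False) -> str:
    """Read the configured value from sysctl.conf text; absent means the kernel default 1."""
    value = parse_sysctl_conf(sysctl_conf).get("net.ipv4.tcp_timestamps", "1")
    return assess(int(value), release, clients_behind_nat)


if __name__ == "__main__":
    # Constructed sample mirroring what the role currently writes (sysctl-07).
    print(audit("# sysctl-07\nnet.ipv4.tcp_timestamps = 0\n", "5.15.0-91-generic"))
```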