[grsec] grsec's tcp source port randomization

Brant Williams brant at tnarb.net
Wed Apr 25 13:21:37 EDT 2007


I understand that development of grsec is mostly a one-man-volunteer kinda 
thing, so not to be annoying or complain... just curious about this, 
although I don't know enough about tcp packet sequence prediction to 
really say whether this feature is worth the bother of this thread. =) In 
the .config below, CONFIG_GRKERNSEC_RANDNET is set, but this is to 
increase/double the entropy pool.

To illustrate what I'm talking about (bored)...

brant@nerv ~ $ uname -a
Linux nerv 2.4.34-grsec #1 SMP Sun Apr 8 17:46:16 CDT 2007 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
brant@nerv ~ $ telnet enterprise 22 &> /dev/null
brant@nerv ~ $ telnet enterprise 22 &> /dev/null
brant@nerv ~ $ telnet enterprise 22 &> /dev/null
brant@nerv ~ $ telnet enterprise 22 &> /dev/null
brant@nerv ~ $ telnet enterprise 22 &> /dev/null
brant@nerv ~ $ telnet enterprise 22 &> /dev/null
brant@nerv ~ $ telnet enterprise 22 &> /dev/null

brant@enterprise ~ $ netstat -p tcp
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  enterprise.ssh         nerv.32889             ESTABLISHED
tcp4       0      0  enterprise.ssh         nerv.32888             TIME_WAIT
tcp4       0      0  enterprise.ssh         nerv.32887             TIME_WAIT
tcp4       0      0  enterprise.ssh         nerv.32886             TIME_WAIT
tcp4       0      0  enterprise.ssh         nerv.32885             TIME_WAIT
tcp4       0      0  enterprise.ssh         nerv.32884             TIME_WAIT
tcp4       0      0  enterprise.ssh         nerv.32883             TIME_WAIT
tcp4       0      0  enterprise.ssh         nerv.32882             TIME_WAIT

brant@nerv ~ $ grep GRKERNSEC /usr/src/linux/.config
CONFIG_GRKERNSEC=y
# CONFIG_GRKERNSEC_LOW is not set
# CONFIG_GRKERNSEC_MID is not set
# CONFIG_GRKERNSEC_HI is not set
CONFIG_GRKERNSEC_CUSTOM=y
CONFIG_GRKERNSEC_KMEM=y
CONFIG_GRKERNSEC_IO=y
CONFIG_GRKERNSEC_PROC_MEMMAP=y
CONFIG_GRKERNSEC_BRUTE=y
CONFIG_GRKERNSEC_HIDESYM=y
CONFIG_GRKERNSEC_ACL_HIDEKERN=y
CONFIG_GRKERNSEC_ACL_MAXTRIES=3
CONFIG_GRKERNSEC_ACL_TIMEOUT=30
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1666
CONFIG_GRKERNSEC_PROC_ADD=y
CONFIG_GRKERNSEC_LINK=y
CONFIG_GRKERNSEC_FIFO=y
CONFIG_GRKERNSEC_CHROOT=y
CONFIG_GRKERNSEC_CHROOT_MOUNT=y
CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
CONFIG_GRKERNSEC_CHROOT_PIVOT=y
CONFIG_GRKERNSEC_CHROOT_CHDIR=y
CONFIG_GRKERNSEC_CHROOT_CHMOD=y
CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
CONFIG_GRKERNSEC_CHROOT_MKNOD=y
CONFIG_GRKERNSEC_CHROOT_SHMAT=y
CONFIG_GRKERNSEC_CHROOT_UNIX=y
CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
CONFIG_GRKERNSEC_CHROOT_NICE=y
CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
CONFIG_GRKERNSEC_CHROOT_CAPS=y
# CONFIG_GRKERNSEC_AUDIT_GROUP is not set
# CONFIG_GRKERNSEC_EXECLOG is not set
CONFIG_GRKERNSEC_RESLOG=y
CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
# CONFIG_GRKERNSEC_AUDIT_CHDIR is not set
CONFIG_GRKERNSEC_AUDIT_MOUNT=y
# CONFIG_GRKERNSEC_AUDIT_IPC is not set
CONFIG_GRKERNSEC_SIGNAL=y
CONFIG_GRKERNSEC_FORKFAIL=y
CONFIG_GRKERNSEC_TIME=y
CONFIG_GRKERNSEC_PROC_IPADDR=y
# CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
CONFIG_GRKERNSEC_EXECVE=y
CONFIG_GRKERNSEC_SHM=y
CONFIG_GRKERNSEC_DMESG=y
# CONFIG_GRKERNSEC_TPE is not set
CONFIG_GRKERNSEC_RANDNET=y
# CONFIG_GRKERNSEC_SOCKET is not set
# CONFIG_GRKERNSEC_SYSCTL is not set
CONFIG_GRKERNSEC_FLOODTIME=5
CONFIG_GRKERNSEC_FLOODBURST=6


later.


Public GPG/PGP key for Brant Williams: 0x88E1AA9E.
Available at your friendly local public keyserver.



On Wed, 25 Apr 2007, Adam Majer wrote:

> Brant Williams wrote:
> > A couple of list members have asked where I found the grsec changelog... 
> > it's way outdated, for 2.1.0 from 2005...
> > 
> > http://www.securityfocus.com/archive/1/386374
> > 
> > So I'm still wondering when/why TCP source port randomization was 
> > removed... I've checked against grsec 2.1.10 for vanilla 2.4.34 as well as 
> > Gentoo's hardened sources 2.6.18.
> 
> http://grsecurity.net/cvs226-changelog
> 
> but it is useless because it is from 2005!! And the CVS seems useless. All
> that is listed in the cvsweb is old... (17 months or so). And CVS is
> ancient with the 2.4.32 kernel. 2.4 is at 2.4.34.4 right now.
> 
> - Adam
> 
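
The check done by eye in the netstat listing above can be automated. This is an added example, not part of the original message and not grsecurity code; it parses the rows from the post plus a constructed contrast sample, and the function names, threshold and minimum sample count are assumptions. It also accepts Linux-style "host:port" rows, which goes beyond the single format shown in the post.

```python
import re

# Netstat rows copied from the post above (BSD-style "host.port" addresses).
POST_SAMPLE = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  enterprise.ssh         nerv.32889             ESTABLISHED
tcp4       0      0  enterprise.ssh         nerv.32888             TIME_WAIT
tcp4       0      0  enterprise.ssh         nerv.32887             TIME_WAIT
tcp4       0      0  enterprise.ssh         nerv.32886             TIME_WAIT
tcp4       0      0  enterprise.ssh         nerv.32885             TIME_WAIT
tcp4       0      0  enterprise.ssh         nerv.32884             TIME_WAIT
tcp4       0      0  enterprise.ssh         nerv.32883             TIME_WAIT
tcp4       0      0  enterprise.ssh         nerv.32882             TIME_WAIT
"""

# Constructed contrast sample: the same table with scattered source ports.
CONSTRUCTED_RANDOM = "\n".join(
    f"tcp4 0 0 enterprise.ssh nerv.{p} TIME_WAIT"
    for p in (41873, 58210, 33907, 60412, 47155, 52668, 36241, 49980))

# Accept both "host.port" (BSD netstat) and "host:port" (Linux netstat).
ADDR = re.compile(r"^(?P<host>.+)[.:](?P<port>\d+)$")

def foreign_ports(netstat_text, host):
    """Return the sorted client-side ports of TCP rows whose peer is `host`."""
    ports = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header, blank line, or non-TCP row
        m = ADDR.match(fields[4])
        if m and m.group("host") == host:
            ports.append(int(m.group("port")))
    return sorted(ports)

def sequential_ratio(ports, max_step=1):
    """Fraction of adjacent sorted ports that differ by at most `max_step`."""
    gaps = [b - a for a, b in zip(ports, ports[1:])]
    return sum(1 for g in gaps if 0 < g <= max_step) / len(gaps) if gaps else 0.0

def looks_sequential(netstat_text, host, threshold=0.8, min_samples=4):
    """True when enough connections exist and nearly all ports are adjacent."""
    ports = foreign_ports(netstat_text, host)
    return len(ports) >= min_samples and sequential_ratio(ports) >= threshold

if __name__ == "__main__":
    for name, text in (("post", POST_SAMPLE), ("constructed", CONSTRUCTED_RANDOM)):
        ports = foreign_ports(text, "nerv")
        print(name, ports, sequential_ratio(ports), looks_sequential(text, "nerv"))
```

The ports are sorted because netstat does not list rows in connection order, so the result is only meaningful when the sampled connections were opened close together, as in the telnet loop above.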

