OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: Julien on April 25, 2018, 01:13:24 pm

Title: Vulnerability test
Post by: Julien on April 25, 2018, 01:13:24 pm
Hi Guys,
Today I've done a vulnerability test against the appliance.
The result comes back with TCP timestamps.
I know the risk is low; the attacker needs to know how long your system has been on.
Is this something we can get fixed, or does it need some tunable tricks?
Thank you.
Title: Re: Vulnerability test
Post by: BeNe on April 25, 2018, 02:02:58 pm
Please try to set the value of net.inet.tcp.rfc1323 to 0 by running the following command:
Code:
sysctl -w net.inet.tcp.rfc1323=0
Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:
Code:
net.inet.tcp.rfc1323=0
Source --> https://pseudobsd.tumblr.com/post/87704883767/disabling-tcp-timestamp-response-on-freebsd
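To make concrete what the scanner flagged in the original post and what BeNe's sysctl change removes, here is an added example (not code from this thread or from OPNsense) that parses a TCP options block, pulls out the RFC 1323 timestamp option (kind 8) if present, and turns two TSval samples into an uptime estimate the way a scanner would. The option bytes are constructed by hand; a 1000 Hz timestamp clock is an assumption used for the sample values (scanners infer the rate from consecutive samples, which is what infer_tick_rate does), and a zero-based clock is assumed, which is exactly what lets uptime be read off TSval.

```python
"""Detect the TCP timestamp option and estimate host uptime from it.

Added example for the OPNsense thread on net.inet.tcp.rfc1323; not the
project's code.  Sample option blocks are constructed inline.
"""
import struct
from typing import List, Optional, Tuple

TCPOPT_EOL = 0        # end of option list
TCPOPT_NOP = 1        # single-byte padding
TCPOPT_TIMESTAMP = 8  # RFC 1323/7323 timestamps: len 10, TSval + TSecr


def parse_tcp_options(opts: bytes) -> List[Tuple[int, bytes]]:
    """Walk a TCP options block and return (kind, data) pairs.

    EOL stops parsing, NOP has no length byte, every other kind is
    length-prefixed.  A truncated or malformed option ends the walk
    instead of raising, so a hostile segment cannot crash the parser.
    """
    out: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            out.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(opts):
            break                      # kind byte with no length byte
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                      # length runs past the block
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def extract_tsval(opts: bytes) -> Optional[int]:
    """Return TSval if a well-formed timestamp option is present, else None.

    None is what a scanner sees from a host running with rfc1323=0:
    nothing to time, so no uptime inference.
    """
    for kind, data in parse_tcp_options(opts):
        if kind == TCPOPT_TIMESTAMP and len(data) == 8:
            tsval, _tsecr = struct.unpack("!II", data)
            return tsval
    return None


def infer_tick_rate(samples: List[Tuple[float, int]]) -> float:
    """Ticks per second of the remote timestamp clock.

    samples are (wall_clock_seconds, tsval) pairs from the same host;
    the first and last are used, and the TSval delta is taken modulo
    2**32 so a wrapped counter still gives the right rate.
    """
    (t0, ts0), (t1, ts1) = samples[0], samples[-1]
    if t1 <= t0:
        raise ValueError("samples must span a positive wall-clock interval")
    delta_ticks = (ts1 - ts0) % (1 << 32)
    return delta_ticks / (t1 - t0)


def estimate_uptime_seconds(tsval: int, hz: float) -> float:
    """Uptime implied by TSval, assuming the clock started at 0 on boot.

    That assumption is what makes timestamps an information leak; a stack
    that randomises the TSval offset per connection defeats this estimate.
    """
    return tsval / hz


# Constructed SYN/ACK option block from a host with timestamps enabled:
# MSS 1460, window scale 6, NOP NOP, timestamp TSval=3_600_000 TSecr=0.
# At an assumed 1000 Hz clock that TSval means ~1 hour of uptime.
OPTS_WITH_TS = (
    bytes.fromhex("020405b4") + bytes.fromhex("030306") + b"\x01\x01"
    + b"\x08\x0a" + struct.pack("!II", 3_600_000, 0)
)
# Constructed block after rfc1323=0: MSS only, EOL, padding.
OPTS_WITHOUT_TS = bytes.fromhex("020405b4") + b"\x00\x00\x00\x00"


def demo() -> Optional[float]:
    """Two probes 5 s apart against the timestamping host -> uptime guess."""
    first = extract_tsval(OPTS_WITH_TS)
    if first is None:
        return None
    second = first + 5_000          # constructed: 5 s later at 1000 Hz
    hz = infer_tick_rate([(0.0, first), (5.0, second)])
    return estimate_uptime_seconds(second, hz)


if __name__ == "__main__":
    print("with timestamps, uptime ~", demo(), "s")
    print("after rfc1323=0, TSval:", extract_tsval(OPTS_WITHOUT_TS))
```

One caveat before applying BeNe's fix: on FreeBSD net.inet.tcp.rfc1323 governs both the timestamp option and window scaling, so setting it to 0 also drops window scaling (the wscale option in the first sample block above), which caps the receive window at 64 KiB and can hurt throughput on fast links. Check the running value with `sysctl net.inet.tcp.rfc1323` after the change and after the next update.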
Title: Re: Vulnerability test
Post by: Julien on April 25, 2018, 05:59:14 pm
Quote
Please try to set the value of net.inet.tcp.rfc1323 to 0 by running the following command:
Code:
sysctl -w net.inet.tcp.rfc1323=0
Additionally, put the following value in the default sysctl configuration file, generally sysctl.conf:
Code:
net.inet.tcp.rfc1323=0
Source --> https://pseudobsd.tumblr.com/post/87704883767/disabling-tcp-timestamp-response-on-freebsd
Will this value be overwritten after the updates?
Title: Re: Vulnerability test
Post by: Oxygen61 on April 25, 2018, 09:16:01 pm
Quote
Will this value be overwritten after the updates?
Probably, sadly. :(

If you find some time, can you check if it is enough to add net.inet.tcp.rfc1323=0
to the tunables in [System: Settings: Tunables]?
This may work as well and even survive any upcoming updates. Besides that, I would recommend writing down all these tunables somewhere, in case an update wrecks all additionally made settings. :)

Title: Re: Vulnerability test
Post by: Julien on April 26, 2018, 11:41:52 am
Quote
Will this value be overwritten after the updates?
Probably, sadly. :(

If you find some time, can you check if it is enough to add net.inet.tcp.rfc1323=0
to the tunables in [System: Settings: Tunables]?
This may work as well and even survive any upcoming updates. Besides that, I would recommend writing down all these tunables somewhere, in case an update wrecks all additionally made settings. :)
Thank you for your answer.
After every change we make, we take a backup.