Thursday, 4 July 2013

How to block ICMP timestamp requests on AIX

Question

How do I prevent AIX from replying to ICMP timestamp requests?

Answer

ICMP timestamp requests and replies can be blocked using ip filters
The filesets for ip filters (ipfl.rte and ipfl.man.en_US) can be found on the AIX 5.3 and AIX 6.1 Expansion Pack media.
Once the filesets are installed, you will need to create configuration file for ipf
# vi /etc/ipf.conf

# Block ICMP timestamp requests and replies

block in log proto icmp from any to any icmp-type 13 #timestamp

block in log proto icmp from any to any icmp-type 14 #timestamp reply

Load the IP filter kernel extension
# /usr/lib/methods/cfg_ipf -l
Load the IP filter rules
# ipf -f /etc/ipf.conf
Confirm the rules were loaded
# ipfstat -i
block in log proto icmp from any to any icmp-type timest

block in log proto icmp from any to any icmp-type timestrep

Start the IP filter logging daemon, if desired
# /usr/sbin/ipmon -s -D
To load the IP filter kernel extension and rules at boot, you can create a script to be called from the inidivab
# vi /etc/rc.ipf
    #!/bin/ksh

    #

    # Script to load ip filter kernel extension,

    # filter rules, and logging

    #

    # Load IPFilter into kernel

    /usr/lib/methods/cfg_ipf -l

    # Load ipmon and log to syslog

    /usr/sbin/ipmon -s -D

    # Load IP filter rules

    /usr/sbin/ipf -Fa -f /etc/ipf.conf
     
Make the script executable
# chmod 755 /etc/rc.ipf
Then add an entry to the inidivab to execute the script at run level 2
# mkitab "rcipf:2:once:/etc/rc.ipf > /dev/console 2>&1 # Load IP Filter"
ipmon will send messages to syslog using the local0 facility. If you wish to log those messages, you can configure syslog to do so.
# vi /etc/syslog.conf
Add the following line:
local0.debug     /var/adm/local0.log
# touch /var/adm/local0.log
# refresh -s syslogd

Testing:

AIX does not have any native utilities to generate an ICMP timestamp request, but third-party programs like nmap and icmpush can create such requests. Alternately, you can run the scan that first reported the vulnerability, as it would have sent a request during its testing.

0 blogger-disqus:

Post a comment