how to generate initial TCP sequence numbers that comply with RFC1948

SOLVED
Vincent_5
Super Advisor


Hi Guys,

   Can someone help? I need to run the following script to use more random TCP sequence numbers upon system startup. Can you advise, based on the script below, what I should do?

Create/open the file /sbin/rc2.d/S999tcpisn (this file cannot be found on my system)

Add the following line

ndd -set /dev/tcp tcp_idn_passprase=<random string>

Kindly help

Regards

Vincent

nothing is better than to know more
2 REPLIES
Steven Schweda
Honored Contributor

Re: how to generate initial TCP sequence numbers that comply with RFC1948

> [...] I need to perform the following script [...]

   Says who?  How did you determine this?

> Create/open the file /sbin/rc2.d/S999tcpisn ( This file cannot be
> found on my system )

   What is "my system"?

      uname -a

   Perhaps this file is missing because it's part of a software package
(patch?) which has not been installed.

Bill Hassell
Honored Contributor
Solution

Re: how to generate initial TCP sequence numbers that comply with RFC1948

This idea is part of a larger document from CIS:
https://www.cisecurity.org/wp-content/uploads/2017/04/CIS_HP-UX_11i_Benchmark_v1.5.0.pdf?x60581

The S999tcpisn is a somewhat arbitrary name for a new rc script with 1 line (the ndd line).
It simply adds a seed value for the TCP sequence numbering.
NOTE:
The ndd name is NOT tcp_idn_passphrase; it is tcp_isn_passphrase
(hint: ndd -h supported | grep passphrase)

However, the example fails to complete the script with an actual random value.
The following commands will accomplish the task:

# echo "ndd -set /dev/tcp tcp_isn_passphrase $RANDOM$RANDOM" > /sbin/rc2.d/S999tcpisn
# chmod 755 /sbin/rc2.d/S999tcpisn

Now each time you reboot, the sequence number generator for TCP will start at a new location.

Bill Hassell, sysadmin
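A generator for the S999tcpisn script, added here as an example and not part of Bill's reply or the CIS benchmark: it takes the secret from /dev/urandom (assumed to exist on the host, as on HP-UX 11i v2 and later) rather than $RANDOM, which is limited to 0-32767 per expansion, refuses to write the file if no usable secret came back, and emits an HP-UX-style rc script with start_msg/start cases. The function names, the secret length of 16 bytes and the root-only file mode are my choices.

```shell
#!/usr/bin/sh
# Hypothetical generator for the S999tcpisn rc script discussed above.
# Draws the tcp_isn_passphrase secret from /dev/urandom (assumed present on
# the host) rather than the shell's $RANDOM, and writes an HP-UX-style rc
# script that applies it at start.

# Print NBYTES (default 16) random bytes as lowercase hex.
make_isn_secret() {
    nbytes=${1:-16}
    dd if=/dev/urandom bs=1 count="$nbytes" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Write the rc script to TARGET (default /sbin/rc2.d/S999tcpisn).
# Returns non-zero if no usable secret could be produced.
write_tcpisn_script() {
    target=${1:-/sbin/rc2.d/S999tcpisn}
    secret=$(make_isn_secret 16)
    # 16 bytes must yield exactly 32 hex digits; anything else means
    # /dev/urandom was unavailable and we must not write a weak script.
    [ "${#secret}" -eq 32 ] || return 1
    umask 077          # the file embeds the secret: root-only from creation
    cat > "$target" <<EOF
#!/sbin/sh
# Seed the RFC 1948 TCP initial sequence number generator with a host secret.
case "\$1" in
start_msg) echo "Seeding TCP ISN passphrase" ;;
start)     ndd -set /dev/tcp tcp_isn_passphrase $secret ;;
esac
exit 0
EOF
    chmod 700 "$target"
}

# Extract the passphrase from a generated script (empty if the ndd line is absent).
tcpisn_secret_in() {
    sed -n 's/.*ndd -set \/dev\/tcp tcp_isn_passphrase \([0-9a-f]*\).*/\1/p' "$1"
}

# Usage (as root): sh tcpisn.sh /sbin/rc2.d/S999tcpisn
if [ $# -gt 0 ]; then
    write_tcpisn_script "$1"
fi
```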