HPE Community
Operating System - HP-UX
1820475 Members
3263 Online
109624 Solutions
New Discussion

how to generate initial TCP sequence numbers that comply with RFC1948

 
SOLVED
Go to solution
Vincent_5
Super Advisor

‎12-16-2017 06:02 AM

‎12-16-2017 06:02 AM

how to generate initial TCP sequence numbers that comply with RFC1948

Hi Guys,

   Can someone help, I need to perform the following script to use more random TCP sequence numbers upon system startup, can advice base on the script below what should I do

Create/open the file /sbin/rc2.d/S999tcpisn ( This file cannot be found on my system )

Add the following line

ndd -set /dev/tcp tcp_idn_passprase=<random string>

 

Kindly help

 

Regards

Vincent

 

 

nothing is better than to know more
0 Kudos
Reply
2 REPLIES 2
Steven Schweda
Honored Contributor

‎12-16-2017 07:16 AM

‎12-16-2017 07:16 AM

Re: how to generate initial TCP sequence numbers that comply with RFC1948

> [...] I need to perform the following script [...]

   Says who?  How did you determine this?

> Create/open the file /sbin/rc2.d/S999tcpisn ( This file cannot be
> found on my system )

   What is "my system"?

      uname -a

   Perhaps this file is missing because it's part of a sortware package
(patch?) which has not been installed.

0 Kudos
Reply
Bill Hassell
Honored Contributor

‎12-18-2017 08:32 PM

‎12-18-2017 08:32 PM

Solution

Re: how to generate initial TCP sequence numbers that comply with RFC1948

This idea is part of a larger document from CIS:
https://www.cisecurity.org/wp-content/uploads/2017/04/CIS_HP-UX_11i_Benchmark_v1.5.0.pdf?x60581

The S999tcpisn is a somewhat arbitrary name for a new rc script with 1 line (the ndd line).
It simply adds a seed value for the TCP sequence numbering.
NOTE:
The ndd name is NOT tcp_idn_passphrase, it is tcp_isn_passphrase
(hint: ndd -h supported | grep passphrase)

However, the example fails to complete the script with an actual random value.
The following commands will accomplish the task:

# echo "ndd -set /dev/tcp tcp_isn_passphrase $RANDOM$RANDOM" > /sbin/rc2.d/S999tcpisn
# chmod 755 /sbin/rc2.d/S999tcpisn

Now each time you reboot, the sequence number generator for TCP will start at a new location.

 

 

 



Bill Hassell, sysadmin
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.