Disable TCP timestamps on Linux

updated:  09/2018

2018-09-06 11_28_54-Selection_001b.png

Ref: https://www.exploresecurity.com/testing-for-tcp-ip-timestamps/


It is possible to estimate the current uptime of a Linux machine remotely. It's preferable to disable TCP timestamps on your systems. The less information attackers can get, the better of you are.


To dynamically disable TCPtime stamping,run the following command:

root@thunderchicken:~# echo 0 > /proc/sys/net/ipv4/tcp_timestamps

To make that change permanent though, you need to add the following line to /etc/sysctl.conf:

net.ipv4.tcp_timestamps = 0


To be on the safe side, add the following 2 lines to your firewall script:

iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP

iptables -A OUTPUT -p icmp --icmp-type timestamp-reply -j DROP


Simple real time script to audit your systems:

subject="PCI-TEST 251"
hostname=`hostname | sed -e 's/\..*$//'`
/bin/rm -if $FILEOUT
echo " Rescan audit Ref: 2.51 - Responding to TCP timestamp queries. " >> $FILEOUT
echo " Using such duration requests, the so-called "uptime" of a system can be determined. A high "Uptime" allows conclu
sions on not installed kernel patches, as each kernel update is accompanied by a restart of the system and thus a reset
of Uptime. "  >> $FILEOUT
while read line; do
    echo $line    >> $FILEOUT
        LL=`echo $line | cut -d":" -f1`
        NN=`echo $line | cut -d":" -f2`
                hping3 $LL  --tcp-timestamp -c 5 -S -p $NN      >> $FILEOUT  2>&1
    echo "-----------------------------------------------------------------------------------------" >> $FILEOUT
done < 251.txt