From 141b84c40de76988ec78bdccf1c1d67fc4367b3f Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 13 Nov 2024 05:42:56 +0000 Subject: [PATCH] Provide option to deny sending and receiving shared media redirects --- README.md | 5 ++++- usr/lib/sysctl.d/990-security-misc.conf | 11 +++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ed9e4d7..50b3cf0 100644 --- a/README.md +++ b/README.md @@ -102,12 +102,15 @@ Networking: - Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimize information disclosure. +- Optional - Deny sending and receiving shared media redirects to reduce + the risk of IP spoofing attacks. + - Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. - Optional - Respond to ARP requests only if the target IP address is on-link, preventing some IP spoofing attacks. - + - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index a2c3198..c43ca19 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -443,6 +443,17 @@ net.ipv4.conf.*.send_redirects=0 net.ipv6.conf.*.accept_redirects=0 #net.ipv4.conf.*.secure_redirects=1 +## Deny sending and receiving RFC1620 shared media redirects. +## Relevant mainly for network interfaces that operate over shared media such as Ethernet hubs. +## Stops the kernel from sending ICMP redirects to specific networks from the connected network. +## This variable overrides the use secure_redirects. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## https://datatracker.ietf.org/doc/html/rfc1620 +## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html +## +#net.ipv4.conf.*.shared_media=0 + ## Enable ARP (Address Resolution Protocol) filtering. ## Prevents the Linux kernel from handling the ARP table globally ## Can mitigate some ARP spoofing and ARP cache poisoning attacks.