Provide option to harden response to ARP requests

2024-12-22 20:53:36 +07:00 · 2024-11-13 05:41:25 +00:00 · 2024-11-13 05:41:25 +00:00 · 18aec201bf
commit 18aec201bf
parent a25d4f8df8
2 changed files with 10 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -105,6 +105,9 @@ Networking:
 - Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP
  cache poisoning attacks.

+- Optional - Respond to ARP requests only if the target IP address is
+  on-link, preventing some IP spoofing attacks.
+  
 - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning
  via man-in-the-middle and denial-of-service attacks.

--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@ -452,6 +452,13 @@ net.ipv6.conf.*.accept_redirects=0
 ##
 #net.ipv4.conf.*.arp_filter=1

+## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link.
+## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses.
+##
+## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
+##
+#net.ipv4.conf.*.arp_ignore=2
+
 ## Drop gratuitous ARP (Address Resolution Protocol) packets.
 ## Stops ARP responses sent by a device without being explicitly requested.
 ## Prevents ARP cache poisoning by rejecting fake ARP entries into a network.