diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 9836bc2..7c88e69 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -295,13 +295,15 @@ net.ipv4.tcp_rfc1337=1
 ## Enable reverse path filtering (source validation) of packets received from all interfaces.
 ## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899.
+## The second "default" command fixes a bug in the existing kernel implementation.
 ##
 ## https://en.wikipedia.org/wiki/IP_address_spoofing
 ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-reverse_path_forwarding#sect-Security_Guide-Server_Security-Reverse_Path_Forwarding
 ## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
 ## https://seclists.org/oss-sec/2019/q4/122
+## https://github.com/Kicksecure/security-misc/pull/261
 ##
-net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.*.rp_filter=1
 net.ipv4.conf.default.rp_filter=1
 ## Disable ICMP redirect acceptance and redirect sending messages.
@@ -315,14 +317,10 @@ net.ipv4.conf.default.rp_filter=1
 ## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
 ## https://github.com/Kicksecure/security-misc/pull/248
 ##
-net.ipv4.conf.all.accept_redirects=0
-net.ipv4.conf.default.accept_redirects=0
-net.ipv4.conf.all.send_redirects=0
-net.ipv4.conf.default.send_redirects=0
-net.ipv6.conf.all.accept_redirects=0
-net.ipv6.conf.default.accept_redirects=0
-#net.ipv4.conf.all.secure_redirects=1
-#net.ipv4.conf.default.secure_redirects=1
+net.ipv4.conf.*.accept_redirects=0
+net.ipv4.conf.*.send_redirects=0
+net.ipv6.conf.*.accept_redirects=0
+#net.ipv4.conf.*.secure_redirects=1
 ## Ignore ICMP echo requests.
 ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
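Review bot: The added comment `## The second "default" command fixes a bug in the existing kernel implementation.` in the rp_filter block does not say which bug it means or why a literal key is kept next to the new glob, and that rationale matters for the rest of the commit. As I read sysctl.d(5), systemd-sysctl gives a literally specified key priority over a glob match regardless of file ordering, so the retained literal `net.ipv4.conf.default.rp_filter=1` is what keeps this file's value winning if another sysctl.d fragment sets that key explicitly; if that is the intended reason, I would replace the comment with `## Keep the explicit "default" key: a literal key in any other sysctl.d file takes precedence over the glob above (see sysctl.d(5)).` The same precedence concern applies to the second hunk (IPv4 accept_redirects and send_redirects, IPv6 accept_redirects) and to the accept_source_route and accept_ra hunk further down, where the literal `all`/`default` lines are dropped with no literal retained, so a hypothetical lower-numbered fragment that literally sets `net.ipv4.conf.all.accept_redirects=1` would now override 990-security-misc.conf where previously the later file won; the commented-out log_martians and use_tempaddr keys in the last two hunks inherit the same behaviour once uncommented. Either keep the literal `all` and `default` lines beside each glob, or state in the file header that glob keys in this file yield to literal keys elsewhere.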
@@ -342,15 +340,12 @@ net.ipv4.icmp_ignore_bogus_error_responses=1
 ##
 ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing
 ##
-net.ipv4.conf.all.accept_source_route=0
-net.ipv4.conf.default.accept_source_route=0
-net.ipv6.conf.all.accept_source_route=0
-net.ipv6.conf.default.accept_source_route=0
+net.ipv4.conf.*.accept_source_route=0
+net.ipv6.conf.*.accept_source_route=0
 ## Do not accept IPv6 router advertisements and solicitations.
 ##
-net.ipv6.conf.all.accept_ra=0
-net.ipv6.conf.default.accept_ra=0
+net.ipv6.conf.*.accept_ra=0
 ## Disable SACK and DSACK.
 ## Select acknowledgements (SACKs) are a known common vector of exploitation.
@@ -393,8 +388,7 @@ net.ipv4.tcp_timestamps=0
 ##
 ## The logging of martian packets is currently disabled.
 ##
-#net.ipv4.conf.all.log_martians=1
-#net.ipv4.conf.default.log_martians=1
+#net.ipv4.conf.*.log_martians=1
 ## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses.
 ## The temporary/privacy address is used as the source for all outgoing traffic.
@@ -410,5 +404,4 @@ net.ipv4.tcp_timestamps=0
 ##
 ## The use of IPv6 Privacy Extensions is currently disabled due to these breakages.
 ##
-#net.ipv6.conf.all.use_tempaddr=2
-#net.ipv6.conf.default.use_tempaddr=2
+#net.ipv6.conf.*.use_tempaddr=2
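Review bot: The glob keys introduced here for accept_source_route and accept_ra (as elsewhere in the commit) are a systemd-sysctl feature, so `net.ipv6.conf.*.accept_ra=0` is only known to be applied correctly when this file is loaded by systemd-sysctl; if it is ever applied with procps `sysctl --system` or `sysctl -p`, confirm that the installed procps version expands glob keys, since I believe older releases treat such a key literally and log it as unknown. Glob expansion also happens at the moment the file is processed, so only sysctl nodes that exist then are written; interfaces created later are covered because the `default` node matches the glob and the kernel copies `default` into new devices, and that deserves a one-line comment at the first glob in the file rather than being left to the reader, e.g. `## "*" expands to all, default and every interface present at apply time; later interfaces inherit from default.` The comment blocks these keys belong to begin before this hunk.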