mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-12-23 01:03:35 +07:00
Code Issues Packages Projects Releases Wiki Activity

Provide option to enable ARP filtering

Browse Source
This commit is contained in:
raja-grewal 2024-11-13 05:40:21 +00:00 committed by GitHub
parent c2aae73ce1
commit a25d4f8df8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@ -102,6 +102,9 @@ Networking:
- Disable ICMP redirect acceptance and redirect sending messages to prevent - Disable ICMP redirect acceptance and redirect sending messages to prevent
man-in-the-middle attacks and minimize information disclosure. man-in-the-middle attacks and minimize information disclosure.
- Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP
cache poisoning attacks.
- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning
via man-in-the-middle and denial-of-service attacks. via man-in-the-middle and denial-of-service attacks.

9
usr/lib/sysctl.d/990-security-misc.conf
View File

@ -443,6 +443,15 @@ net.ipv4.conf.*.send_redirects=0
net.ipv6.conf.*.accept_redirects=0 net.ipv6.conf.*.accept_redirects=0
#net.ipv4.conf.*.secure_redirects=1 #net.ipv4.conf.*.secure_redirects=1
## Enable ARP (Address Resolution Protocol) filtering.
## Prevents the Linux kernel from handling the ARP table globally
## Can mitigate some ARP spoofing and ARP cache poisoning attacks.
## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests.
##
## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
##
#net.ipv4.conf.*.arp_filter=1
## Drop gratuitous ARP (Address Resolution Protocol) packets. ## Drop gratuitous ARP (Address Resolution Protocol) packets.
## Stops ARP responses sent by a device without being explicitly requested. ## Stops ARP responses sent by a device without being explicitly requested.
## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. ## Prevents ARP cache poisoning by rejecting fake ARP entries into a network.