mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-12-23 01:13:40 +07:00
Code Issues Packages Projects Releases Wiki Activity

Add reference and move text

Browse Source
This commit is contained in:
raja-grewal 2024-11-13 05:38:03 +00:00 committed by GitHub
parent a1d1f97955
commit c2aae73ce1
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 15 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -102,6 +102,9 @@ Networking:
- Disable ICMP redirect acceptance and redirect sending messages to prevent - Disable ICMP redirect acceptance and redirect sending messages to prevent
man-in-the-middle attacks and minimize information disclosure. man-in-the-middle attacks and minimize information disclosure.
- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning
via man-in-the-middle and denial-of-service attacks.
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
- Ignore bogus ICMP error responses. - Ignore bogus ICMP error responses.
@ -121,9 +124,6 @@ Networking:
- Optional - Enable IPv6 Privacy Extensions. - Optional - Enable IPv6 Privacy Extensions.
- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning
via man-in-the-middle and denial-of-service attacks.
### Boot parameters ### Boot parameters
Mitigations for known CPU vulnerabilities are enabled in their strictest form Mitigations for known CPU vulnerabilities are enabled in their strictest form

23
usr/lib/sysctl.d/990-security-misc.conf
View File

@ -443,6 +443,18 @@ net.ipv4.conf.*.send_redirects=0
net.ipv6.conf.*.accept_redirects=0 net.ipv6.conf.*.accept_redirects=0
#net.ipv4.conf.*.secure_redirects=1 #net.ipv4.conf.*.secure_redirects=1
## Drop gratuitous ARP (Address Resolution Protocol) packets.
## Stops ARP responses sent by a device without being explicitly requested.
## Prevents ARP cache poisoning by rejecting fake ARP entries into a network.
## Prevents man-in-the-middle and denial-of-service attacks.
## May cause breakages when ARP proxies are used in the network.
##
## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/
## https://www.practicalnetworking.net/series/arp/gratuitous-arp/
##
#net.ipv4.conf.*.drop_gratuitous_arp=1
## Ignore ICMP echo requests. ## Ignore ICMP echo requests.
## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
## ##
@ -526,14 +538,3 @@ net.ipv4.tcp_timestamps=0
## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. ## The use of IPv6 Privacy Extensions is currently disabled due to these breakages.
## ##
#net.ipv6.conf.*.use_tempaddr=2 #net.ipv6.conf.*.use_tempaddr=2
## Drop gratuitous ARP (Address Resolution Protocol) packets.
## Stops ARP responses sent by a device without being explicitly requested.
## Prevents ARP cache poisoning by rejecting fake ARP entries into a network.
## Prevents man-in-the-middle and denial-of-service attacks.
## May cause breakages when ARP proxies are used in the network.
##
## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/
## https://www.practicalnetworking.net/series/arp/gratuitous-arp/
##
#net.ipv4.conf.*.drop_gratuitous_arp=1