mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-12-23 01:13:40 +07:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #248 from raja-grewal/secure_redirects

Browse Source 
Re-enable (default) `secure_redirects` for ICMP redirect messages
This commit is contained in:
Patrick Schleizer 2024-08-15 13:46:30 -04:00 committed by GitHub
commit dfd1c97168
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 10 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
README.md
View File

@ -77,9 +77,8 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
- Enable reverse path filtering (source validation) of packets received
from all interfaces to prevent IP spoofing.
- Disable ICMP redirect acceptance and redirect sending messages to
prevent man-in-the-middle attacks and minimize information disclosure. If
ICMP redirect messages are permitted, only do so from approved gateways.
- Disable ICMP redirect acceptance and redirect sending messages to prevent
man-in-the-middle attacks and minimize information disclosure.
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.

14
usr/lib/sysctl.d/990-security-misc.conf
View File

@ -280,8 +280,14 @@ net.ipv4.conf.default.rp_filter=1
## Disable ICMP redirect acceptance and redirect sending messages.
## Prevents man-in-the-middle attacks and minimizes information disclosure.
## If ICMP redirects are permitted, accept messages only through approved gateways (kernel default).
## Approving gateways requires the managing of a default gateway list.
##
## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing
## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html
## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
## https://github.com/Kicksecure/security-misc/pull/248
##
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
@ -289,12 +295,8 @@ net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
## Accept ICMP redirect messages only for approved gateways.
## If ICMP redirect messages are permitted, only useful if managing a default gateway list.
##
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
#net.ipv4.conf.all.secure_redirects=1
#net.ipv4.conf.default.secure_redirects=1
## Ignore ICMP echo requests.
## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.