mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-22 21:03:44 +07:00
Merge pull request #279 from raja-grewal/arp
Provide network-related hardening options via `sysctl`'s
This commit is contained in:
commit
e5b67e044b
12
README.md
12
README.md
@ -102,6 +102,18 @@ Networking:
|
||||
- Disable ICMP redirect acceptance and redirect sending messages to prevent
|
||||
man-in-the-middle attacks and minimize information disclosure.
|
||||
|
||||
- Optional - Deny sending and receiving shared media redirects to reduce
|
||||
the risk of IP spoofing attacks.
|
||||
|
||||
- Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP
|
||||
cache poisoning attacks.
|
||||
|
||||
- Optional - Respond to ARP requests only if the target IP address is
|
||||
on-link, preventing some IP spoofing attacks.
|
||||
|
||||
- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning
|
||||
via man-in-the-middle and denial-of-service attacks.
|
||||
|
||||
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
|
||||
|
||||
- Ignore bogus ICMP error responses.
|
||||
|
@ -443,6 +443,48 @@ net.ipv4.conf.*.send_redirects=0
|
||||
net.ipv6.conf.*.accept_redirects=0
|
||||
#net.ipv4.conf.*.secure_redirects=1
|
||||
|
||||
## Deny sending and receiving RFC1620 shared media redirects.
|
||||
## Relevant mainly for network interfaces that operate over shared media such as Ethernet hubs.
|
||||
## Stops the kernel from sending ICMP redirects to specific networks from the connected network.
|
||||
## This variable overrides the use secure_redirects.
|
||||
##
|
||||
## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
|
||||
## https://datatracker.ietf.org/doc/html/rfc1620
|
||||
## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
|
||||
##
|
||||
#net.ipv4.conf.*.shared_media=0
|
||||
|
||||
## Enable ARP (Address Resolution Protocol) filtering.
|
||||
## Prevents the Linux kernel from handling the ARP table globally
|
||||
## Can mitigate some ARP spoofing and ARP cache poisoning attacks.
|
||||
## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests.
|
||||
##
|
||||
## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
|
||||
##
|
||||
#net.ipv4.conf.*.arp_filter=1
|
||||
|
||||
## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link.
|
||||
## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses.
|
||||
##
|
||||
## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
|
||||
## https://github.com/mullvad/mullvadvpn-app/blob/main/audits/2024-12-10-X41-D-Sec.md#mllvd-cr-24-03-virtual-ip-address-of-tunnel-device-leaks-to-network-adjacent-participant-severity-medium
|
||||
## https://github.com/mullvad/mullvadvpn-app/pull/7141
|
||||
## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf
|
||||
##
|
||||
#net.ipv4.conf.*.arp_ignore=2
|
||||
|
||||
## Drop gratuitous ARP (Address Resolution Protocol) packets.
|
||||
## Stops ARP responses sent by a device without being explicitly requested.
|
||||
## Prevents ARP cache poisoning by rejecting fake ARP entries into a network.
|
||||
## Prevents man-in-the-middle and denial-of-service attacks.
|
||||
## May cause breakages when ARP proxies are used in the network.
|
||||
##
|
||||
## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
|
||||
## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/
|
||||
## https://www.practicalnetworking.net/series/arp/gratuitous-arp/
|
||||
##
|
||||
#net.ipv4.conf.*.drop_gratuitous_arp=1
|
||||
|
||||
## Ignore ICMP echo requests.
|
||||
## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
|
||||
##
|
||||
|
Loading…
Reference in New Issue
Block a user