Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

Show details regarding secure_redirects (again)

Browse Source
This commit is contained in:
Raja Grewal 2024-07-27 14:00:30 +10:00
parent 88c88187f2
commit 1445457626
No known key found for this signature in database
GPG Key ID: 92CA473C156B64C4
2 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@ -72,7 +72,8 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
from all interfaces to prevent IP spoofing. from all interfaces to prevent IP spoofing.
- Disable ICMP redirect acceptance and redirect sending messages to - Disable ICMP redirect acceptance and redirect sending messages to
prevent man-in-the-middle attacks and minimize information disclosure. prevent man-in-the-middle attacks and minimize information disclosure. If
ICMP redirect messages are permitted, only do so from approved gateways.
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.

6
usr/lib/sysctl.d/990-security-misc.conf
View File

@ -272,6 +272,12 @@ net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0
## Accept ICMP redirect messages only for approved gateways.
## If ICMP redirect messages are permitted, only useful if managing a default gateway list.
##
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.default.secure_redirects=1
## Ignore ICMP echo requests. ## Ignore ICMP echo requests.
## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
## ##