mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-02-10 11:08:30 -05:00
Provide option to harden response to ARP requests
This commit is contained in:
raja-grewal
GitHub
parent
a25d4f8df8
commit
18aec201bf
@ -105,6 +105,9 @@ Networking:
|
|||||||
- Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP
|
- Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP
|
||||||
cache poisoning attacks.
|
cache poisoning attacks.
|
||||||
|
|
||||||
|
- Optional - Respond to ARP requests only if the target IP address is
|
||||||
|
on-link, preventing some IP spoofing attacks.
|
||||||
|
|
||||||
- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning
|
- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning
|
||||||
via man-in-the-middle and denial-of-service attacks.
|
via man-in-the-middle and denial-of-service attacks.
|
||||||
|
|
||||||
|
|||||||
@ -452,6 +452,13 @@ net.ipv6.conf.*.accept_redirects=0
|
|||||||
##
|
##
|
||||||
#net.ipv4.conf.*.arp_filter=1
|
#net.ipv4.conf.*.arp_filter=1
|
||||||
|
|
||||||
|
## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link.
|
||||||
|
## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses.
|
||||||
|
##
|
||||||
|
## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
|
||||||
|
##
|
||||||
|
#net.ipv4.conf.*.arp_ignore=2
|
||||||
|
|
||||||
## Drop gratuitous ARP (Address Resolution Protocol) packets.
|
## Drop gratuitous ARP (Address Resolution Protocol) packets.
|
||||||
## Stops ARP responses sent by a device without being explicitly requested.
|
## Stops ARP responses sent by a device without being explicitly requested.
|
||||||
## Prevents ARP cache poisoning by rejecting fake ARP entries into a network.
|
## Prevents ARP cache poisoning by rejecting fake ARP entries into a network.
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user