diff --git a/debian/control b/debian/control index a464eaf..8a4f6c7 100644 --- a/debian/control +++ b/debian/control @@ -43,8 +43,9 @@ Description: enhances misc security settings * The TCP/IP stack is hardened by disabling ICMP redirect acceptance, ICMP redirect sending and source routing to prevent man-in-the-middle attacks, ignoring all ICMP requests, enabling TCP syncookies to prevent SYN flood - attacks and enabling RFC1337 to protect against time-wait assassination - attacks. + attacks, enabling RFC1337 to protect against time-wait assassination + attacks and enabling reverse path filtering to prevent IP spoofing and + mitigate vulnerabilities such as CVE-2019-14899. . * Some data spoofing attacks are made harder. . diff --git a/etc/sysctl.d/tcp_hardening.conf b/etc/sysctl.d/tcp_hardening.conf index 699fafb..7174c2d 100644 --- a/etc/sysctl.d/tcp_hardening.conf +++ b/etc/sysctl.d/tcp_hardening.conf @@ -33,4 +33,9 @@ net.ipv4.tcp_syncookies=1 net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 +## Enable reverse path filtering to prevent IP spoofing and +## mitigate vulnerabilities such as CVE-2019-14899. +net.ipv4.conf.default.rp_filter=1 +net.ipv4.conf.all.rp_filter=1 + #### meta end