Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-11-25 17:06:45 -05:00
Code Issues Projects Releases Packages Wiki Activity

Merge remote-tracking branch 'raja/bad_ipv6_ra' into arraybolt3/trixie

Browse source
This commit is contained in:
Aaron Rainbolt 2025-10-15 19:01:08 -05:00
commit 29639fe69e
No known key found for this signature in database
GPG key ID: A709160D73C79109
2 changed files with 12 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

10
usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
View file

@ -521,7 +521,15 @@ net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.*.accept_source_route=0
net.ipv6.conf.*.accept_source_route=0
## Do not accept IPv6 router advertisements and solicitations.
## Do not accept IPv6 router advertisements (RAs) and solicitations.
## RAs are unsecured and unauthenticated and any device on the local link can send and accept them without verification.
## Malicious RAs can activate IPv6 connectivity on dormant hosts leading to unauthorized access.
## Flooding the network with malicious RAs can lead to denial of service attacks.
## Rogue RAs can lead to interception of all network traffic by setting the attacker's system as the default gateway.
##
## https://datatracker.ietf.org/doc/html/rfc6104
## https://datatracker.ietf.org/doc/html/rfc6105
## https://archive.conference.hitb.org/hitbsecconf2012kul/materials/D1T2%20-%20Marc%20Heuse%20-%20IPv6%20Insecurity%20Revolutions.pdf
##
net.ipv6.conf.*.accept_ra=0