mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-10-01 08:25:45 -04:00
Re-enable (default) secure_redirects
for ICMP redirect messages
This commit is contained in:
parent
d2563ed923
commit
88c88187f2
@ -72,8 +72,7 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
|
|||||||
from all interfaces to prevent IP spoofing.
|
from all interfaces to prevent IP spoofing.
|
||||||
|
|
||||||
- Disable ICMP redirect acceptance and redirect sending messages to
|
- Disable ICMP redirect acceptance and redirect sending messages to
|
||||||
prevent man-in-the-middle attacks and minimize information disclosure. If
|
prevent man-in-the-middle attacks and minimize information disclosure.
|
||||||
ICMP redirect messages are permitted, only do so from approved gateways.
|
|
||||||
|
|
||||||
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
|
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
|
||||||
|
|
||||||
|
@ -260,6 +260,9 @@ net.ipv4.conf.default.rp_filter=1
|
|||||||
## Disable ICMP redirect acceptance and redirect sending messages.
|
## Disable ICMP redirect acceptance and redirect sending messages.
|
||||||
## Prevents man-in-the-middle attacks and minimizes information disclosure.
|
## Prevents man-in-the-middle attacks and minimizes information disclosure.
|
||||||
##
|
##
|
||||||
|
## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing
|
||||||
|
## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
|
||||||
|
## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html
|
||||||
## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
|
## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
|
||||||
##
|
##
|
||||||
net.ipv4.conf.all.accept_redirects=0
|
net.ipv4.conf.all.accept_redirects=0
|
||||||
@ -269,12 +272,6 @@ net.ipv4.conf.default.send_redirects=0
|
|||||||
net.ipv6.conf.all.accept_redirects=0
|
net.ipv6.conf.all.accept_redirects=0
|
||||||
net.ipv6.conf.default.accept_redirects=0
|
net.ipv6.conf.default.accept_redirects=0
|
||||||
|
|
||||||
## Accept ICMP redirect messages only for approved gateways.
|
|
||||||
## If ICMP redirect messages are permitted, only useful if managing a default gateway list.
|
|
||||||
##
|
|
||||||
net.ipv4.conf.all.secure_redirects=0
|
|
||||||
net.ipv4.conf.default.secure_redirects=0
|
|
||||||
|
|
||||||
## Ignore ICMP echo requests.
|
## Ignore ICMP echo requests.
|
||||||
## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
|
## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
|
||||||
##
|
##
|
||||||
|
Loading…
Reference in New Issue
Block a user