From 88c88187f2909322211cc08598717068ea7cf1d1 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 24 Jul 2024 17:26:50 +1000 Subject: [PATCH 1/4] Re-enable (default) `secure_redirects` for ICMP redirect messages --- README.md | 3 +-- usr/lib/sysctl.d/990-security-misc.conf | 9 +++------ 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 5e029c8..02fd18e 100644 --- a/README.md +++ b/README.md @@ -72,8 +72,7 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. from all interfaces to prevent IP spoofing. - Disable ICMP redirect acceptance and redirect sending messages to - prevent man-in-the-middle attacks and minimize information disclosure. If - ICMP redirect messages are permitted, only do so from approved gateways. + prevent man-in-the-middle attacks and minimize information disclosure. - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 7b07033..8fe680c 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -260,6 +260,9 @@ net.ipv4.conf.default.rp_filter=1 ## Disable ICMP redirect acceptance and redirect sending messages. ## Prevents man-in-the-middle attacks and minimizes information disclosure. ## +## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing +## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html +## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html ## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked ## net.ipv4.conf.all.accept_redirects=0 @@ -269,12 +272,6 @@ net.ipv4.conf.default.send_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 -## Accept ICMP redirect messages only for approved gateways. -## If ICMP redirect messages are permitted, only useful if managing a default gateway list. -## -net.ipv4.conf.all.secure_redirects=0 -net.ipv4.conf.default.secure_redirects=0 - ## Ignore ICMP echo requests. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. ## From 144545762674e914046bb94100237329320e8ece Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 27 Jul 2024 14:00:30 +1000 Subject: [PATCH 2/4] Show details regarding `secure_redirects` (again) --- README.md | 3 ++- usr/lib/sysctl.d/990-security-misc.conf | 6 ++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 02fd18e..5e029c8 100644 --- a/README.md +++ b/README.md @@ -72,7 +72,8 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. from all interfaces to prevent IP spoofing. - Disable ICMP redirect acceptance and redirect sending messages to - prevent man-in-the-middle attacks and minimize information disclosure. + prevent man-in-the-middle attacks and minimize information disclosure. If + ICMP redirect messages are permitted, only do so from approved gateways. - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 8fe680c..39d0539 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -272,6 +272,12 @@ net.ipv4.conf.default.send_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 +## Accept ICMP redirect messages only for approved gateways. +## If ICMP redirect messages are permitted, only useful if managing a default gateway list. +## +net.ipv4.conf.all.secure_redirects=1 +net.ipv4.conf.default.secure_redirects=1 + ## Ignore ICMP echo requests. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. ## From 4f7f82016015f61002ac8f778b61968c572dc7dc Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 5 Aug 2024 14:16:33 +1000 Subject: [PATCH 3/4] Add reference --- usr/lib/sysctl.d/990-security-misc.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 39d0539..ba33bae 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -275,6 +275,8 @@ net.ipv6.conf.default.accept_redirects=0 ## Accept ICMP redirect messages only for approved gateways. ## If ICMP redirect messages are permitted, only useful if managing a default gateway list. ## +## https://github.com/Kicksecure/security-misc/pull/248 +## net.ipv4.conf.all.secure_redirects=1 net.ipv4.conf.default.secure_redirects=1 From ec3038c7bc625f6c8eddb753ffe295ff2697a717 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 7 Aug 2024 13:48:53 +1000 Subject: [PATCH 4/4] Clarify `secure_redirects` --- README.md | 5 ++--- usr/lib/sysctl.d/990-security-misc.conf | 13 +++++-------- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 5e029c8..4c31d90 100644 --- a/README.md +++ b/README.md @@ -71,9 +71,8 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Enable reverse path filtering (source validation) of packets received from all interfaces to prevent IP spoofing. -- Disable ICMP redirect acceptance and redirect sending messages to - prevent man-in-the-middle attacks and minimize information disclosure. If - ICMP redirect messages are permitted, only do so from approved gateways. +- Disable ICMP redirect acceptance and redirect sending messages to prevent + man-in-the-middle attacks and minimize information disclosure. - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index ba33bae..9efb03a 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -259,11 +259,14 @@ net.ipv4.conf.default.rp_filter=1 ## Disable ICMP redirect acceptance and redirect sending messages. ## Prevents man-in-the-middle attacks and minimizes information disclosure. +## If ICMP redirects are permitted, accept messages only through approved gateways (kernel default). +## Approving gateways requires the managing of a default gateway list. ## ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing ## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html ## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html ## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked +## https://github.com/Kicksecure/security-misc/pull/248 ## net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 @@ -271,14 +274,8 @@ net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 - -## Accept ICMP redirect messages only for approved gateways. -## If ICMP redirect messages are permitted, only useful if managing a default gateway list. -## -## https://github.com/Kicksecure/security-misc/pull/248 -## -net.ipv4.conf.all.secure_redirects=1 -net.ipv4.conf.default.secure_redirects=1 +#net.ipv4.conf.all.secure_redirects=1 +#net.ipv4.conf.default.secure_redirects=1 ## Ignore ICMP echo requests. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.