From a25d4f8df88908e83e56049204aa625f1196a948 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 13 Nov 2024 05:40:21 +0000 Subject: [PATCH] Provide option to enable ARP filtering --- README.md | 3 +++ usr/lib/sysctl.d/990-security-misc.conf | 9 +++++++++ 2 files changed, 12 insertions(+) diff --git a/README.md b/README.md index e167a87..baa450d 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,9 @@ Networking: - Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimize information disclosure. +- Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP + cache poisoning attacks. + - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 054dcbf..52d31de 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -443,6 +443,15 @@ net.ipv4.conf.*.send_redirects=0 net.ipv6.conf.*.accept_redirects=0 #net.ipv4.conf.*.secure_redirects=1 +## Enable ARP (Address Resolution Protocol) filtering. +## Prevents the Linux kernel from handling the ARP table globally +## Can mitigate some ARP spoofing and ARP cache poisoning attacks. +## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## +#net.ipv4.conf.*.arp_filter=1 + ## Drop gratuitous ARP (Address Resolution Protocol) packets. ## Stops ARP responses sent by a device without being explicitly requested. ## Prevents ARP cache poisoning by rejecting fake ARP entries into a network.