From 88c88187f2909322211cc08598717068ea7cf1d1 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 24 Jul 2024 17:26:50 +1000
Subject: [PATCH 1/5] Re-enable (default) `secure_redirects` for ICMP redirect messages
---
README.md | 3 +--
usr/lib/sysctl.d/990-security-misc.conf | 9 +++------
2 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 5e029c8..02fd18e 100644
--- a/README.md
+++ b/README.md
@@ -72,8 +72,7 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
from all interfaces to prevent IP spoofing.
- Disable ICMP redirect acceptance and redirect sending messages to
- prevent man-in-the-middle attacks and minimize information disclosure. If
- ICMP redirect messages are permitted, only do so from approved gateways.
+ prevent man-in-the-middle attacks and minimize information disclosure.
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 7b07033..8fe680c 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -260,6 +260,9 @@ net.ipv4.conf.default.rp_filter=1
## Disable ICMP redirect acceptance and redirect sending messages.
## Prevents man-in-the-middle attacks and minimizes information disclosure.
##
+## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing
+## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
+## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html
## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
##
net.ipv4.conf.all.accept_redirects=0
@@ -269,12 +272,6 @@ net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
-## Accept ICMP redirect messages only for approved gateways.
-## If ICMP redirect messages are permitted, only useful if managing a default gateway list.
-##
-net.ipv4.conf.all.secure_redirects=0
-net.ipv4.conf.default.secure_redirects=0
-
## Ignore ICMP echo requests.
## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
##

From 144545762674e914046bb94100237329320e8ece Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sat, 27 Jul 2024 14:00:30 +1000
Subject: [PATCH 2/5] Show details regarding `secure_redirects` (again)
---
README.md | 3 ++-
usr/lib/sysctl.d/990-security-misc.conf | 6 ++++++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 02fd18e..5e029c8 100644
--- a/README.md
+++ b/README.md
@@ -72,7 +72,8 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
from all interfaces to prevent IP spoofing.
- Disable ICMP redirect acceptance and redirect sending messages to
- prevent man-in-the-middle attacks and minimize information disclosure.
+ prevent man-in-the-middle attacks and minimize information disclosure. If
+ ICMP redirect messages are permitted, only do so from approved gateways.
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 8fe680c..39d0539 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -272,6 +272,12 @@ net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
+## Accept ICMP redirect messages only for approved gateways.
+## If ICMP redirect messages are permitted, only useful if managing a default gateway list.
+##
+net.ipv4.conf.all.secure_redirects=1
+net.ipv4.conf.default.secure_redirects=1
+
## Ignore ICMP echo requests.
## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
##

From 4f7f82016015f61002ac8f778b61968c572dc7dc Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 5 Aug 2024 14:16:33 +1000
Subject: [PATCH 3/5] Add reference
---
usr/lib/sysctl.d/990-security-misc.conf | 2 ++
1 file changed, 2 insertions(+)
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 39d0539..ba33bae 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -275,6 +275,8 @@ net.ipv6.conf.default.accept_redirects=0
## Accept ICMP redirect messages only for approved gateways.
## If ICMP redirect messages are permitted, only useful if managing a default gateway list.
##
+## https://github.com/Kicksecure/security-misc/pull/248
+##
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.default.secure_redirects=1

From ec3038c7bc625f6c8eddb753ffe295ff2697a717 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 7 Aug 2024 13:48:53 +1000
Subject: [PATCH 4/5] Clarify `secure_redirects`
---
README.md | 5 ++---
usr/lib/sysctl.d/990-security-misc.conf | 13 +++++--------
2 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/README.md b/README.md
index 5e029c8..4c31d90 100644
--- a/README.md
+++ b/README.md
@@ -71,9 +71,8 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
- Enable reverse path filtering (source validation) of packets received
from all interfaces to prevent IP spoofing.
-- Disable ICMP redirect acceptance and redirect sending messages to
- prevent man-in-the-middle attacks and minimize information disclosure. If
- ICMP redirect messages are permitted, only do so from approved gateways.
+- Disable ICMP redirect acceptance and redirect sending messages to prevent
+ man-in-the-middle attacks and minimize information disclosure.
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index ba33bae..9efb03a 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -259,11 +259,14 @@ net.ipv4.conf.default.rp_filter=1
## Disable ICMP redirect acceptance and redirect sending messages.
## Prevents man-in-the-middle attacks and minimizes information disclosure.
+## If ICMP redirects are permitted, accept messages only through approved gateways (kernel default).
+## Approving gateways requires the managing of a default gateway list.
##
## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing
## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html
## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
+## https://github.com/Kicksecure/security-misc/pull/248
##
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
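Review bot: The two comment lines added after `## Prevents man-in-the-middle attacks and minimizes information disclosure.` describe the `secure_redirects` fallback without naming the sysctl or its scope, and they sit in a block that also covers the `net.ipv6.conf.*.accept_redirects=0` lines, so a reader may assume IPv6 has the same approved-gateway fallback; as far as I know the kernel exposes `secure_redirects` for IPv4 only, and IPv6 relies entirely on `accept_redirects=0`. I would name the knob and its scope, e.g. `## net.ipv4.conf.*.secure_redirects (IPv4 only) provides this fallback and is only consulted when accept_redirects is enabled.`. `requires the managing of a default gateway list` also reads awkwardly; `requires maintaining a default gateway list` says the same thing.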
@@ -271,14 +274,8 @@ net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
-
-## Accept ICMP redirect messages only for approved gateways.
-## If ICMP redirect messages are permitted, only useful if managing a default gateway list.
-##
-## https://github.com/Kicksecure/security-misc/pull/248
-##
-net.ipv4.conf.all.secure_redirects=1
-net.ipv4.conf.default.secure_redirects=1
+#net.ipv4.conf.all.secure_redirects=1
+#net.ipv4.conf.default.secure_redirects=1
## Ignore ICMP echo requests.
## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.

From 4bc12b07b42def786862b938e3f63c18cf874158 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 15 Aug 2024 17:51:18 +0000
Subject: [PATCH 5/5] bumped changelog version
---
changelog.upstream | 46 ++++++++++++++++++++++++++++++++++++++++++++++
debian/changelog | 6 ++++++
2 files changed, 52 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 81a58c9..7bab75d 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,31 @@
+commit 9e61e37c17524b57f185b796f2ac19ba193205a8
+Merge: 89e816d dfd1c97
+Author: Patrick Schleizer
+Date: Thu Aug 15 13:47:33 2024 -0400
+
+ Merge remote-tracking branch 'github-kicksecure/master'
+
+commit dfd1c97168249b229495cbd873d4d8493e244663
+Merge: 89e816d ec3038c
+Author: Patrick Schleizer
+Date: Thu Aug 15 13:46:30 2024 -0400
+
+ Merge pull request #248 from raja-grewal/secure_redirects
+
+ Re-enable (default) `secure_redirects` for ICMP redirect messages
+
+commit ec3038c7bc625f6c8eddb753ffe295ff2697a717
+Author: Raja Grewal
+Date: Wed Aug 7 13:48:53 2024 +1000
+
+ Clarify `secure_redirects`
+
+commit 89e816dda6c5a00512b276071c4d9fe108ee63b5
+Author: Patrick Schleizer
+Date: Tue Aug 6 14:01:39 2024 +0000
+
+ bumped changelog version
+
commit 967f9e257b09bc73ddb579292d507f7cb9832643
Merge: fa90918 a25aaf9
Author: Patrick Schleizer
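Review bot: Replacing `net.ipv4.conf.all.secure_redirects=1` and `net.ipv4.conf.default.secure_redirects=1` with commented-out copies means this file no longer pins the value, so the approved-gateway fallback described in the comment block earlier in the file is whatever the kernel default and any other sysctl.d fragment leave it at, and the two commented lines carry no explanation of why they are disabled. A one-line comment directly above them, e.g. `## Left at the kernel default (1); has no effect while accept_redirects=0 above, re-enable if redirects are ever permitted.`, would keep the intent next to the lines themselves. The hunk also drops the blank line that separated this block from the IPv6 `accept_redirects` lines, so the commented pair now reads as part of that block. Since `accept_redirects=0` is the control that actually blocks redirect-based MITM here, verifying the applied state should check that key rather than the commented ones.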
@@ -65,6 +93,12 @@ Date: Mon Aug 5 14:27:17 2024 +1000
Enable `slab_debug=FZ`
+commit 4f7f82016015f61002ac8f778b61968c572dc7dc
+Author: Raja Grewal
+Date: Mon Aug 5 14:16:33 2024 +1000
+
+ Add reference
+
commit fa9091869d417c6494840d0cb32623037d70c8be
Merge: 06f0c27 725118c
Author: Patrick Schleizer
@@ -197,6 +231,12 @@ Date: Sat Jul 27 12:13:18 2024 -0400
output
+commit 144545762674e914046bb94100237329320e8ece
+Author: Raja Grewal
+Date: Sat Jul 27 14:00:30 2024 +1000
+
+ Show details regarding `secure_redirects` (again)
+
commit 73979d4342dae2017be52d5182bb66fa28be398d
Author: Raja Grewal
Date: Sat Jul 27 13:28:59 2024 +1000
@@ -601,6 +641,12 @@ Date: Wed Jul 24 09:13:48 2024 -0400
Merge remote-tracking branch 'ben-grande/fuzz'
+commit 88c88187f2909322211cc08598717068ea7cf1d1
+Author: Raja Grewal
+Date: Wed Jul 24 17:26:50 2024 +1000
+
+ Re-enable (default) `secure_redirects` for ICMP redirect messages
+
commit 8be21b6eff40fdd3909ef63468463fc52e8bf45f
Author: Ben Grande
Date: Tue Jul 23 19:36:12 2024 +0200
diff --git a/debian/changelog b/debian/changelog
index 50c5315..9f574d5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:38.9-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Thu, 15 Aug 2024 17:51:18 +0000
+
security-misc (3:38.8-1) unstable; urgency=medium
* New upstream version (local package).