Merge branch 'Kicksecure:master' into docs

2025-04-26 09:49:10 -04:00 · 2024-08-16 11:45:43 +10:00 · 2024-08-16 11:45:43 +10:00 · be9308e490
commit be9308e490
parent 73db68dbf9 4bc12b07b4
4 changed files with 62 additions and 9 deletions
--- a/README.md
+++ b/README.md
@ -79,9 +79,8 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
 - Enable reverse path filtering (source validation) of packets received
  from all interfaces to prevent IP spoofing.

- Disable ICMP redirect acceptance and redirect sending messages to
-  prevent man-in-the-middle attacks and minimize information disclosure. If
-  ICMP redirect messages are permitted, only do so from approved gateways.
+- Disable ICMP redirect acceptance and redirect sending messages to prevent
+  man-in-the-middle attacks and minimize information disclosure.

 - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.

--- a/changelog.upstream
+++ b/changelog.upstream
@ -1,3 +1,31 @@
+commit 9e61e37c17524b57f185b796f2ac19ba193205a8
+Merge: 89e816d dfd1c97
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Aug 15 13:47:33 2024 -0400
+
+    Merge remote-tracking branch 'github-kicksecure/master'
+
+commit dfd1c97168249b229495cbd873d4d8493e244663
+Merge: 89e816d ec3038c
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Thu Aug 15 13:46:30 2024 -0400
+
+    Merge pull request #248 from raja-grewal/secure_redirects
+    
+    Re-enable (default) `secure_redirects` for ICMP redirect messages
+
+commit ec3038c7bc625f6c8eddb753ffe295ff2697a717
+Author: Raja Grewal <rg_public@proton.me>
+Date:   Wed Aug 7 13:48:53 2024 +1000
+
+    Clarify `secure_redirects`
+
+commit 89e816dda6c5a00512b276071c4d9fe108ee63b5
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Tue Aug 6 14:01:39 2024 +0000
+
+    bumped changelog version
+
 commit 967f9e257b09bc73ddb579292d507f7cb9832643
 Merge: fa90918 a25aaf9
 Author: Patrick Schleizer <adrelanos@whonix.org>
@ -65,6 +93,12 @@ Date:   Mon Aug 5 14:27:17 2024 +1000

    Enable `slab_debug=FZ`

+commit 4f7f82016015f61002ac8f778b61968c572dc7dc
+Author: Raja Grewal <rg_public@proton.me>
+Date:   Mon Aug 5 14:16:33 2024 +1000
+
+    Add reference
+
 commit fa9091869d417c6494840d0cb32623037d70c8be
 Merge: 06f0c27 725118c
 Author: Patrick Schleizer <adrelanos@whonix.org>
@ -197,6 +231,12 @@ Date:   Sat Jul 27 12:13:18 2024 -0400

    output

+commit 144545762674e914046bb94100237329320e8ece
+Author: Raja Grewal <rg_public@proton.me>
+Date:   Sat Jul 27 14:00:30 2024 +1000
+
+    Show details regarding `secure_redirects` (again)
+
 commit 73979d4342dae2017be52d5182bb66fa28be398d
 Author: Raja Grewal <rg_public@proton.me>
 Date:   Sat Jul 27 13:28:59 2024 +1000
@ -601,6 +641,12 @@ Date:   Wed Jul 24 09:13:48 2024 -0400

    Merge remote-tracking branch 'ben-grande/fuzz'

+commit 88c88187f2909322211cc08598717068ea7cf1d1
+Author: Raja Grewal <rg_public@proton.me>
+Date:   Wed Jul 24 17:26:50 2024 +1000
+
+    Re-enable (default) `secure_redirects` for ICMP redirect messages
+
 commit 8be21b6eff40fdd3909ef63468463fc52e8bf45f
 Author: Ben Grande <ben.grande.b@gmail.com>
 Date:   Tue Jul 23 19:36:12 2024 +0200
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,9 @@
+security-misc (3:38.9-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Thu, 15 Aug 2024 17:51:18 +0000
+
 security-misc (3:38.8-1) unstable; urgency=medium

  * New upstream version (local package).
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@ -284,8 +284,14 @@ net.ipv4.conf.default.rp_filter=1

 ## Disable ICMP redirect acceptance and redirect sending messages.
 ## Prevents man-in-the-middle attacks and minimizes information disclosure.
+## If ICMP redirects are permitted, accept messages only through approved gateways (kernel default).
+## Approving gateways requires the managing of a default gateway list.
 ##
+## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing
+## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
+## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html
 ## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
+## https://github.com/Kicksecure/security-misc/pull/248
 ##
 net.ipv4.conf.all.accept_redirects=0
 net.ipv4.conf.default.accept_redirects=0
@ -293,12 +299,8 @@ net.ipv4.conf.all.send_redirects=0
 net.ipv4.conf.default.send_redirects=0
 net.ipv6.conf.all.accept_redirects=0
 net.ipv6.conf.default.accept_redirects=0
-
-## Accept ICMP redirect messages only for approved gateways.
-## If ICMP redirect messages are permitted, only useful if managing a default gateway list.
-##
-net.ipv4.conf.all.secure_redirects=0
-net.ipv4.conf.default.secure_redirects=0
+#net.ipv4.conf.all.secure_redirects=1
+#net.ipv4.conf.default.secure_redirects=1

 ## Ignore ICMP echo requests.
 ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.