Network stack
- IPv6 redirects
- IPv6 router advertisements
- IPv6 support automatic loading
- Source-routed packets
- Ignore bogus ICMP error responses
- Accepting ICMP redirects
- Use reverse path filtering
- Accepting secure redirects
- TCP Syncookies
- Log Martian packets
- ICMP broadcast echo requests
- IP forwarding
- Sending ICMP redirects
An illicit ICMP redirect message could result in a man-in-the-middle attack.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.all.accept_redirects = 0
# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.default.accept_redirects = 0
C2S/CIS: CCE-80181-1 (Unknown)
An illicit router advertisement message could result in a man-in-the-middle attack.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.default.accept_ra = 0
C2S/CIS: CCE-80181-1 (Unknown)
# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.all.accept_ra = 0
C2S/CIS: CCE-80180-3 (Unknown)
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.all.disable_ipv6 = 1
Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.default.accept_source_route = 0
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.all.accept_source_route = 0
Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.icmp_ignore_bogus_error_responses = 1
C2S/CIS: CCE-80166-2 (Unknown)
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.default.accept_redirects = 0
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.all.accept_redirects = 0
Enabling reverse path filtering drops packets whose source address could not legitimately have arrived on the interface they were received on.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.default.rp_filter = 1
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.all.rp_filter = 1
Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.default.secure_redirects = 0
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.all.secure_redirects = 0
A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state.
TCP SYN cookies are activated when a flood condition is detected, and enable the system to continue servicing valid connection requests.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.tcp_syncookies = 1
The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.default.log_martians = 1
C2S/CIS: CCE-80161-3 (Unknown)
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.all.log_martians = 1
C2S/CIS: CCE-80160-5 (Unknown)
Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.icmp_echo_ignore_broadcasts = 1
C2S/CIS: CCE-80165-4 (Unknown)
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.ip_forward = 0
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.default.send_redirects = 0
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.all.send_redirects = 0
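An added check (example code written for this page, not part of the guide): a POSIX sh function that reads a fragment in the sysctl.d syntax used above and compares each key with the running kernel's value under /proc/sys, so a file on disk that was never applied, or a value later overridden, shows up as MISMATCH. The alternate /proc/sys root and the sample fragment are constructed for the example.

```shell
# Added example (not from the guide): audit the live kernel against a sysctl.d
# fragment such as the network-stack.conf assembled on this page.
# audit_sysctl FILE [ROOT] reads "key = value" lines ('#' comments and blank lines
# ignored) and compares each with the value under ROOT (default /proc/sys),
# honouring sysctl(8) key syntax: '.' becomes '/' and a '/' in the key (the escape
# for a dot inside an interface name, e.g. eth0/100) becomes '.'.
# Prints OK / MISMATCH / MISSING per key; returns the number of keys not at the
# expected value, so 0 means the host matches the fragment.
audit_sysctl() {
    conf="$1"
    root="${2:-/proc/sys}"
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                  # drop comment text
        case "$line" in
            *=*) ;;                         # key = value assignment
            *) continue ;;                  # blank or comment-only line
        esac
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*$//; s/^[[:space:]]*//')
        want=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        path="$root/$(printf '%s' "$key" | tr './' '/.')"
        if [ ! -r "$path" ]; then
            printf 'MISSING  %s (expected %s)\n' "$key" "$want"
            bad=$((bad + 1))
            continue
        fi
        have=$(tr '\t' ' ' < "$path")       # multi-value keys are tab-separated in /proc
        if [ "$have" = "$want" ]; then
            printf 'OK       %s = %s\n' "$key" "$have"
        else
            printf 'MISMATCH %s = %s (expected %s)\n' "$key" "$have" "$want"
            bad=$((bad + 1))
        fi
    done < "$conf"
    return "$bad"
}

# Constructed sample fragment using IPv4 keys from this page; on a Linux host run
#   write_sample_conf /tmp/network-stack.conf && audit_sysctl /tmp/network-stack.conf
write_sample_conf() {
    cat > "$1" <<'EOF'
# network-stack.conf (constructed sample)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.ip_forward = 0
EOF
}
```

Run it after `sysctl --system` (or a reboot) as well as before: a non-zero return means the kernel is not actually enforcing what the file promises.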
The Practical Linux Hardening Guide provides a high-level overview of hardening GNU/Linux systems. It is not an official standard or handbook, but it touches on and uses industry standards.