From 7268d1ae146bb9aa5e23ee3330457a4eb5a71fd8 Mon Sep 17 00:00:00 2001 From: zshi Date: Wed, 29 Mar 2017 16:17:46 +0800 Subject: [PATCH] Add network sysctl tweaks for security * Disable Kernel Parameter for Sending ICMP Redirects: - net.ipv4.conf.default.send_redirects = 0 - net.ipv4.conf.all.send_redirects = 0 Rationale: An attacker could use a compromised host to send invalid ICMP redirects to other router devices in an attempt to corrupt routing and have users access a system set up by the attacker as opposed to a valid system. * Disable Kernel Parameter for Accepting ICMP Redirects: - net.ipv4.conf.default.accept_redirects = 0 Rationale: Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured. * Disable Kernel Parameter for secure ICMP Redirects: - net.ipv4.conf.default.secure_redirects = 0 - net.ipv4.conf.all.secure_redirects = 0 Rationale: Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure. * Enable Kernel Parameter to log suspicious packets: - net.ipv4.conf.default.log_martians = 1 - net.ipv4.conf.all.log_martians = 1 Rationale: Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system. * Ensure IPv6 redirects are not accepted by Default - net.ipv6.conf.all.accept_redirects = 0 - net.ipv6.conf.default.accept_redirects = 0 Rationale: It is recommended that systems not accept ICMP redirects as they could be tricked into routing traffic to compromised machines. Setting hard routes within the system (usually a single default route to a trusted router) protects the system from bad routes. Change-Id: I2e8ab3141ee37ee6dd5a23d23dbb97c93610ea2e Co-Authored-By: Luke Hinds Signed-off-by: zshi --- puppet/services/kernel.yaml | 18 ++++++++++++++++++ ...r-for-icmp-redirects-f325f91d71b58b5f.yaml | 19 +++++++++++++++++++ ...g-suspicious-packets-d5545586f917d2ca.yaml | 9 +++++++++ 3 files changed, 46 insertions(+) create mode 100644 releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml create mode 100644 releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index ee4c771f07..380fb88238 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -39,6 +39,20 @@ outputs: value: 5 net.ipv4.tcp_keepalive_time: value: 5 + net.ipv4.conf.default.send_redirects: + value: 0 + net.ipv4.conf.all.send_redirects: + value: 0 + net.ipv4.conf.default.accept_redirects: + value: 0 + net.ipv4.conf.default.secure_redirects: + value: 0 + net.ipv4.conf.all.secure_redirects: + value: 0 + net.ipv4.conf.default.log_martians: + value: 1 + net.ipv4.conf.all.log_martians: + value: 1 net.nf_conntrack_max: value: 500000 net.netfilter.nf_conntrack_max: @@ -52,6 +66,10 @@ outputs: value: 0 net.ipv6.conf.default.autoconf: value: 0 + net.ipv6.conf.default.accept_redirects: + value: 0 + net.ipv6.conf.all.accept_redirects: + value: 0 net.core.netdev_max_backlog: value: 10000 kernel.pid_max: diff --git a/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml new file mode 100644 index 0000000000..0f226a847b --- /dev/null +++ b/releasenotes/notes/disable-kernel-parameter-for-icmp-redirects-f325f91d71b58b5f.yaml @@ -0,0 +1,19 @@ +--- +upgrade: + - The net.ipv4.conf.default.send_redirects & net.ipv4.conf.all.send_redirects + are now set to 0 to prevent a compromised host from sending invalid ICMP + redirects to other router devices. + - The net.ipv4.conf.default.accept_redirects, + net.ipv6.conf.default.accept_redirects & net.ipv6.conf.all.accept_redirects + are now set to 0 to prevent forged ICMP packet from altering host's routing + tables. + - The net.ipv4.conf.default.secure_redirects & + net.ipv4.conf.all.secure_redirects are now set to 0 to disable acceptance + of secure ICMP redirected packets. +security: + - Invalide ICMP redirects may corrupt routing and have users access a system + set up by the attacker as opposed to a valid system. + - Routing tables may be altered by bogus ICMP redirect messages and send + packets to incorrect networks. + - Secure ICMP redirects are the same as ICMP redirects, except they come from + gateways listed on the default gateway list. diff --git a/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml new file mode 100644 index 0000000000..bb2543f2ae --- /dev/null +++ b/releasenotes/notes/enable-logging-suspicious-packets-d5545586f917d2ca.yaml @@ -0,0 +1,9 @@ +--- +upgrade: + - | + The net.ipv4.conf.default.log_martians & net.ipv4.conf.all.log_martians are + now set to 1 to enable logging of suspicious packets. +security: + - | + Logging of suspicious packets allows an administrator to investigate the + spoofed packets sent to their system.