Add network sysctl tweaks for security

* Disable Kernel Parameter for Sending ICMP Redirects:
    - net.ipv4.conf.default.send_redirects = 0
    - net.ipv4.conf.all.send_redirects = 0

    Rationale: An attacker could use a compromised host
    to send invalid ICMP redirects to other router devices
    in an attempt to corrupt routing and have users access
    a system set up by the attacker as opposed to a valid
    system.

* Disable Kernel Parameter for Accepting ICMP Redirects:
    - net.ipv4.conf.default.accept_redirects = 0

    Rationale: Attackers could use bogus ICMP redirect
    messages to maliciously alter the system routing tables
    and get them to send packets to incorrect networks and
    allow your system packets to be captured.

* Disable Kernel Parameter for secure ICMP Redirects:
    - net.ipv4.conf.default.secure_redirects = 0
    - net.ipv4.conf.all.secure_redirects = 0

    Rationale: Secure ICMP redirects are the same as ICMP
    redirects, except they come from gateways listed on
    the default gateway list. It is assumed that these
    gateways are known to your system, and that they are
    likely to be secure.

* Enable Kernel Parameter to log suspicious packets:
    - net.ipv4.conf.default.log_martians = 1
    - net.ipv4.conf.all.log_martians = 1

    Rationale: Enabling this feature and logging these packets
    allows an administrator to investigate the possibility
    that an attacker is sending spoofed packets to their system.

* Ensure IPv6 redirects are not accepted by Default
    - net.ipv6.conf.all.accept_redirects = 0
    - net.ipv6.conf.default.accept_redirects = 0

    Rationale: It is recommended that systems not accept ICMP
    redirects as they could be tricked into routing traffic to
    compromised machines. Setting hard routes within the system
    (usually a single default route to a trusted router) protects
    the system from bad routes.

Change-Id: I2e8ab3141ee37ee6dd5a23d23dbb97c93610ea2e
Co-Authored-By: Luke Hinds <lhinds@redhat.com>
Signed-off-by: zshi <zshi@redhat.com>
This commit is contained in:
zshi 2017-03-29 16:17:46 +08:00
parent 85cf5d0e98
commit 7268d1ae14
3 changed files with 46 additions and 0 deletions

View File

@ -39,6 +39,20 @@ outputs:
value: 5 value: 5
net.ipv4.tcp_keepalive_time: net.ipv4.tcp_keepalive_time:
value: 5 value: 5
net.ipv4.conf.default.send_redirects:
value: 0
net.ipv4.conf.all.send_redirects:
value: 0
net.ipv4.conf.default.accept_redirects:
value: 0
net.ipv4.conf.default.secure_redirects:
value: 0
net.ipv4.conf.all.secure_redirects:
value: 0
net.ipv4.conf.default.log_martians:
value: 1
net.ipv4.conf.all.log_martians:
value: 1
net.nf_conntrack_max: net.nf_conntrack_max:
value: 500000 value: 500000
net.netfilter.nf_conntrack_max: net.netfilter.nf_conntrack_max:
@ -52,6 +66,10 @@ outputs:
value: 0 value: 0
net.ipv6.conf.default.autoconf: net.ipv6.conf.default.autoconf:
value: 0 value: 0
net.ipv6.conf.default.accept_redirects:
value: 0
net.ipv6.conf.all.accept_redirects:
value: 0
net.core.netdev_max_backlog: net.core.netdev_max_backlog:
value: 10000 value: 10000
kernel.pid_max: kernel.pid_max:

View File

@ -0,0 +1,19 @@
---
upgrade:
- The net.ipv4.conf.default.send_redirects & net.ipv4.conf.all.send_redirects
are now set to 0 to prevent a compromised host from sending invalid ICMP
redirects to other router devices.
- The net.ipv4.conf.default.accept_redirects,
net.ipv6.conf.default.accept_redirects & net.ipv6.conf.all.accept_redirects
are now set to 0 to prevent forged ICMP packet from altering host's routing
tables.
- The net.ipv4.conf.default.secure_redirects &
net.ipv4.conf.all.secure_redirects are now set to 0 to disable acceptance
of secure ICMP redirected packets.
security:
- Invalide ICMP redirects may corrupt routing and have users access a system
set up by the attacker as opposed to a valid system.
- Routing tables may be altered by bogus ICMP redirect messages and send
packets to incorrect networks.
- Secure ICMP redirects are the same as ICMP redirects, except they come from
gateways listed on the default gateway list.

View File

@ -0,0 +1,9 @@
---
upgrade:
- |
The net.ipv4.conf.default.log_martians & net.ipv4.conf.all.log_martians are
now set to 1 to enable logging of suspicious packets.
security:
- |
Logging of suspicious packets allows an administrator to investigate the
spoofed packets sent to their system.