20 lines
980 B
YAML
20 lines
980 B
YAML
---
|
|
upgrade:
|
|
- The net.ipv4.conf.default.send_redirects & net.ipv4.conf.all.send_redirects
|
|
are now set to 0 to prevent a compromised host from sending invalid ICMP
|
|
redirects to other router devices.
|
|
- The net.ipv4.conf.default.accept_redirects,
|
|
net.ipv6.conf.default.accept_redirects & net.ipv6.conf.all.accept_redirects
|
|
are now set to 0 to prevent forged ICMP packet from altering host's routing
|
|
tables.
|
|
- The net.ipv4.conf.default.secure_redirects &
|
|
net.ipv4.conf.all.secure_redirects are now set to 0 to disable acceptance
|
|
of secure ICMP redirected packets.
|
|
security:
|
|
- Invalide ICMP redirects may corrupt routing and have users access a system
|
|
set up by the attacker as opposed to a valid system.
|
|
- Routing tables may be altered by bogus ICMP redirect messages and send
|
|
packets to incorrect networks.
|
|
- Secure ICMP redirects are the same as ICMP redirects, except they come from
|
|
gateways listed on the default gateway list.
|