Merge "Fix IP config security violations in sysctl.conf"
commit
7dec82cf5d
|
@ -42,23 +42,30 @@ net.ipv4.conf.all.rp_filter=1
|
|||
# Ignore ICMP broadcasts
|
||||
#net.ipv4.icmp_echo_ignore_broadcasts = 1
|
||||
#
|
||||
# Ignore bogus ICMP errors
|
||||
#net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||
# Set the runtime status of the net.ipv4.icmp_ignore_bogus_error_responses
|
||||
# kernel parameter to enable Kernel Parameter to Ignore Bogus ICMP Error
|
||||
# Responses on IPv4 Interfaces.
|
||||
# Ignoring bogus ICMP error responses reduces log size, although some
|
||||
# activity would not be logged.
|
||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||
#
|
||||
# Do not accept ICMP redirects (prevent MITM attacks)
|
||||
#net.ipv4.conf.all.accept_redirects = 0
|
||||
#net.ipv6.conf.all.accept_redirects = 0
|
||||
net.ipv4.conf.all.accept_redirects = 0
|
||||
net.ipv6.conf.all.accept_redirects = 0
|
||||
# _or_
|
||||
# Accept ICMP redirects only for gateways listed in our default
|
||||
# gateway list (enabled by default)
|
||||
# net.ipv4.conf.all.secure_redirects = 1
|
||||
# Accepting "secure" ICMP redirects (from those gateways listed as default
|
||||
# gateways) has few legitimate uses. It should be disabled unless it is
|
||||
# absolutely required.
|
||||
net.ipv4.conf.all.secure_redirects = 0
|
||||
#
|
||||
# Do not send ICMP redirects (we are not a router)
|
||||
#net.ipv4.conf.all.send_redirects = 0
|
||||
net.ipv4.conf.all.send_redirects = 0
|
||||
#
|
||||
# Do not accept IP source route packets (we are not a router)
|
||||
#net.ipv4.conf.all.accept_source_route = 0
|
||||
#net.ipv6.conf.all.accept_source_route = 0
|
||||
net.ipv6.conf.all.accept_source_route = 0
|
||||
#
|
||||
# Log Martian Packets
|
||||
#net.ipv4.conf.all.log_martians = 1
|
||||
|
@ -105,3 +112,43 @@ net.ipv4.ip_local_reserved_ports=35357,44134-44136
|
|||
# it in the code we control, but this will keep the number at a reasonable
|
||||
# size if an application is poorly behaved.
|
||||
fs.negative-dentry-limit=20
|
||||
# Set the runtime status of the - net.ipv6.conf.default.accept_redirects -
|
||||
# kernel parameter to disable Kernel Parameter for Accepting ICMP Redirects
|
||||
# by Default on IPv6 Interfaces.
|
||||
# An illicit ICMP redirect message could result in a man-in-the-middle attack.
|
||||
net.ipv6.conf.default.accept_redirects = 0
|
||||
|
||||
# Set the runtime status of the net.ipv4.conf.default.accept_redirects kernel
|
||||
# parameter, to disable Kernel Parameter for Accepting ICMP Redirects by Default
|
||||
# on IPv4 Interfaces.
|
||||
# ICMP redirect messages are used by routers to inform hosts that a more direct
|
||||
# route exists for a particular destination.
|
||||
# These messages modify the host's route table and are unauthenticated.
|
||||
# An illicit ICMP redirect message could result in a man-in-the-middle attack.
|
||||
# This feature of the IPv4 protocol has few legitimate uses. It should be
|
||||
# disabled unless absolutely required.
|
||||
net.ipv4.conf.default.accept_redirects = 0
|
||||
|
||||
# Set the runtime status of the net.ipv4.conf.default.send_redirects kernel
|
||||
# parameter, to disable Kernel Parameter for Sending ICMP Redirects on all
|
||||
# IPv4 Interfaces by Default.
|
||||
# ICMP redirect messages are used by routers to inform hosts that a more
|
||||
# direct route exists for a particular destination. These messages contain
|
||||
# information from the system's route table possibly revealing portions of
|
||||
# the network topology.
|
||||
# The ability to send ICMP redirects is only appropriate for systems acting
|
||||
# as routers.
|
||||
net.ipv4.conf.default.send_redirects = 0
|
||||
|
||||
# Set the runtime status of the net.ipv6.conf.default.accept_ra kernel parameter
|
||||
# to disable Accepting Router Advertisements on all IPv6 Interfaces by Default
|
||||
# An illicit router advertisement message could result in a man-in-the-middle
|
||||
# attack.
|
||||
net.ipv6.conf.default.accept_ra = 0
|
||||
|
||||
# Set the runtime status of the net.ipv4.conf.default.secure_redirects kernel
|
||||
# parameter.
|
||||
# Accepting "secure" ICMP redirects (from those gateways listed as default
|
||||
# gateways) has few legitimate uses.
|
||||
# It should be disabled unless it is absolutely required.
|
||||
net.ipv4.conf.default.secure_redirects = 0
|
||||
|
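Review bot: In the first hunk `net.ipv4.conf.all.accept_source_route = 0` is left commented out while only the IPv6 counterpart was uncommented, so the "we are not a router" intent stated in the comment above it is not enforced for IPv4, and the second hunk adds no `default.accept_source_route` key for either family. The same asymmetry shows up with `accept_ra`, which is set only under `default` and not `all`, and `log_martians` also stays commented with no explanation. Keep in mind that `default.*` keys only seed interfaces created after the setting is applied, and for several of these flags the kernel combines the `all` value with the per-interface value, so an interface that already exists can keep its own setting; the effective values are worth confirming with `sysctl -a` on a booted host rather than trusting the file. I would add `net.ipv4.conf.all.accept_source_route = 0`, `net.ipv4.conf.default.accept_source_route = 0` and `net.ipv6.conf.all.accept_ra = 0`, and either enable `log_martians` or note why it is left off.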
|