[Bug 1676540] Re: Enable secure networking defaults in sysctl.conf

John Moser john.r.moser at gmail.com
Mon Mar 27 18:59:28 UTC 2017


** Description changed:

  A Nexpose scan of Ubuntu 16.04 lists a number of insecure
  configurations, including ICMP redirection, source routing, and
  forwarding.  Inspection shows that net.ipv4.conf.default enables these
  things.
  
  RHEL 6 documentation suggests shutting down source routing, forwarding,
  and ICMP redirects of any kind, as per the below:
  
  https://access.redhat.com/documentation/en-
  US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-
  Server_Security-Disable-Source-Routing.html
  
  Adjusting these settings can have detrimental effects on a live system.
  For example:  disabling forwarding over the docker0 interface breaks
  Docker.  As a sane default, I recommend loading default settings during
  system boot, which will create network interfaces with those settings
  and allow later processes to enable these features as-needed.
  
- I recommend the following settings in /etc/sysctl.conf:
+ I recommend the following settings in /etc/sysctl.d/10-network-
+ security.conf:
  
  # Disable forwarding by default
+ # This disables mc_forwarding as well; writing to mc_forwarding causes an error
  net.ipv4.conf.default.forwarding=0
  net.ipv6.conf.default.forwarding=0
- # Multicast forwarding
- net.ipv4.conf.default.mc_forwarding=0
- net.ipv6.conf.default.mc_forwarding=0
  
  # Do not accept ICMP redirects (prevent MITM attacks)
+ # This removes the secure_redirects sysctl
  net.ipv4.conf.default.accept_redirects = 0
  net.ipv6.conf.default.accept_redirects = 0
- net.ipv4.conf.default.secure_redirects = 0
- net.ipv6.conf.default.secure_redirects = 0
  
  # Do not send ICMP redirects (we are not a router)
  net.ipv4.conf.default.send_redirects = 0
  net.ipv6.conf.default.send_redirects = 0
  
  # Do not accept IP source route packets (we are not a router)
  net.ipv4.conf.default.accept_source_route = 0
  net.ipv6.conf.default.accept_source_route = 0
  
- net.ipv4.conf.default.rp_filter=1
  
+ Take note:  Setting net.ipv4.conf.default.forwarding=0 here somehow doesn't have any effect; the other settings do.  Uncertain if related to bug #84537.  Restarting procps does set net.ipv4.conf.default.forwarding=0 correctly.
  
- Take note:  Setting net.ipv4.conf.default.forarding=0 here somehow doesn't have any effect; the other settings do.  Perhaps bug #84537 is in effect?
+ /etc/ufw/sysctl.conf settings override these.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to procps in Ubuntu.
https://bugs.launchpad.net/bugs/1676540

Title:
  Enable secure networking defaults in sysctl.conf

Status in procps package in Ubuntu:
  New

Bug description:
  A Nexpose scan of Ubuntu 16.04 lists a number of insecure
  configurations, including ICMP redirection, source routing, and
  forwarding.  Inspection shows that net.ipv4.conf.default enables these
  things.

  RHEL 6 documentation suggests shutting down source routing,
  forwarding, and ICMP redirects of any kind, as per the below:

  https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Server_Security-Disable-Source-Routing.html

  Adjusting these settings can have detrimental effects on a live system.
  For example: disabling forwarding over the docker0 interface breaks
  Docker. As a sane default, I recommend loading default settings during
  system boot, which will create network interfaces with those settings
  and allow later processes to enable these features as-needed.

  I recommend the following settings in /etc/sysctl.d/10-network-security.conf:

  # Disable forwarding by default
  # This disables mc_forwarding as well; writing to mc_forwarding causes an error
  net.ipv4.conf.default.forwarding=0
  net.ipv6.conf.default.forwarding=0

  # Do not accept ICMP redirects (prevent MITM attacks)
  # This removes the secure_redirects sysctl
  net.ipv4.conf.default.accept_redirects = 0
  net.ipv6.conf.default.accept_redirects = 0

  # Do not send ICMP redirects (we are not a router)
  net.ipv4.conf.default.send_redirects = 0
  net.ipv6.conf.default.send_redirects = 0

  # Do not accept IP source route packets (we are not a router)
  net.ipv4.conf.default.accept_source_route = 0
  net.ipv6.conf.default.accept_source_route = 0

  
  Take note:  Setting net.ipv4.conf.default.forwarding=0 here somehow doesn't have any effect; the other settings do.  Uncertain if related to bug #84537.  Restarting procps does set net.ipv4.conf.default.forwarding=0 correctly.

  /etc/ufw/sysctl.conf settings override these.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/1676540/+subscriptions
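The report's two practical caveats are ordering (a later file such as /etc/ufw/sysctl.conf silently overrides the drop-in) and scope (the `default` tree only seeds interfaces created after the value is written; interfaces that already exist keep their own net.ipv4.conf.<iface>.* values). The script below is an added example, not part of the Launchpad bug, procps or ufw: it parses sysctl.conf-style files (dotted or slash-form keys, as sysctl accepts both), resolves which file wins for each key when the files are applied in order, reports deviations from the recommended baseline with the file responsible, and optionally compares the baseline against the live values in /proc/sys. The second sample file is a constructed stand-in for ufw's file, not its real contents, and the apply order (system drop-ins first, ufw's file last) is assumed.

```python
"""Audit a sysctl hardening baseline against drop-in files and /proc/sys.

Added example for this bug thread; not part of the report, procps or ufw.
"""
from pathlib import Path

# Settings recommended in the bug report. `default` seeds interfaces created
# after the write; existing interfaces keep their net.ipv4.conf.<iface>.* values.
BASELINE = {
    "net.ipv4.conf.default.forwarding": "0",
    "net.ipv6.conf.default.forwarding": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv6.conf.default.accept_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
    "net.ipv6.conf.default.send_redirects": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv6.conf.default.accept_source_route": "0",
}


def parse_sysctl_conf(text):
    """Parse `key = value` lines into a dict.

    Blank lines and lines starting with '#' or ';' are ignored. Slash-form
    keys are normalised to dotted form; a leading '-' (sysctl's "ignore
    errors" marker) is stripped from the key.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lstrip("-").replace("/", ".")] = value.strip()
    return settings


def effective_settings(files):
    """Resolve an ordered list of (name, text); later files override earlier.

    Returns key -> (value, name of the file that set it).
    """
    effective = {}
    for name, text in files:
        for key, value in parse_sysctl_conf(text).items():
            effective[key] = (value, name)
    return effective


def audit_files(files, baseline=BASELINE):
    """List (key, expected, actual, source) for baseline keys not satisfied.

    `actual` and `source` are None when no file sets the key at all.
    """
    effective = effective_settings(files)
    findings = []
    for key, expected in baseline.items():
        actual, source = effective.get(key, (None, None))
        if actual != expected:
            findings.append((key, expected, actual, source))
    return findings


def read_live(key):
    """Read a sysctl from /proc/sys; None if unavailable (non-Linux, no access)."""
    try:
        return Path("/proc/sys").joinpath(*key.split(".")).read_text().strip()
    except OSError:
        return None


def live_drift(baseline=BASELINE):
    """Baseline keys whose live kernel value differs, as (key, expected, actual)."""
    drift = []
    for key, expected in baseline.items():
        actual = read_live(key)
        if actual is not None and actual != expected:
            drift.append((key, expected, actual))
    return drift


# Constructed sample input: the drop-in from the bug report, then a stand-in
# for /etc/ufw/sysctl.conf (slash-form keys) that re-enables one setting.
DROP_IN = """\
# Disable forwarding by default
net.ipv4.conf.default.forwarding=0
net.ipv6.conf.default.forwarding=0
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.default.send_redirects = 0
net.ipv6.conf.default.send_redirects = 0
# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
"""
UFW_STAND_IN = "# constructed, not the real ufw file\nnet/ipv4/conf/default/accept_source_route=1\n"
SAMPLE_FILES = [
    ("/etc/sysctl.d/10-network-security.conf", DROP_IN),
    ("/etc/ufw/sysctl.conf", UFW_STAND_IN),
]

if __name__ == "__main__":
    for key, expected, actual, source in audit_files(SAMPLE_FILES):
        print(f"{key}: want {expected}, got {actual} (set by {source})")
    for key, expected, actual in live_drift():
        print(f"live drift: {key} is {actual}, baseline {expected}")
```

Run as a script it prints the one overridden key with the file that overrode it, then any live drift on a Linux host. To audit a real machine, build the file list in the order the host applies them (for procps, `sysctl --system` prints that order) and append /etc/ufw/sysctl.conf if ufw is enabled; to check interfaces that already existed when the drop-in was applied, extend BASELINE with the matching net.ipv4.conf.<iface>.* keys.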
