Enable secure networking defaults in sysctl.conf
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| procps (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
A Nexpose scan of Ubuntu 16.04 lists a number of insecure configurations, including ICMP redirection, source routing, and forwarding. Inspection shows that net.ipv4.
RHEL 6 documentation suggests shutting down source routing, forwarding, and ICMP redirects of any kind, as per the below:
Adjusting these settings can have detrimental effects on a live system. For example: disabling forwarding over the docker0 interface breaks Docker. As a sane default, I recommend loading default settings during system boot, which will create network interfaces with those settings and allow later processes to enable these features as needed.
I recommend the following settings in /etc/sysctl.
# Disable forwarding by default
# This disables mc_forwarding as well; writing to mc_forwarding causes an error
net.ipv4.
net.ipv6.
# Do not accept ICMP redirects (prevent MITM attacks)
# This removes the secure_redirects sysctl
net.ipv4.
net.ipv6.
# Do not send ICMP redirects (we are not a router)
net.ipv4.
net.ipv6.
# Do not accept IP source route packets (we are not a router)
net.ipv4.
net.ipv6.
Take note: Setting net.ipv4.
/etc/ufw/
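A quick way to check a host against the defaults recommended above is to read the live values back out of /proc/sys and report every deviation. The script below is an added example, not code from the report or from procps; the key names are the standard Linux sysctl names and are my assumption about which keys the truncated list refers to (IPv6 has no send_redirects sysctl, so it is left out). Both the "all" and "default" families are checked, because "default" only seeds interfaces created later, as the report notes.

```shell
#!/bin/sh
# Audit networking sysctls against hardened defaults. Key names are the standard
# Linux ones (assumption: these are the keys the truncated report lists).
# Usage: . ./audit_sysctls.sh; audit_sysctls              (live host, /proc/sys)
#        audit_sysctls /mnt/image/proc/sys                (copied or constructed tree)

HARDENED_SYSCTLS="
net.ipv4.conf.all.forwarding=0
net.ipv4.conf.default.forwarding=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.default.forwarding=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
"

# audit_sysctls [root]: print one line per key whose value differs from the
# hardened default and return the number of deviations (0 means compliant).
# Keys absent from the tree (e.g. IPv6 disabled) are reported but not counted.
audit_sysctls() {
  root="${1:-/proc/sys}"
  bad=0
  for pair in $HARDENED_SYSCTLS; do
    key="${pair%%=*}"
    expected="${pair#*=}"
    path="$root/$(printf '%s' "$key" | tr . /)"   # net.ipv4.x -> net/ipv4/x
    if [ ! -r "$path" ]; then
      printf '%s missing (skipped)\n' "$key"
      continue
    fi
    current=$(cat "$path")
    if [ "$current" != "$expected" ]; then
      printf '%s current=%s expected=%s\n' "$key" "$current" "$expected"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}
```

Run it once after boot and again after starting Docker to see exactly which keys a service flipped.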
It's Docker. Docker sets net.ipv4.conf.default.forwarding=1 when it starts the first time, then creates docker0. If you restart docker, it doesn't set this default.
That warrants another bug.