A Nexpose scan of Ubuntu 16.04 lists a number of insecure configurations, including ICMP redirection, source routing, and forwarding. Inspection shows that net.ipv4.conf.default enables these things.
RHEL 6 documentation suggests shutting down source routing, forwarding, and ICMP redirects of any kind, as per the below:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Server_Security-Disable-Source-Routing.html
Adjusting these settings can have detrimental effects on a live system. For example: disabling forwarding over the docker0 interface breaks Docker. As a sane default, I recommend loading the conf.default settings during system boot, so that network interfaces created afterwards inherit them while later processes remain free to enable these features as needed.
I recommend the following settings in /etc/sysctl.conf:
# Disable forwarding by default
net.ipv4.conf.default.forwarding = 0
net.ipv6.conf.default.forwarding = 0
# Multicast forwarding
net.ipv4.conf.default.mc_forwarding = 0
net.ipv6.conf.default.mc_forwarding = 0
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.default.secure_redirects = 0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.default.send_redirects = 0
net.ipv6.conf.default.send_redirects = 0
# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.conf.default.rp_filter = 1
Take note: Setting net.ipv4.conf.default.forwarding=0 here somehow doesn't have any effect; the other settings do. Perhaps bug #84537 is in effect?
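As an added check (example code, not from the original post), the script below compares a sysctl.conf-style file with the kernel's live values under /proc/sys, which is how to confirm whether a setting such as the forwarding one above actually took effect; keys the running kernel does not expose at all are reported as MISSING rather than as a mismatch. The fake /proc/sys tree and the config audited in the offline demo are constructed for illustration, not measured on a real host.

```shell
#!/bin/sh
# Added example, not from the original post: compare a sysctl.conf-style file
# with the live kernel values under /proc/sys, so a setting that "somehow
# doesn't have any effect" shows as MISMATCH; keys the kernel lacks show as MISSING.

# Dotted sysctl key -> relative path below the /proc/sys root.
key_to_path() { printf '%s\n' "$1" | tr '.' '/'; }

# sysctl_audit CONF [ROOT]: ROOT defaults to /proc/sys (a fake tree can be
# passed for offline use). Prints one line per setting:
#   OK key=value | MISMATCH key expected=X actual=Y | MISSING key
# and returns the number of settings that are not OK (0 = compliant).
sysctl_audit() {
    conf=$1; root=${2:-/proc/sys}; bad=0
    # Drop comments and all whitespace, leaving one "key=value" per line.
    for entry in $(sed -e 's/[#;].*$//' -e 's/[[:space:]]//g' -e '/^$/d' "$conf"); do
        key=${entry%%=*}; want=${entry#*=}
        path="$root/$(key_to_path "$key")"
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$key"; bad=$((bad + 1))
        elif [ "$(cat "$path")" = "$want" ]; then
            printf 'OK %s=%s\n' "$key" "$want"
        else
            printf 'MISMATCH %s expected=%s actual=%s\n' "$key" "$want" "$(cat "$path")"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed stand-in for /proc/sys for the offline demo (invented values, not
# measured on a host): forwarding still on, no IPv6 send_redirects knob at all.
make_fake_procsys() {
    mkdir -p "$1/net/ipv4/conf/default" "$1/net/ipv6/conf/default"
    echo 1 > "$1/net/ipv4/conf/default/forwarding"
    echo 0 > "$1/net/ipv4/conf/default/send_redirects"
    echo 1 > "$1/net/ipv4/conf/default/rp_filter"
    echo 0 > "$1/net/ipv6/conf/default/forwarding"
}
# "sh sysctl_audit.sh /etc/sysctl.conf" audits the live kernel; with no
# arguments it runs the offline demo against the fake tree and a constructed config.
if [ $# -gt 0 ]; then sysctl_audit "$1" "${2:-/proc/sys}"; else
    demo=$(mktemp -d); make_fake_procsys "$demo/sys"
    printf '%s\n' 'net.ipv4.conf.default.forwarding = 0' \
        'net.ipv6.conf.default.send_redirects = 0' \
        'net.ipv4.conf.default.rp_filter = 1' > "$demo/sysctl.conf"
    sysctl_audit "$demo/sysctl.conf" "$demo/sys" || echo "$? setting(s) need attention"
    rm -rf "$demo"
fi
```

Run it against the real /etc/sysctl.conf after a reboot to see which entries the kernel actually holds; a non-zero exit status is the count of entries that did not apply.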