

networking – What are ICMP redirects, and should they be blocked?


Problem description

After enabling ufw and the Tiger security auditor, I see a warning saying:

The system accepts ICMP redirection messages

What are ICMP redirect messages? Should they be disabled for security purposes? If so, what is the correct way to do that with the ufw firewall?

Best answer

As per this article

There are certain cases where ICMP packets can be used to attack a network. Although this type of problem is not common today, there are situations where such problems do happen. This is the case with ICMP redirect, or ICMP Type 5 packet. ICMP redirects are used by routers to specify better routing paths out of one network, based on the host choice, so basically it affects the way packets are routed and destinations.

Through ICMP redirects, a host can find out which networks can be accessed from within the local network, and which are the routers to be used for each such network. The security problem comes from the fact that ICMP packets, including ICMP redirect, are extremely easy to fake and basically it would be rather easy for an attacker to forge ICMP redirect packets.

The attacker can then basically alter your host’s routing tables and divert traffic towards external hosts on a path of his/her choice; the new path is kept active by the router for 10 minutes. Due to this fact and the security risks involved in such a scenario, it is still a recommended practice to disable ICMP redirect messages (ignore them) from all public interfaces.

You need to edit the file /etc/sysctl.conf

and change

###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0

to:

###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

Then apply the kernel parameter changes above:

$ sudo sysctl -p

Second-best answer

Note that if forwarding is disabled (we are not a router), the value of net.ipvX.conf.all.accept_redirects is ORed with the interface-specific value, e.g. net.ipvX.conf.eth0.accept_redirects. send_redirects is always ORed.

The complete fix would be:

net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0

In order for the ‘default’ settings to be used, the network interfaces must be set up again.
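The per-interface OR/AND rule described in the second answer is easy to get wrong when only conf.all is set, so here is an added shell check (not part of the original post or its answers) that computes the effective accept_redirects value for each interface. The function names, the root argument (so it can run against a constructed tree instead of /proc/sys) and the sample tree are assumptions made for this example.

```shell
#!/bin/sh
# Effective ICMP-redirect acceptance per interface, using the kernel rule quoted in
# the second answer: with forwarding off on an interface, conf/all and conf/<iface>
# accept_redirects are ORed; with forwarding on, both must be 1. Paths follow
# /proc/sys/net/<family>/conf/<iface>/; the root argument (assumed) lets this run
# on a constructed tree instead of the live host.

effective_accept_redirects() {   # args: root family iface -> prints 0 or 1
  r=$1; f=$2; i=$3
  all=$(cat "$r/net/$f/conf/all/accept_redirects")
  own=$(cat "$r/net/$f/conf/$i/accept_redirects")
  fwd=$(cat "$r/net/$f/conf/$i/forwarding")
  if [ "$fwd" = "1" ]; then
    { [ "$all" = "1" ] && [ "$own" = "1" ]; } && echo 1 || echo 0
  else
    { [ "$all" = "1" ] || [ "$own" = "1" ]; } && echo 1 || echo 0
  fi
}

audit_redirects() {              # arg: root (default /proc/sys); returns 1 if any iface accepts
  root=${1:-/proc/sys}; rc=0
  for fam in ipv4 ipv6; do
    for d in "$root/net/$fam/conf"/*; do
      ifc=$(basename "$d")
      case $ifc in all|default) continue ;; esac
      [ -f "$d/accept_redirects" ] && [ -f "$d/forwarding" ] || continue
      if [ "$(effective_accept_redirects "$root" "$fam" "$ifc")" = "1" ]; then
        echo "WARN: net.$fam.conf.$ifc effectively accepts ICMP redirects"
        rc=1
      fi
    done
  done
  return $rc
}

write_sample_tree() {            # constructed sample values, not taken from a real host
  for fam in ipv4 ipv6; do
    for ifc in all default eth0 eth1 eth2; do
      mkdir -p "$1/net/$fam/conf/$ifc"
      echo 0 > "$1/net/$fam/conf/$ifc/forwarding"
      echo 0 > "$1/net/$fam/conf/$ifc/accept_redirects"
    done
    echo 1 > "$1/net/$fam/conf/eth0/accept_redirects"  # all=0 but iface=1, fwd off -> accepted
    echo 1 > "$1/net/$fam/conf/eth2/accept_redirects"  # fwd on: all=0 AND iface=1 -> ignored
    echo 1 > "$1/net/$fam/conf/eth2/forwarding"
  done
}

# Demo on the constructed tree; run `audit_redirects` with no argument on a real host.
sample=$(mktemp -d)
write_sample_tree "$sample"
if audit_redirects "$sample"; then echo "no interface accepts redirects"; else echo "fix needed"; fi
rm -rf "$sample"
```

On the sample tree eth0 is flagged even though conf.all is 0, which is exactly why the second answer also sets the conf.default entries before interfaces are set up.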

References

This article was compiled by Ubuntu Q&A; original post: https://ubuntuqa.com/article/13061.html. Do not reproduce without permission.