Skip to content

Network stack

Jump to bottom
phk918 edited this page Nov 7, 2019 · 6 revisions

You can file an issue about it and ask that it be added.

Table of Contents

Network stack

IPv6 redirects

Rationale

An illicit ICMP redirect message could result in a man-in-the-middle attack.

Solution

On all interfaces
# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.all.accept_redirects = 0

C2S/CIS: CCE-80183-7 (Medium)

By default
# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.default.accept_redirects = 0

C2S/CIS: CCE-80181-1 (Unknown)

Useful resources

IPv6 router advertisements

Rationale

An illicit router advertisement message could result in a man-in-the-middle attack.

Solution

By default
# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.default.accept_ra = 0

C2S/CIS: CCE-80181-1 (Unknown)

On all interfaces
# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.all.accept_ra = 0

C2S/CIS: CCE-80180-3 (Unknown)

Useful resources

IPv6 support automatic loading

Rationale

Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.

Solution

On all interfaces
# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.all.disable_ipv6 = 1

C2S/CIS: CCE-80175-3 (Medium)

Useful resources

Source-routed packets

Rationale

Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.

Solution

By default
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.default.accept_source_route = 0

C2S/CIS: CCE-80162-1 (Medium)

On all interfaces
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.all.accept_source_route = 0

C2S/CIS: CCE-27434-0 (Medium)

Useful resources

Ignore bogus ICMP error responses

Rationale

Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.

Solution

On all interfaces
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.icmp_ignore_bogus_error_responses = 1

C2S/CIS: CCE-80166-2 (Unknown)

Useful resources

Accepting ICMP redirects

Rationale

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated.

Solution

By default
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.default.accept_redirects = 0

C2S/CIS: CCE-80158-9 (Medium)

On all interfaces
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.all.accept_redirects = 0

C2S/CIS: CCE-80163-9 (Medium)

Useful resources

Use reverse path filtering

Rationale

Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on.

Solution

By default
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.default.rp_filter = 1

C2S/CIS: CCE-80168-8 (Medium)

On all interfaces
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.all.rp_filter = 1

C2S/CIS: CCE-80167-0 (Medium)

Useful resources

Accepting secure redirects

Rationale

Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.

Solution

By default
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.default.secure_redirects = 0

C2S/CIS: CCE-80164-7 (Medium)

On all interfaces
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.all.secure_redirects = 0

C2S/CIS: CCE-80159-7 (Medium)

Useful resources

TCP Syncookies

Rationale

A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state.

This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.

Solution

On all interfaces
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.tcp_syncookies = 1

C2S/CIS: CCE-27495-1 (Medium)

Useful resources

Log Martian packets

Rationale

The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.

Solution

By default
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.default.log_martians = 1

C2S/CIS: CCE-80161-3 (Unknown)

On all interfaces
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.all.log_martians = 1

C2S/CIS: CCE-80160-5 (Unknown)

Useful resources

ICMP broadcast echo requests

Rationale

Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.

Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.

Solution

On all interfaces
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.icmp_echo_ignore_broadcasts = 1

C2S/CIS: CCE-80165-4 (Unknown)

Useful resources

IP forwarding

Rationale

Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.

Solution

On all interfaces
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.ip_forward = 0

C2S/CIS: CCE-80157-1 (Medium)

Useful resources

Sending ICMP redirects

Rationale

ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.

Solution

By default
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.default.send_redirects = 0

C2S/CIS: CCE-80156-3 (Medium)

On all interfaces
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.all.send_redirects = 0

C2S/CIS: CCE-80156-3 (Medium)

Useful resources

Keep sockets in FIN-WAIT-2 state

Not available from C2S/CIS standard.

Rationale

The connection is being kept around so that any delayed packets can be matched to the connection and handled appropriately.

Decreasing this value can avoid some DDoS attacks or other problems (e.g. memory consuming) that arose from getting huge amounts of connections.

Solution

On all interfaces
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.tcp_fin_timeout = 30

Sysctl Documentation

Comments

If you set too large value to tcp_fin_timeout, the system may become out of port, file-descripter and memory. If you set too small value, the system may leak delayed packets.

Useful resources

Keepalive packets to keep an connection alive

Not available from C2S/CIS standard.

Rationale

TCP keepalive keeps the connection open in case an error has happened. This kernel feature ensures that a TCP connection will be kept active by simulating traffic on it so it is not marked by the communication layer as inactive.

Solution

On all interfaces
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.tcp_keepalive_time = 180
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 3

Sysctl Documentation

Comments

Remember that keepalive support, even if configured in the kernel, is not the default behavior in Linux. Programs must request keepalive control for their sockets using the setsockopt interface.

High values can be especially harmful for expensive connections such as database connections.

Useful resources

The Practical Linux Hardening Guide provides a high-level overview of the hardening GNU/Linux systems. It is not an official standard or handbook but it touches and use industry standards.

Basic information

Core Layer

Kernel Layer

Extended Layer

Logging & Auditing

System Services

Other Services

Containers

Clone this wiki locally