LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/solrhe/Securing-Optimizing-Linux-R.../chap5sec57.html

247 lines
4.4 KiB
HTML
Raw Permalink Blame History

<HTML
><HEAD
><TITLE
>Disable ICMP Redirect Acceptance</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.60"><LINK
REL="HOME"
TITLE="Securing and Optimizing Linux"
HREF="index.html"><LINK
REL="UP"
TITLE="General System Security"
HREF="gen-syssecured.html"><LINK
REL="PREVIOUS"
TITLE="Enable TCP SYN Cookie Protection"
HREF="chap5sec56.html"><LINK
REL="NEXT"
TITLE="Enable always-defragging Protection"
HREF="chap5sec58.html"></HEAD
><BODY
CLASS="section"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Securing and Optimizing Linux: RedHat Edition -A Hands on Guide</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="chap5sec56.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 5. General System Security</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="chap5sec58.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="section"
><H1
CLASS="section"
><A
NAME="AEN4131"
>5.28. Disable ICMP Redirect Acceptance</A
></H1
><P
>&#13; When hosts use a non-optimal or defunct route to a particular destination, an ICMP redirect packet is used by routers to inform the hosts what the correct route
should be. If an attacker is able to forge <SPAN
CLASS="acronym"
>ICMP</SPAN
> redirect packets, he or she can alter the routing tables on the host and possibly subvert the
security of the host by causing traffic to flow via a path you didn't intend. It's strongly recommended to disable <SPAN
CLASS="acronym"
>ICMP</SPAN
> Redirect Acceptance to
protect your server from this hole.
<DIV
CLASS="mediaobject"
><P
><IMG
SRC="images/Version6.1.gif"
ALT="version 6.1 only"
></IMG
></P
></DIV
>
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
>&#13; [root@deep] /# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
&#62; echo 0 &#62; $f
&#62; done
</PRE
></TD
></TR
></TABLE
>
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13; [root@deep] /#
</PRE
></TD
></TR
></TABLE
>
Add the above commands to the <TT
CLASS="filename"
>/etc/rc.d/rc.local</TT
> script file and you'll not have to type it again the next time you reboot your system.
</P
><P
>&#13; <DIV
CLASS="mediaobject"
><P
><IMG
SRC="images/Version6.2.gif"
ALT="Version 6.2 only"
></IMG
></P
></DIV
>
Edit the <TT
CLASS="filename"
>/etc/sysctl.conf</TT
> file and add the following line:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="programlisting"
>&#13; # Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
</PRE
></TD
></TR
></TABLE
>
You must restart your network for the change to take effect. The command to restart manually the network is the following:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="screen"
>&#13; [root@deep] /# /etc/rc.d/init.d/network restart
Setting network parameters [ OK ]
Bringing up interface lo [ OK ]
Bringing up interface eth0 [ OK ]
Bringing up interface eth1 [ OK ]
</PRE
></TD
></TR
></TABLE
>
Take Note that the above command for Red Hat Linux 6.1 or 6.2 will disable Redirect Acceptance Packets on all
your interfaces lo, ethN, pppN etc.
</P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="chap5sec56.html"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="chap5sec58.html"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Enable TCP SYN Cookie Protection</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="gen-syssecured.html"
>Up</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Enable always-defragging Protection</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
Reference in New Issue View Git Blame Copy Permalink