Network stack
You can file an issue about it and ask that it be added.
-
Network stack
- IPv6 redirects
- IPv6 router advertisements
- IPv6 support automatic loading
- Source-routed packets
- Ignore bogus ICMP error responses
- Accepting ICMP redirects
- Use reverse path filtering
- Accepting secure redirects
- TCP Syncookies
- Log Martian packets
- ICMP broadcast echo requests
- IP forwarding
- Sending ICMP redirects
- Keep sockets in FIN-WAIT-2 state
- Keepalive packets to keep an connection alive
An illicit ICMP redirect message could result in a man-in-the-middle attack.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.all.accept_redirects = 0# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.default.accept_redirects = 0C2S/CIS: CCE-80181-1 (Unknown)
An illicit router advertisement message could result in a man-in-the-middle attack.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.default.accept_ra = 0C2S/CIS: CCE-80181-1 (Unknown)
# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.all.accept_ra = 0C2S/CIS: CCE-80180-3 (Unknown)
Any unnecessary network stacks - including IPv6 - should be disabled, to reduce the vulnerability to exploitation.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv6.conf.all.disable_ipv6 = 1Source-routed packets allow the source of the packet to suggest routers forward the packet along a different path than configured on the router, which can be used to bypass network security measures.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.default.accept_source_route = 0# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.all.accept_source_route = 0Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.icmp_ignore_bogus_error_responses = 1C2S/CIS: CCE-80166-2 (Unknown)
ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages modify the host's route table and are unauthenticated.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.default.accept_redirects = 0# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.all.accept_redirects = 0Enabling reverse path filtering drops packets with source addresses that should not have been able to be received on the interface they were received on.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.default.rp_filter = 1# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.all.rp_filter = 1Accepting "secure" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.default.secure_redirects = 0# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.all.secure_redirects = 0A TCP SYN flood attack can cause a denial of service by filling a system's TCP connection table with connections in the SYN_RCVD state.
This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.tcp_syncookies = 1The presence of "martian" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.default.log_martians = 1C2S/CIS: CCE-80161-3 (Unknown)
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.all.log_martians = 1C2S/CIS: CCE-80160-5 (Unknown)
Responding to broadcast (ICMP) echoes facilitates network mapping and provides a vector for amplification attacks.
Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.icmp_echo_ignore_broadcasts = 1C2S/CIS: CCE-80165-4 (Unknown)
Routing protocol daemons are typically used on routers to exchange network topology information with other routers. If this capability is used when not required, system network information may be unnecessarily transmitted across the network.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.ip_forward = 0ICMP redirect messages are used by routers to inform hosts that a more direct route exists for a particular destination. These messages contain information from the system's route table possibly revealing portions of the network topology.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.default.send_redirects = 0# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.conf.all.send_redirects = 0Not available from C2S/CIS standard.
The connection is being kept around so that any delayed packets can be matched to the connection and handled appropriately.
Decreasing this value can avoid some DDoS attacks or other problems (e.g. memory consuming) that arose from getting huge amounts of connections.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.tcp_fin_timeout = 30If you set too large value to tcp_fin_timeout, the system may become out of port, file-descripter and memory. If you set too small value, the system may leak delayed packets.
Not available from C2S/CIS standard.
TCP keepalive keeps the connection open in case an error has happened. This kernel feature ensures that a TCP connection will be kept active by simulating traffic on it so it is not marked by the communication layer as inactive.
# Add to /etc/sysctl.d/network-stack.conf
net.ipv4.tcp_keepalive_time = 180
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 3Remember that keepalive support, even if configured in the kernel, is not the default behavior in Linux. Programs must request keepalive control for their sockets using the setsockopt interface.
High values can be especially harmful for expensive connections such as database connections.
The Practical Linux Hardening Guide provides a high-level overview of the hardening GNU/Linux systems. It is not an official standard or handbook but it touches and use industry standards.