** Description changed:

  A Nexpose scan of Ubuntu 16.04 lists a number of insecure configurations, including ICMP redirection, source routing, and forwarding. Inspection shows that net.ipv4.conf.default enables these things.

  RHEL 6 documentation suggests shutting down source routing, forwarding, and ICMP redirects of any kind, as per the below:
  https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Server_Security-Disable-Source-Routing.html

  Adjusting these settings can have detrimental effects on a live system. For example: disabling forwarding over the docker0 interface breaks Docker. As a sane default, I recommend loading default settings during system boot, which will create network interfaces with those settings and allow later processes to enable these features as needed.

- I recommend the following settings in /etc/sysctl.conf:
+ I recommend the following settings in /etc/sysctl.d/10-network-security.conf:

  # Disable forwarding by default
+ # This disables mc_forwarding as well; writing to mc_forwarding causes an error
  net.ipv4.conf.default.forwarding=0
  net.ipv6.conf.default.forwarding=0
- # Multicast forwarding
- net.ipv4.conf.default.mc_forwarding=0
- net.ipv6.conf.default.mc_forwarding=0

  # Do not accept ICMP redirects (prevent MITM attacks)
+ # This removes the secure_redirects sysctl
  net.ipv4.conf.default.accept_redirects = 0
  net.ipv6.conf.default.accept_redirects = 0
- net.ipv4.conf.default.secure_redirects = 0
- net.ipv6.conf.default.secure_redirects = 0

  # Do not send ICMP redirects (we are not a router)
  net.ipv4.conf.default.send_redirects = 0
  net.ipv6.conf.default.send_redirects = 0

  # Do not accept IP source route packets (we are not a router)
  net.ipv4.conf.default.accept_source_route = 0
  net.ipv6.conf.default.accept_source_route = 0
- net.ipv4.conf.default.rp_filter=1

+ Take note: Setting net.ipv4.conf.default.forwarding=0 here somehow doesn't have any effect; the other settings do. Uncertain if related to bug #84537.
  Restarting procps does set net.ipv4.conf.default.forwarding=0 correctly.
- Take note: Setting net.ipv4.conf.default.forarding=0 here somehow doesn't have any effect; the other settings do. Perhaps bug #84537 is in effect?
+ /etc/ufw/sysctl.conf settings override these.
--
https://bugs.launchpad.net/bugs/1676540
Title: Enable secure networking defaults in sysctl.conf
Status in procps package in Ubuntu: New
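An added example, not part of the bug report and not procps or ufw code: a POSIX shell audit for the net.*.conf.default.* keys the report recommends. `check_sysctl_defaults` compares the live kernel values under /proc/sys with the recommended ones and returns the number of drifted keys, which is how you catch the "forwarding=0 has no effect" case the reporter saw; `find_sysctl_setters` lists every sysctl file that assigns a key, so an override such as the /etc/ufw/sysctl.conf one the report mentions becomes visible. The file order in `find_sysctl_setters` (sysctl.d fragments sorted, then /etc/sysctl.conf, then /etc/ufw/sysctl.conf applied later by ufw) is an assumption about the Ubuntu boot sequence, not something the report states. Both functions take a root directory argument so they can be pointed at a constructed fake tree; secure_redirects and mc_forwarding are left out because the report notes they are removed or derived.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the recommended
# net.*.conf.default.* sysctls and show which config files set them.

# Key=expected-value pairs taken from the recommended sysctl.d fragment.
EXPECTED_SYSCTLS='
net.ipv4.conf.default.forwarding=0
net.ipv6.conf.default.forwarding=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.default.send_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
'

# key_to_path net.ipv4.conf.default.forwarding -> net/ipv4/conf/default/forwarding
key_to_path() {
    printf '%s\n' "$1" | tr '.' '/'
}

# check_sysctl_defaults PROC_SYS_ROOT
# Prints OK/DRIFT/MISSING per key. Returns the number of keys whose live value
# differs from the expected one (0 = compliant). A MISSING key (e.g. no IPv6
# on the host) is reported but not counted as drift.
check_sysctl_defaults() {
    root="${1:-/proc/sys}"
    drift=0
    for pair in $EXPECTED_SYSCTLS; do
        key="${pair%%=*}"
        want="${pair#*=}"
        file="$root/$(key_to_path "$key")"
        if [ ! -r "$file" ]; then
            printf 'MISSING %s\n' "$key"
            continue
        fi
        have=$(cat "$file")
        if [ "$have" = "$want" ]; then
            printf 'OK      %s=%s\n' "$key" "$have"
        else
            printf 'DRIFT   %s=%s (want %s)\n' "$key" "$have" "$want"
            drift=$((drift + 1))
        fi
    done
    return "$drift"
}

# find_sysctl_setters ETC_ROOT KEY
# Prints "file: assignment" for every sysctl config file under ETC_ROOT that
# assigns KEY, skipping comments. Assumed load order (Ubuntu, not stated in the
# report): /etc/sysctl.d/*.conf sorted, then /etc/sysctl.conf, then
# /etc/ufw/sysctl.conf, which ufw applies when it starts. The last line
# printed is therefore the value that is expected to win.
find_sysctl_setters() {
    etc="${1:-/etc}"
    key="$2"
    # escape the dots so grep treats the key literally
    pattern="^[[:space:]]*$(printf '%s' "$key" | sed 's/\./\\./g')[[:space:]]*="
    for f in "$etc"/sysctl.d/*.conf "$etc"/sysctl.conf "$etc"/ufw/sysctl.conf; do
        [ -r "$f" ] || continue
        grep -E "$pattern" "$f" | sed "s|^|$f: |"
    done
}

# Stand-alone use: `sh audit-sysctl.sh --live` audits the running host.
# Sourcing the file only defines the functions.
if [ "${1:-}" = "--live" ]; then
    for pair in $EXPECTED_SYSCTLS; do
        find_sysctl_setters /etc "${pair%%=*}"
    done
    check_sysctl_defaults /proc/sys
fi
```

The non-zero exit status of `check_sysctl_defaults` is the drift count, so it drops straight into a cron job or CI step. When a key shows DRIFT even though your sysctl.d fragment sets it, run `find_sysctl_setters /etc <key>`: if the last line printed comes from /etc/ufw/sysctl.conf, that file is re-applying the key after procps, which matches the override the reporter observed.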

