Kicksecure / security-misc

Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc

Re-enable (default) `secure_redirects` for ICMP redirect messages #248

Closed raja-grewal closed 3 months ago

raja-grewal commented 4 months ago

Previously, going back even further than 4 years, we have actually not enabled secure redirects for ICMP redirect messages over IPv4.

This error is also in Madaidan's guide.

However, this mistake has not resulted in any breakages since we do not accept ICMP redirects by default:

net.ipv4.conf.*.accept_redirects=0
net.ipv4.conf.*.send_redirects=0
net.ipv6.conf.*.accept_redirects=0

If these were to be commented out and restored back to =1, we would actually accept ICMP redirects for ALL gateways, which is wrong!

See:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing
https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html
https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked

Changes

net.ipv4.conf.*.secure_redirects=0 to net.ipv4.conf.*.secure_redirects=1

But net.ipv4.conf.*.secure_redirects=1 is the default, and so we should actually just remove the incorrect sysctls as they are redundant.


raja-grewal commented 4 months ago

I decided to show details regarding this sysctl again since I think it would be better for future maintenance.

adrelanos commented 3 months ago

This is confusing me a bit. So if we comment out the secure_redirects then it's still fine because all redirects are disabled.

If a user then would comment out the disabling for all redirects, i.e. re-enable redirects, the user would end up with secure redirects only, which is better than accepting all redirects?

Or maybe best is to keep disabling "all redirects" (all, default, secure) but move these options closer to each other and document this better so if a user was to re-enable redirects the user would be informed about all vs "secure" only?

raja-grewal commented 3 months ago

Ok yes, this is definitely not straightforward to understand at first glance.

Our current settings are perfectly fine as all redirects are disabled by default.

However, suppose a user decided to enable redirects by commenting out the following:

#net.ipv4.conf.all.accept_redirects=0
#net.ipv4.conf.default.accept_redirects=0
#net.ipv4.conf.all.send_redirects=0
#net.ipv4.conf.default.send_redirects=0
#net.ipv6.conf.all.accept_redirects=0
#net.ipv6.conf.default.accept_redirects=0

Then our current settings would actually allow redirects through all gateways because of:

net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0

What we actually want is redirects only through approved gateways, which requires us to set:

net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.default.secure_redirects=1

These bottom two are actually the kernel default and are the sensible setting. We have modified the default settings in a bad way.

We could remove those two sysctls and go back to the default, which was my first commit; then I decided to show them again just in case anybody comes to the repository wondering why we are not following Madaidan etc.

Also, in terms of moving the settings closer, they are currently merged in the README.md and right next to each other in the configuration file. The only way would be to merge them in the configuration file, which I think would also be confusing.
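The interaction described in the comment above (accept_redirects commented out, secure_redirects left at 0, so redirects are accepted from any gateway) is easy to get wrong by reading the file alone. The following is an added example, not part of the pull request or the security-misc repository: a small Python evaluator that parses a sysctl.d-style fragment, ignores commented-out lines so the kernel default applies to them, and reports the effective IPv4 redirect policy for one interface. The combination rules it models are the ones in the kernel's ip-sysctl documentation (accept_redirects: with forwarding off, enabled if either conf/all or conf/<iface> is 1, with forwarding on only if both are; secure_redirects: enabled if either is 1; a new interface inherits conf/default). The interface name `eth0`, the three sample fragments and the kernel-default table are constructed for the example.

```python
"""Evaluate the effective IPv4 ICMP redirect policy implied by a sysctl.d fragment.

Models the combination rules from the kernel's ip-sysctl documentation:
  * accept_redirects: forwarding off -> enabled if conf/all OR conf/<iface> is 1
                      forwarding on  -> enabled only if conf/all AND conf/<iface> are 1
  * secure_redirects: enabled if conf/all OR conf/<iface> is 1 (kernel default: 1)
  * an interface with no explicit entry inherits its value from conf/default
Commented-out lines are ignored, so the kernel default applies to them.
"""
import re

# Assumed kernel defaults for a non-forwarding host (per ip-sysctl documentation).
KERNEL_DEFAULTS = {"accept_redirects": 1, "secure_redirects": 1}

LINE_RE = re.compile(
    r"^\s*net\.ipv4\.conf\.(?P<scope>[^.=\s]+)\.(?P<key>accept_redirects|secure_redirects)"
    r"\s*=\s*(?P<val>[01])\s*$"
)


def parse_sysctl(text):
    """Return {(scope, key): value} for active (uncommented) net.ipv4.conf lines."""
    settings = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue  # blank or commented out: the kernel default remains in force
        m = LINE_RE.match(line)
        if m:
            settings[(m.group("scope"), m.group("key"))] = int(m.group("val"))
    return settings


def _value(settings, scope, key):
    """Resolve one knob: explicit entry, then conf/default for interfaces, then kernel default."""
    if (scope, key) in settings:
        return settings[(scope, key)]
    if scope not in ("all", "default") and ("default", key) in settings:
        return settings[("default", key)]
    return KERNEL_DEFAULTS[key]


def effective_policy(text, iface="eth0", forwarding=False):
    """Classify the redirect policy as 'rejected', 'known-gateways-only' or 'any-gateway'."""
    s = parse_sysctl(text)
    all_acc = _value(s, "all", "accept_redirects")
    if_acc = _value(s, iface, "accept_redirects")
    accept = (all_acc and if_acc) if forwarding else (all_acc or if_acc)
    secure = _value(s, "all", "secure_redirects") or _value(s, iface, "secure_redirects")
    if not accept:
        return "rejected"
    return "known-gateways-only" if secure else "any-gateway"


# Constructed sample fragments mirroring the three states discussed in the thread.
STRICT = """
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
"""

# accept_redirects commented out but the old secure_redirects=0 left in place
RELAXED_WRONG = """
#net.ipv4.conf.all.accept_redirects=0
#net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
"""

# accept_redirects commented out and secure_redirects left at the kernel default
RELAXED_DEFAULT = """
#net.ipv4.conf.all.accept_redirects=0
#net.ipv4.conf.default.accept_redirects=0
#net.ipv4.conf.all.secure_redirects=1
#net.ipv4.conf.default.secure_redirects=1
"""

if __name__ == "__main__":
    for name, frag in (("strict", STRICT), ("relaxed-wrong", RELAXED_WRONG),
                       ("relaxed-default", RELAXED_DEFAULT)):
        print(f"{name:16} -> {effective_policy(frag)}")
```

Running the three fragments shows the point of the thread: the strict fragment rejects redirects regardless of secure_redirects, the fragment that only comments out accept_redirects while keeping secure_redirects=0 accepts redirects from any gateway, and the fragment that leaves secure_redirects at the kernel default accepts them only from known gateways.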

adrelanos commented 3 months ago

Since it's the default, best to comment these out and mention it's the default?

Also this default is unlikely to ever change.

And then explain all of this.

By moving closer together I mean changing from:

## Prevents man-in-the-middle attacks and minimizes information disclosure.
##
## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing
## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html
## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
##
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0

## Accept ICMP redirect messages only for approved gateways.
## If ICMP redirect messages are permitted, only useful if managing a default gateway list.
##
## https://github.com/Kicksecure/security-misc/pull/248
##
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.default.secure_redirects=1

To:

net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.default.secure_redirects=1

raja-grewal commented 3 months ago

Done. I have merged and commented out the default secure_redirects sysctls. Also minimised the mentioning of them in the README as they are the default.