https://secscan.acron.pl/ 2026-04-17T02:47:17+00:00 https://secscan.acron.pl/ https://secscan.acron.pl/lib/tpl/bootstrap3/images/favicon.ico text/html 2017-05-03T16:01:34+00:00 Anonymous (anonymous@undisclosed.example.com) https://secscan.acron.pl/centos7/3/2/1?rev=1493820094&do=diff 3.2.1 Ensure source routed packets are not accepted (Scored) Profile Applicability Description In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used. text/html 2017-05-04T17:20:34+00:00 Anonymous (anonymous@undisclosed.example.com) https://secscan.acron.pl/centos7/3/2/2?rev=1493911234&do=diff 3.2.2 Ensure ICMP redirects are not accepted (Scored) Profile Applicability Description ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting text/html 2017-05-04T17:21:12+00:00 Anonymous (anonymous@undisclosed.example.com) https://secscan.acron.pl/centos7/3/2/3?rev=1493911272&do=diff 3.2.3 Ensure secure ICMP redirects are not accepted (Scored) Profile Applicability Description Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure. text/html 2017-05-04T17:21:24+00:00 Anonymous (anonymous@undisclosed.example.com) https://secscan.acron.pl/centos7/3/2/4?rev=1493911284&do=diff 3.2.4 Ensure suspicious packets are logged (Scored) Profile Applicability Description When enabled, this feature logs packets with un-routable source addresses to the kernel log. Rationale Enabling this feature and logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system. text/html 2017-05-04T17:21:38+00:00 Anonymous (anonymous@undisclosed.example.com) https://secscan.acron.pl/centos7/3/2/5?rev=1493911298&do=diff 3.2.5 Ensure broadcast ICMP requests are ignored (Scored) Profile Applicability Description Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses. text/html 2017-05-04T17:21:52+00:00 Anonymous (anonymous@undisclosed.example.com) https://secscan.acron.pl/centos7/3/2/6?rev=1493911312&do=diff 3.2.6 Ensure bogus ICMP responses are ignored (Scored) Profile Applicability Description Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages. text/html 2017-05-04T17:22:00+00:00 Anonymous (anonymous@undisclosed.example.com) https://secscan.acron.pl/centos7/3/2/7?rev=1493911320&do=diff 3.2.7 Ensure Reverse Path Filtering is enabled (Scored) Profile Applicability Description Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if text/html 2017-05-04T17:22:10+00:00 Anonymous (anonymous@undisclosed.example.com) https://secscan.acron.pl/centos7/3/2/8?rev=1493911330&do=diff 3.2.8 Ensure TCP SYN Cookies is enabled (Scored) Profile Applicability Description When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number …