3.2.2 Ensure ICMP redirects are not accepted (Scored)

Level 1 - Server
Level 1 - Workstation 

ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting ““net.ipv4.conf.all.accept_redirects”” to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables.

Attackers could use bogus ICMP redirect messages to maliciously alter the system routing tables and get them to send packets to incorrect networks and allow your system packets to be captured.

Run the following command and verify output matches:

# sysctl net.ipv4.conf.all.accept_redirects 
net.ipv4.conf.all.accept_redirects = 0 
# sysctl net.ipv4.conf.default.accept_redirects 
net.ipv4.conf.default.accept_redirects = 0

Set the following parameter in the “/etc/sysctl.conf” file:

net.ipv4.conf.all.accept_redirects = 0 
net.ipv4.conf.default.accept_redirects = 0

Run the following commands to set the active kernel parameters:

# sysctl -w net.ipv4.conf.all.accept_redirects=0 
# sysctl -w net.ipv4.conf.default.accept_redirects=0 
# sysctl -w net.ipv4.route.flush=1
  • ubuntu1604/3/2/2.txt
  • Last modified: 2017/05/04 17:20
  • by Piotr Kłoczewski