Show pageOld revisionsBacklinksBack to top This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong. ======3.6.3 Ensure loopback traffic is configured (Scored)====== =====Profile Applicability===== <code> Level 1 - Server Level 1 - Workstation </code> =====Description===== Configure the loopback interface to accept traffic. Configure all other interfaces to deny traffic to the loopback network (127.0.0.0/8). =====Rationale===== Loopback traffic is generated between processes on machine and is typically critical to operation of the system. The loopback interface is the only place that loopback network (127.0.0.0/8) traffic should be seen, all other interfaces should ignore traffic on this network as an anti-spoofing measure. =====Audit===== Run the following commands and verify output includes the listed rules in order (packet and byte counts may differ): <Code:bash> # iptables -L INPUT -v -n Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0 # iptables -L OUTPUT -v -n Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 </Code> =====Remediation===== Run the following commands to implement the loopback rules: <Code:bash> # iptables -A INPUT -i lo -j ACCEPT # iptables -A OUTPUT -o lo -j ACCEPT # iptables -A INPUT -s 127.0.0.0/8 -j DROP </Code> =====Notes===== Changing firewall settings while connected over network can result in being locked out of the system. \\ Remediation will only affect the active system firewall, be sure to configure the default policy in your firewall management to apply on boot as well. ubuntu1604/3/6/3.txt Last modified: 2017/05/02 14:13by Piotr Kłoczewski