What is an ICMP redirect, and should it be blocked?


22

After enabling ufw and the Tiger security auditor, I see a warning that says:

The system accepts ICMP redirection messages

What are ICMP redirect messages? Should they be disabled for security purposes? If so, what is the correct way to do that with the ufw firewall?

Answers:


28

According to this article:

In some cases, ICMP packets can be used to attack a network. Although this type of problem is not common today, it does occur in certain situations. ICMP redirects, or ICMP Type 5 packets, are one such case. Routers use ICMP redirects to specify a better routing path out of a network, based on the host's choice, so fundamentally they affect how packets are routed and where they go.

Through ICMP redirects, a host can find out which networks can be reached from within the local network, and which router to use for each of those networks. The security issue comes from the fact that ICMP packets, including ICMP redirects, are extremely easy to spoof, and basically it is fairly easy for an attacker to forge an ICMP redirect packet.

The attacker can then fundamentally alter the host's routing table and divert traffic to an external host over a path of his or her choosing; the router keeps the new path active for 10 minutes. Because of this, and the security risk involved, it is still advisable to disable ICMP redirect messages (ignore them) on all public interfaces.

You need to edit the file /etc/sysctl.conf

and change

###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0

###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

Then apply the kernel parameter changes above with:

$ sudo sysctl -p

Thanks. You probably also need to uncomment those lines, don't you? :)
jrdioko

Oh yes, my mistake. Updated it.
Manish Sinha

4
You must run this for the changes to take effect: sudo sysctl -p

I don't think setting net.ipv4.conf.all.accept_redirects to 0 will do anything. Note the _or_ in the file. If I'm reading secure_redirects [ Frozentux.net/ipsysctl-tutorial/chunkyhtml/… ] correctly, it overrides net.ipv4.conf.all.accept_redirects = 0
gerardw '18

3

Note that if forwarding is disabled (we are not a router), the value of net.ipvX.conf.all.accept_redirects is ORed with the interface-specific value, e.g. net.ipvX.conf.eth0.accept_redirects. send_redirects is always ORed.

The complete fix would be:

net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0

For the "default" settings to take effect, the network interfaces must be set up again.
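The OR/AND combination rule described in the answer above is what makes checking conf.all alone misleading. The following audit script is an added example, not code from the answers: it encodes the kernel's documented IPv4 rule in two small functions and walks /proc/sys/net/ipv4/conf to report any interface whose effective setting still accepts or sends redirects (IPv6 is not covered).

```shell
#!/bin/sh
# Added example, not part of the original answers: evaluate the IPv4
# redirect sysctls per interface the way the kernel combines them, then
# audit the host so a clean conf.all value cannot hide a per-interface 1.

# Kernel rule for accept_redirects (Documentation/networking/ip-sysctl):
#   interface forwarding disabled (plain host): all OR  iface
#   interface forwarding enabled  (router)    : all AND iface
# Arguments: <all> <iface> <forwarding>, each 0 or 1. Prints 0 or 1.
effective_accept_redirects() {
    if [ "$3" -eq 1 ]; then echo $(( $1 & $2 )); else echo $(( $1 | $2 )); fi
}

# send_redirects is always all OR iface. Arguments: <all> <iface>.
effective_send_redirects() {
    echo $(( $1 | $2 ))
}

# Walk /proc/sys/net/ipv4/conf and print each interface whose effective
# value still accepts or sends redirects.
# Returns 0 when nothing is flagged, 1 when something is, 2 without /proc.
audit_ipv4_redirects() {
    base=/proc/sys/net/ipv4/conf
    [ -d "$base" ] || { echo "no $base: not a Linux host?"; return 2; }
    rc=0
    all_acc=$(cat "$base/all/accept_redirects")
    all_snd=$(cat "$base/all/send_redirects")
    for d in "$base"/*; do
        i=${d##*/}
        case $i in all|default) continue ;; esac
        acc=$(effective_accept_redirects "$all_acc" \
                "$(cat "$d/accept_redirects")" "$(cat "$d/forwarding")")
        snd=$(effective_send_redirects "$all_snd" "$(cat "$d/send_redirects")")
        [ "$acc" -eq 1 ] && { echo "$i: accepts ICMP redirects"; rc=1; }
        [ "$snd" -eq 1 ] && { echo "$i: sends ICMP redirects"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "ok: no interface accepts or sends ICMP redirects"
    return "$rc"
}

# Run the audit; the exit status is reported instead of aborting the script.
audit_ipv4_redirects || echo "audit exit status: $?"
```

Run it after `sudo sysctl -p` and again after re-bringing the interfaces up to confirm that the "default" values were inherited by every interface.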

Licensed under cc by-sa 3.0 with attribution required.