After enabling ufw and the Tiger security auditor, I see the warning:
The system accepts ICMP redirection messages
What are ICMP redirect messages? Should they be disabled for security purposes? If so, what is the correct way to do it with the ufw firewall?
Answer 1
In some cases ICMP packets can be used to attack a network. Although this type of problem is not common nowadays, it does still happen in certain situations. ICMP redirects, or ICMP type 5 packets, are one such case. Routers use ICMP redirects to specify a better routing path out of a network, based on the host's choice, so it basically affects how packets are routed and where they are sent.
Through ICMP redirects a host can find out which networks are reachable from within the local network, and which router to use for each such network. The security problem stems from the fact that ICMP packets, including ICMP redirects, are extremely easy to spoof, so it is basically trivial for an attacker to forge an ICMP redirect packet.
The attacker can then basically alter the host's routing table and divert traffic to external hosts via a path of his/her choosing; the router will keep the new path active for 10 minutes. Given this fact and the security risk involved in such situations, it is recommended to disable (ignore) ICMP redirect messages on all public interfaces.
You need to edit the file /etc/sysctl.conf
and change
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
to
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
Then apply the kernel parameter changes above:
$ sudo sysctl -p
Answer 2
Note that if forwarding is disabled (we are not a router), the value of net.ipvX.conf.all.accept_redirects is ORed with the interface-specific value, e.g. net.ipvX.conf.eth0.accept_redirects. send_redirects is always ORed.
The complete fix is:
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
For the "default" settings to take effect, the network interfaces have to be set up again.
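Putting the two answers together, as an added example that is not code from either answer: a POSIX shell script that persists the six keys from Answer 2 in a sysctl.d drop-in, writes 0 into the per-interface files under /proc/sys so that interfaces that were already up are covered without setting them up again, and then audits every interface. The drop-in path /etc/sysctl.d/60-icmp-redirects.conf and the use of `sysctl --system` (which loads /etc/sysctl.d/*.conf on a modern Ubuntu system) are my assumptions. The audit step is the point of the script: because of the ORing Answer 2 describes, a stale conf/eth0/accept_redirects=1 keeps redirects enabled even after the `all` and `default` keys are 0, and `sysctl -p` alone never touches it.

```shell
#!/bin/sh
# Added example, not code from the answers above: harden ICMP redirect handling
# on all interfaces and audit the effective per-interface state.
# Assumed (hypothetical) drop-in path; override with DROPIN=... if needed.
DROPIN="${DROPIN:-/etc/sysctl.d/60-icmp-redirects.conf}"

# The six keys from Answer 2. Both "all" and "default" are needed: the kernel
# ORs conf/all with conf/<iface> (for accept_redirects when forwarding is off,
# always for send_redirects), and "default" only seeds interfaces created later.
icmp_redirect_settings() {
    cat <<'EOF'
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
EOF
}

# Print every redirect-related sysctl file below $1 (normally /proc/sys), one
# per line. Interfaces that are already up have their own conf/<iface>/ entries,
# which neither /etc/sysctl.conf nor a sysctl.d file ever touches.
# (There is no IPv6 send_redirects key in Linux, so only IPv4 is listed for it.)
redirect_files() {
    procsys="$1"
    for f in "$procsys"/net/ipv4/conf/*/accept_redirects \
             "$procsys"/net/ipv4/conf/*/send_redirects \
             "$procsys"/net/ipv6/conf/*/accept_redirects; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Audit: report any file still set to 1. Returns 1 if some interface still
# accepts or sends redirects, 0 if the host is fully hardened.
audit_redirects() {
    status=0
    for f in $(redirect_files "${1:-/proc/sys}"); do
        if [ "$(cat "$f")" != "0" ]; then
            echo "still enabled: $f"
            status=1
        fi
    done
    return $status
}

# Persist the settings and load them (sysctl --system reads /etc/sysctl.d/*.conf).
persist_settings() {
    icmp_redirect_settings > "$DROPIN"
    sysctl --system >/dev/null
}

# Force 0 onto every interface that already exists under $1. Writing the files
# directly avoids sysctl's key syntax, which needs "/" for names like eth0.100.
zero_interfaces() {
    for f in $(redirect_files "${1:-/proc/sys}"); do
        echo 0 > "$f"
    done
}

# With no argument the script only defines the functions above.
case "${1:-}" in
    apply) persist_settings && zero_interfaces /proc/sys && audit_redirects /proc/sys ;;
    audit) audit_redirects /proc/sys ;;
esac
```

Run it as root with `apply` to persist, enforce and verify in one go, or with `audit` to only check; with no argument it just defines the functions, which is how they can be exercised against a throwaway copy of the /proc/sys layout.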