Package: propcs Version: 1:3.2.5-1 Priority: wishlist Tags: patch The current /etc/sysctl.conf is very brief on the options that might be useful to enable (security-wise) in a Debian system. Attached is a proposed improvement (based on a contribution from Will Moy) that I'm going to provide in the Securing Debian Manual.
It could be useful for other admins to prevent them from digging out these kernel options so I'm attaching it for consideration for inclusion in the package. Regards Javier
# # /etc/sysctl.conf - Configuration file for setting system variables # See sysctl.conf (5) for information. # # # Be warned that /etc/init.d/procps is executed to set the following # variables. However, after that, /etc/init.d/networking sets some # network options with builtin values. These values may be overridden # using /etc/network/options. # #kernel.domainname = example.com #net/ipv4/icmp_echo_ignore_broadcasts=1 # Additional settings - these settings can improve the network # security of the host and prevent against some network attacks # including spoofing attacks and man in the middle attacks through # redirection. Some network environments, however, require that these # settings are disabled so review and enable them as needed. # Ignore ICMP broadcasts #net/ipv4/icmp_echo_ignore_broadcasts = 1 # # Ignore bogus ICMP errors #net/ipv4/icmp_ignore_bogus_error_responses = 1 # # Do not accept ICMP redirects (prevent MITM attacks) #net/ipv4/conf/all/accept_redirects = 0 # # Do not send ICMP redirects (we are not a router) #net/ipv4/conf/all/send_redirects = 0 # # Do not forward IP packets (we are not a router) # Note: Make sure that /etc/network/options has 'ip_forward=no' #net/ipv4/ip_forward = 0 # # Do not accept IP source route packets (we are not a router) #net/ipv4/conf/all/accept_source_route = 0 # # Enable TCP Syn Cookies # Note: Make sure that /etc/network/options has 'syncookies=yes' #net/ipv4/tcp_syncookies = 1 # # Log Martian Packets #net/ipv4/conf/all/log_martians = 1 # # Always defragment packets #net/ipv4/ip_always_defrag = 1 # # Turn on Source Address Verification in all interfaces to # prevent some spoofing attacks # Note: Make sure that /etc/network/options has 'spoofprotect=yes' #net/ipv4/conf/all/rp_filter = 1 #
signature.asc
Description: Digital signature
