What IPv4 network hardening sysctls are available in RHEL?

Solution Verified - Updated -


Environment

  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • Red Hat Enterprise Linux 10

Issue

  • The following sysctl settings and parameters are not secure.

Resolution

The following settings are considered non-secure.

net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.icmp_ignore_bogus_error_responses = 0
net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1

  • net.ipv4.icmp_echo_ignore_broadcasts = 0: When set to 0, the system can respond to ICMP echo requests sent to broadcast addresses.
  • net.ipv4.icmp_ignore_bogus_error_responses = 0: Setting this to 0 means the system will process ICMP error responses even if they are considered invalid.
  • net.ipv4.tcp_syncookies = 0: When set to 0, the system does not use syncookies for handling TCP SYN flood attacks.
  • net.ipv4.conf.all.send_redirects = 1: This enables the system to send ICMP redirect messages from all interfaces.
  • net.ipv4.conf.default.send_redirects = 1: Similar to the previous setting, this enables sending ICMP redirect messages, but for the default interface.
  • net.ipv4.conf.all.accept_redirects = 1: When set to 1, the system accepts ICMP redirect messages from all interfaces.
  • net.ipv4.conf.default.accept_redirects = 1: Similar to the previous setting, this allows accepting ICMP redirect messages, but for the default interface.

Recommendations:

- The following settings already have their secure value at the OS level by default.

net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1

- The redirect settings can be changed to their secure values as follows.

net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0

  • net.ipv4.icmp_echo_ignore_broadcasts = 1: This setting prevents the system from responding to ICMP echo requests sent to broadcast addresses.
  • net.ipv4.icmp_ignore_bogus_error_responses = 1: This setting helps to ignore ICMP error responses that may be considered invalid.
  • net.ipv4.tcp_syncookies = 1: When this setting is enabled, the system uses syncookies to handle TCP SYN flood attacks.
  • net.ipv4.conf.all.send_redirects = 0: This disables sending ICMP redirect messages from all interfaces.
  • net.ipv4.conf.default.send_redirects = 0: Similar to the previous setting, this disables sending ICMP redirect messages, but for the default interface.
  • net.ipv4.conf.all.accept_redirects = 0: This prevents the system from accepting ICMP redirect messages from all interfaces.
  • net.ipv4.conf.default.accept_redirects = 0: Similar to the previous setting, this prevents accepting ICMP redirect messages, but for the default interface.

NOTE: The following settings are only considered non-secure when the host is not a router (net.ipv4.ip_forward = 0).

net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
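The following POSIX shell script is an added example and is not part of the Red Hat solution. It audits a snapshot in "sysctl -a" format ("key = value" lines) against the secure values recommended above, applies the router exception from the note (redirect settings are not flagged when net.ipv4.ip_forward is 1), and prints the content of a /etc/sysctl.d drop-in that sets the recommended values. The function names, the drop-in file name 99-ipv4-hardening.conf and the sample snapshot are assumptions made for this example; the snapshot is constructed to contain three deviating values.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): audit a "sysctl -a"-style snapshot
# against the IPv4 hardening values listed above and emit a /etc/sysctl.d drop-in.
# Function names, the drop-in name and the sample data are assumptions for this example.

# Secure values as given in the article, one key=value per line.
EXPECTED='net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0'

# sysctl_value <snapshot-file> <key>: value from a "key = value" line, empty if absent.
sysctl_value() {
    awk -v k="$2" '$1 == k { print $3; exit }' "$1"
}

# audit_sysctl <snapshot-file>: print one "key current=X expected=Y" line per deviation.
# Redirect settings are skipped on a forwarding host, following the article's note
# that they are only considered non-secure when net.ipv4.ip_forward is 0.
audit_sysctl() {
    snapshot=$1
    fwd=$(sysctl_value "$snapshot" net.ipv4.ip_forward)
    for entry in $EXPECTED; do
        key=${entry%%=*}
        want=${entry#*=}
        case $key in
            *_redirects)
                if [ "$fwd" = "1" ]; then continue; fi
                ;;
        esac
        cur=$(sysctl_value "$snapshot" "$key")
        [ "$cur" = "$want" ] || echo "$key current=${cur:-unset} expected=$want"
    done
}

# write_dropin: print the drop-in content to stdout. Redirect it into
# /etc/sysctl.d/99-ipv4-hardening.conf (a name chosen for this example) and run
# "sysctl --system" to apply it.
write_dropin() {
    echo "# IPv4 hardening values from the Red Hat solution"
    for entry in $EXPECTED; do
        echo "${entry%%=*} = ${entry#*=}"
    done
}

# write_sample_snapshot <path>: constructed sample in "sysctl -a" format with three
# deviating values (syncookies off, all.send_redirects and all.accept_redirects on).
write_sample_snapshot() {
    cat > "$1" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 0
EOF
}

# Demo run on the constructed sample; on a live host use "sysctl -a > snapshot" instead.
demo_snapshot=$(mktemp)
write_sample_snapshot "$demo_snapshot"
echo "== deviations =="
audit_sysctl "$demo_snapshot"
echo "== drop-in =="
write_dropin
rm -f "$demo_snapshot"
```

On the constructed sample the audit reports tcp_syncookies, conf.all.send_redirects and conf.all.accept_redirects. If the same snapshot has net.ipv4.ip_forward = 1, only tcp_syncookies is reported, which is the behaviour the note above describes. Values in /etc/sysctl.d are applied in lexical file order, so a drop-in named 99-... takes precedence over lower-numbered files that set the same keys.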

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
