Your message dated Sun, 25 May 2025 19:16:06 +0200
with message-id <53602d88517aa08e8a23d50de5329aaf315748b2.camel@decadent.org.uk>
and subject line Re: Bug#572712: use hardened sysctl net.* settings per default
has caused the Debian Bug report #572712,
regarding use hardened sysctl net.* settings per default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
572712: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572712
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: use hardened sysctl net.* settings per default
- From: Christoph Anton Mitterer <calestyo@scientia.net>
- Date: Fri, 05 Mar 2010 21:25:49 +0100
- Message-id: <1267820749.4491.72.camel@fermat.scientia.net>
Package: procps
Version: 1:3.2.8-7
Severity: wishlist

Hi.

I think it would be a good idea to use at least the settings below per
default:

net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

At least rp_filter should not have effect for most systems, even for
routers, right?

I'm not an expert on how much the others would affect Debian boxes used
as a router but:
1) The vast majority of Debian installations are NOT used as router
2) It's better to ship hardened settings per default, even if this
"breaks" some things.
3) As the "broken" things are usually special setups (e.g. router)
people that need them should be aware of what they're doing, and thus
be able to set the sysctl settings they need.
The "normal" end-user does usually however not know of these settings,
their security impact and whether or not he should set them.

Cheers,
Chris.

btw: I'd also suggest to activate syncookies per default, but this is
already requested in #520668.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-fermat (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages procps depends on:
ii  initscripts    2.87dsf-8.1     scripts for initializing and shutt
ii  libc6          2.10.2-6        Embedded GNU C Library: Shared lib
ii  libncurses5    5.7+20090803-2  shared libraries for terminal hand
ii  libncursesw5   5.7+20090803-2  shared libraries for terminal hand
ii  lsb-base       3.2-23          Linux Standard Base 3.2 init scrip

Versions of packages procps recommends:
ii  psmisc         22.10-1         utilities that use the proc file s

procps suggests no packages.

-- no debconf information

Attachment: smime.p7s
Description: S/MIME cryptographic signature
--- End Message ---
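The six settings proposed in the report are plain sysctl.conf(5) lines, and the first thing an administrator evaluating such a baseline wants is to see where a running kernel already differs from it. The script below is an added example written for this thread; it is not code from procps, systemd or Debian. It parses the mixed `key=value` / `key = value` syntax the report uses (plus comments, the `/` separator form and the `-` "ignore errors" prefix from sysctl.conf), reads the corresponding files under a `/proc/sys` root, and lists every key whose value differs or which the kernel does not expose. The `root` parameter is there so the check can run against a constructed directory tree; the fake tree and its values (`CONSTRUCTED_STATE`) are made up for the demonstration, and on a real host you would pass `Path("/proc/sys")` instead.

```python
"""Compare a sysctl baseline with the values a kernel exposes under /proc/sys.

Added example for the Debian #572712 thread; not procps, systemd or Debian code.
"""
from pathlib import Path
import tempfile


def key_to_relpath(key: str) -> Path:
    """Map a sysctl key to its path below /proc/sys.

    sysctl.conf accepts either '.' or '/' as separator.  When '/' is used the
    dots are literal (needed for names such as a VLAN interface eth0.100), so
    the two forms are deliberately not treated as interchangeable here.
    """
    key = key.strip()
    if key.startswith("-"):            # sysctl.conf: '-' = ignore set errors
        key = key[1:]
    if "/" in key:
        return Path(*key.strip("/").split("/"))
    return Path(*key.split("."))


def parse_sysctl_conf(text: str) -> dict:
    """Return {relative /proc/sys path (str): expected value}."""
    baseline = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank lines and both comment styles
            continue
        if "=" not in line:
            raise ValueError(f"malformed sysctl line: {raw!r}")
        key, value = line.split("=", 1)
        # Kernel files may separate multiple fields with tabs; normalise both sides.
        baseline[str(key_to_relpath(key))] = " ".join(value.split())
    return baseline


def read_sysctl(root: Path, relpath: str):
    """Kernel value for relpath (whitespace-normalised), or None if not exposed."""
    node = root / relpath
    if not node.is_file():
        return None
    return " ".join(node.read_text().split())


def check_baseline(baseline: dict, root: Path) -> list:
    """Return (key, expected, actual) for each key that does not match.

    actual is None when the kernel has no such key (module not loaded,
    IPv6 disabled, ...), which is worth reporting rather than skipping.
    """
    findings = []
    for key, want in baseline.items():
        have = read_sysctl(root, key)
        if have != want:
            findings.append((key, want, have))
    return findings


def build_fake_proc_sys(values: dict) -> Path:
    """Constructed stand-in for /proc/sys so the check can run offline."""
    root = Path(tempfile.mkdtemp(prefix="fake-proc-sys-"))
    for key, value in values.items():
        node = root / str(key_to_relpath(key))
        node.parent.mkdir(parents=True, exist_ok=True)
        node.write_text(f"{value}\n")
    return root


# The six settings from the bug report, in the mixed syntax it used.
REPORT_BASELINE = """\
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
"""

# Constructed host state: loose rp_filter (2), redirects accepted as on a
# non-forwarding host, and the IPv6 source-route key not present at all.
CONSTRUCTED_STATE = {
    "net.ipv4.conf.all.rp_filter": 2,
    "net.ipv4.conf.all.accept_redirects": 1,
    "net.ipv6.conf.all.accept_redirects": 1,
    "net.ipv4.conf.all.send_redirects": 0,
    "net.ipv4.conf.all.accept_source_route": 0,
}


def demo() -> list:
    """Run the report's baseline against the constructed state; return findings."""
    root = build_fake_proc_sys(CONSTRUCTED_STATE)
    findings = check_baseline(parse_sysctl_conf(REPORT_BASELINE), root)
    for key, want, have in findings:
        shown = "no such key" if have is None else have
        print(f"{key}: expected {want}, kernel has {shown}")
    return findings


if __name__ == "__main__":
    demo()
```

Running it prints four deviations for the constructed state: rp_filter 1 versus 2, both accept_redirects keys 0 versus 1, and the missing IPv6 accept_source_route key. A value of 2 for rp_filter is reported as a mismatch on purpose; whether loose mode is acceptable in place of strict mode is exactly the policy question the maintainer's reply discusses, and a checker should surface it rather than decide it.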
--- Begin Message ---
- To: 572712-done@bugs.debian.org
- Subject: Re: Bug#572712: use hardened sysctl net.* settings per default
- From: Ben Hutchings <ben@decadent.org.uk>
- Date: Sun, 25 May 2025 19:16:06 +0200
- Message-id: <53602d88517aa08e8a23d50de5329aaf315748b2.camel@decadent.org.uk>
- In-reply-to: <58ff2934a65c4ad19b1853c85a90eb0b88ad75ec.camel@scientia.org>
- References: <1267820749.4491.72.camel@fermat.scientia.net> <20100306231111.GB9908@enc.com.au> <20100530172958.GA3779@galadriel.inutil.org> <1275323355.3155.71.camel@fermat.scientia.net> <20100710123736.GA2587@galadriel.inutil.org> <20100710132314.GA5570@wavehammer.waldi.eu.org> <f9ebeba969ffeaeef85527fef88fd633cc4c6f52.camel@decadent.org.uk> <58ff2934a65c4ad19b1853c85a90eb0b88ad75ec.camel@scientia.org>
On Mon, 2024-07-15 at 02:53 +0200, Christoph Anton Mitterer wrote:
> Hey Ben.
>
> Nice to see a package for that :-)
>
> On Tue, 2024-06-25 at 00:46 +0200, Ben Hutchings wrote:
> > > net.ipv4.conf.all.rp_filter=1
> >
> > This is (effectively) set to 2 by the new configuration.
>
> Just wondered why not using 1?
> AFAIU, the RFC would recommend strict mode (1). Does that break
> anything that is widely used?
> I've used 1 on workstations and servers for over a decade now and never
> really noticed any issues.

This is a conservative setting that should work everywhere. The kernel
documentation says: "If using asymmetric routing or other complicated
routing, then loose mode is recommended."

We could potentially put some more restrictive settings in a second
file, that could then be suppressed by a corresponding file in /etc
without affecting those in 50-default.conf.

> > > net.ipv4.conf.all.accept_redirects = 0
> >
> > This is not set by the new configuration. The kernel default for
> > this is the inverse of net.ipv4.conf.all.forwarding, so it will be
> > set on routers but not hosts.
>
> Sure about that? The kernel docs seem to say it will be enabled on
> hosts, and disabled on routers.
> Or did you simply mean "will be set (to 0)"?

Yes that's what I meant.

> Still, question is... what for are ICMP redirects needed on normal
> hosts?
> The old procps sysctl.conf documented it as preventing some spoofing
> attacks... and as above, I've had these set on both desktops and larger
> server clusters doing quite some networking for at least over a decade
> and never saw any need for enabling it.

I think the idea is that when there are multiple gateway routers on the
local network, hosts can start with a single default gateway configured
and then it will tell them when to use a different one.

RFC 1122 (Requirements for Internet Hosts) says that hosts MUST accept
valid ICMP redirect messages, and this doesn't appear to have been
superseded.

> > > net.ipv6.conf.all.accept_redirects = 0
> >
> > This is not set and the kernel default is still 1.
>
> Well, basically same as above. Is there any real world thing that needs
> ICMP redirects to be accepted?

Same reason as for IPv4. RFC 4861 (Neighbor Discovery for IPv6) says
that hosts SHOULD accept valid ICMPv6 redirect messages. RFC 8028
defines stricter validation but the requirement remains.

[...]

> > > net.ipv6.conf.all.accept_source_route = 0
> >
> > That has always been the kernel default value.
>
> btw: Seems that 0 doesn't actually disable it completely for v6,...
> that would require a negative value (at least according to docs).

Indeed, routing header type 2 may still be accepted, to support Mobile
IP (RFC 3775). But this seems to have no effect if no "home address"
is configured on the interface. (Routing header types 3 and 4 may also
be accepted, but those are controlled by separate sysctls that are off
by default.)

> > > 1) The vast majority of Debian installations are NOT used as router
> >
> > I think this is no longer true: anything hosting VMs or containers
> > that have networking acts as a router.
>
> Hmm, even with that I'd rather tend to say it's not the majority, or is
> it?!

I am only claiming that a significant minority are routers.

[...]

> btw:
> Does anyone know why fs.protected_fifos isn't set to the stricter `2`?
> I guess you just took that from systemd, which set it (to 1) in
> https://github.com/systemd/systemd/commit/2732587540035227fe59e4b64b60127352611b35
> but no real explanation whether there are any use cases which would be
> broken by `2`.

Correct. The main concern is with /tmp which is world-writable and
sticky. Group-writable sticky directories are less of a concern and
there could maybe be some legitimate use for shared FIFOs there.

> Anyway... apart from the above points/questions I'd say we can mark my
> original issue as done?

OK.

If you would like us to add a second configuration file with some more
restrictive settings, please make a new bug report.

Ben.

-- 
Ben Hutchings
Teamwork is essential - it allows you to blame someone else.

Attachment: signature.asc
Description: This is a digitally signed message part
--- End Message ---
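The rp_filter exchange above turns on what strict mode (1) rejects that loose mode (2) still lets through. The model below is an added example written for this thread, not kernel code and not part of either message; it implements the decision rule documented for `net.ipv4.conf.*.rp_filter` (reverse-path lookup of the packet's source address, strict = the best route back must leave via the ingress interface, loose = any route back suffices) together with the documented rule that the mode in force on an interface is the larger of `conf/all` and `conf/<iface>`. The routing table `FIB`, the interface names and the sample source addresses are constructed for the demonstration. It goes slightly beyond the thread by also showing what a default route does to loose mode.

```python
"""Model of Linux rp_filter strict (1) vs loose (2) decisions.

Added example for the Debian #572712 thread; this is a simplified model of the
documented rule, not the kernel's fib_validate_source() implementation.
"""
import ipaddress

# Constructed forwarding table: (destination prefix, egress interface).
# Asymmetric setup: 10.2.0.0/16 is reached via eth1, but a peer there may
# still deliver its packets to us through eth0.
FIB = [
    (ipaddress.ip_network("10.1.0.0/16"), "eth0"),
    (ipaddress.ip_network("10.2.0.0/16"), "eth1"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),    # default route
]

# Same table without the default route, to show its effect on loose mode.
FIB_NO_DEFAULT = FIB[:2]


def reverse_path(fib, src):
    """Interface of the longest-prefix route back to src, or None if none."""
    src = ipaddress.ip_address(src)
    best = None
    for net, iface in fib:
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else best[1]


def effective_rp_filter(all_value, iface_value):
    """Documented combination rule: max of conf/all and conf/<iface>.

    So setting conf/all/rp_filter=2 cannot relax an interface that has 1,
    and conf/all/rp_filter=1 tightens every interface still at 0 or 2.
    """
    return max(all_value, iface_value)


def rp_filter_accepts(mode, fib, src, ingress):
    """Reverse-path verdict for a packet from src arriving on ingress.

    0: no check.
    1 (strict): the best route back to src must use the ingress interface.
    2 (loose): src merely has to be reachable through some interface.
    """
    if mode == 0:
        return True
    back = reverse_path(fib, src)
    if back is None:            # martian source: no route back at all
        return False
    if mode == 2:
        return True
    return back == ingress


def classify(fib, src, ingress):
    """Verdict under every mode, to see what a stricter baseline changes."""
    return {mode: rp_filter_accepts(mode, fib, src, ingress) for mode in (0, 1, 2)}


if __name__ == "__main__":
    cases = [
        ("10.1.5.5", "eth0"),     # symmetric: every mode accepts
        ("10.2.7.7", "eth0"),     # asymmetric: strict drops, loose accepts
        ("192.0.2.9", "eth1"),    # only the default route leads back
    ]
    for src, ingress in cases:
        print(src, "via", ingress,
              "default-route:", classify(FIB, src, ingress),
              "no-default:", classify(FIB_NO_DEFAULT, src, ingress))
```

The second case is the "asymmetric routing" the kernel documentation warns about: a legitimate peer on 10.2.0.0/16 whose packets arrive on eth0 is dropped only under strict mode, which is why 2 is the conservative shipped default and 1 belongs in an opt-in stricter file. The third case shows the limit of loose mode on a typical host: with a default route present, almost every source address is "reachable through some interface", so loose mode only ever rejects sources the routing table cannot reach at all.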