ICMP Redirect send and accept are enabled by default on most Linux flavours, including Debian, Ubuntu, Redhat Enterprise Linux and Suse Linux.
While ICMP Redirects are not a very efficient way to update a host's routing table with a better route to a destination, they also raise serious security concerns: an attacker can send maliciously crafted ICMP Redirect messages and cause a Denial of Service attack on the network.
If ICMP Redirects are not used in the network for route updates, and the server is not acting as a router or gateway (the only case in which sending redirects is needed), then ICMP Redirect send and accept should both be disabled on the server.
In most Linux flavours (tested on Debian, Ubuntu, Redhat Enterprise Linux and Suse) ICMP Redirects can be disabled dynamically on a running host in one of two ways:
1. Using the /sbin/sysctl utility, which modifies kernel parameters at runtime
Log in as root and run the following commands to disable ICMP Redirect send and accept (note that sysctl -w takes key=value with no spaces around the "="):
Server# /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0
Server# /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0
Server# /sbin/sysctl -w net.ipv6.conf.all.accept_redirects=0
Server# /sbin/sysctl -w net.ipv6.conf.all.send_redirects=0
The above disables ICMP Redirects globally on the server. If you want to disable them on a per-interface basis instead, replace "all" in the above commands with the interface name (say "eth0"):
Server# /sbin/sysctl -w net.ipv4.conf.eth0.accept_redirects=0
Server# /sbin/sysctl -w net.ipv4.conf.eth0.send_redirects=0
Server# /sbin/sysctl -w net.ipv6.conf.eth0.accept_redirects=0
Server# /sbin/sysctl -w net.ipv6.conf.eth0.send_redirects=0
This disables ICMP Redirects immediately.
An even simpler option is:
2. Writing the appropriate value (0 to disable, 1 to enable) directly to the /proc/sys entries behind the same kernel variables:
Server# echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects   # IPv4
Server# echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects     # IPv4
Server# echo 0 > /proc/sys/net/ipv6/conf/all/accept_redirects   # IPv6
Server# echo 0 > /proc/sys/net/ipv6/conf/all/send_redirects     # IPv6
Again, this can be done on a per-interface basis:
Server# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects  # IPv4
Server# echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects    # IPv4
Server# echo 0 > /proc/sys/net/ipv6/conf/eth0/accept_redirects  # IPv6
Server# echo 0 > /proc/sys/net/ipv6/conf/eth0/send_redirects    # IPv6
However, kernel changes made at runtime are lost when the system reboots, so they must also be applied at boot time to keep the server secure.
ICMP REDIRECT DISABLE AT BOOT TIME
To disable ICMP Redirects at boot time:
1. Edit the /etc/sysctl.conf file and add the following lines:
In Debian and Ubuntu Linux:
net/ipv4/conf/all/accept_redirects = 0   # IPv4
net/ipv4/conf/all/send_redirects = 0     # IPv4
net/ipv6/conf/all/accept_redirects = 0   # IPv6
net/ipv6/conf/all/send_redirects = 0     # IPv6
Again, if you want to control ICMP Redirects on a per-interface basis, add the following lines instead (say for eth0):
net/ipv4/conf/eth0/accept_redirects = 0  # IPv4
net/ipv4/conf/eth0/send_redirects = 0    # IPv4
net/ipv6/conf/eth0/accept_redirects = 0  # IPv6
net/ipv6/conf/eth0/send_redirects = 0    # IPv6
In Redhat Enterprise Linux and Suse:
net.ipv4.conf.all.accept_redirects = 0   # IPv4
net.ipv4.conf.all.send_redirects = 0     # IPv4
net.ipv6.conf.all.accept_redirects = 0   # IPv6
net.ipv6.conf.all.send_redirects = 0     # IPv6
Again, if you want to control ICMP Redirects on a per-interface basis, add the following lines instead (say for eth0):
net.ipv4.conf.eth0.accept_redirects = 0  # IPv4
net.ipv4.conf.eth0.send_redirects = 0    # IPv4
net.ipv6.conf.eth0.accept_redirects = 0  # IPv6
net.ipv6.conf.eth0.send_redirects = 0    # IPv6
/etc/sysctl.conf is read by the /sbin/sysctl utility at startup, so these settings are applied on every boot.
NOTE: In Debian and Ubuntu, these settings will be overridden by any options set in /etc/network/options, because the /etc/init.d/networking script (which applies the kernel parameters from /etc/network/options at boot time) runs after the /etc/init.d/procps script (which applies the kernel variable values from /etc/sysctl.conf). It is advisable to make all changes in /etc/sysctl.conf rather than /etc/network/options, as the latter is being deprecated.
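An added example, not part of the original post, tying the runtime procedure and the boot-time configuration together: a small POSIX shell script that audits the current state of the redirect keys under /proc/sys and prints the matching /etc/sysctl.conf lines in either the Debian/Ubuntu slash style or the Redhat/Suse dotted style. SYSCTL_ROOT is a hypothetical override (defaulting to /proc/sys) so the audit can be pointed at a constructed directory tree for testing. The IPv6 send_redirects key listed above is absent on mainline Linux kernels, so the script reports missing keys as "absent" instead of treating them as a failure.

```shell
#!/bin/sh
# Added example (not from the original post): audit the ICMP redirect sysctls
# and emit the persistent sysctl.conf lines. Assumes a POSIX shell.
# SYSCTL_ROOT is a hypothetical override of /proc/sys so the functions can be
# exercised against a constructed directory tree.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# The four keys the post tells you to set, in /proc/sys path form.
# Argument: interface name, or "all" (default) for the global setting.
redirect_keys() {
    iface="${1:-all}"
    printf '%s\n' \
        "net/ipv4/conf/$iface/accept_redirects" \
        "net/ipv4/conf/$iface/send_redirects" \
        "net/ipv6/conf/$iface/accept_redirects" \
        "net/ipv6/conf/$iface/send_redirects"
}

# Print "<key> <value>" for each key ("absent" if the kernel has no such key).
# Returns 0 when every present key is 0, 1 when any key still allows redirects.
audit_redirects() {
    iface="${1:-all}"
    rc=0
    for key in $(redirect_keys "$iface"); do
        path="$SYSCTL_ROOT/$key"
        if [ -r "$path" ]; then
            value=$(cat "$path")
            printf '%s %s\n' "$key" "$value"
            [ "$value" = "0" ] || rc=1
        else
            # e.g. net/ipv6/conf/*/send_redirects on mainline kernels
            printf '%s absent\n' "$key"
        fi
    done
    return $rc
}

# Number of keys currently set to 1 (redirects still enabled).
count_enabled() {
    audit_redirects "${1:-all}" | grep -c ' 1$'
}

# Emit the boot-time configuration in sysctl.conf syntax.
# Style "dotted" (Redhat/Suse) or "slash" (Debian/Ubuntu); sysctl accepts both.
sysctl_conf_lines() {
    style="${1:-dotted}"
    iface="${2:-all}"
    for key in $(redirect_keys "$iface"); do
        if [ "$style" = "dotted" ]; then
            key=$(printf '%s' "$key" | tr '/' '.')
        fi
        printf '%s = 0\n' "$key"
    done
}

# Usage (as root, on a real host):
#   . ./icmp_redirects.sh
#   audit_redirects eth0 || echo "redirects still enabled on eth0"
#   sysctl_conf_lines slash all >> /etc/sysctl.conf
```

Run the audit after the runtime commands to confirm they took effect, and again after a reboot to confirm the /etc/sysctl.conf entries (or, on Debian/Ubuntu, that nothing in /etc/network/options has overridden them) are being applied.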