As a security best practice, verify that the host system denies IPv4 Internet Control Message Protocol (ICMP) redirects. Routers use ICMP redirect messages to inform servers that a direct route exists for a particular destination. These messages contain information from the system's route table that might reveal portions of the network topology.
Procedure
- Run the # grep [01] /proc/sys/net/ipv4/conf/*/send_redirects|egrep "default|all" on the host system to verify whether it denies IPv4 ICMP redirects.
- Configure the host system to deny IPv4 ICMP redirects.
- Open the /etc/sysctl.conf file to configure the host system.
- If the values are not set to
0
, add the following entries to the file or update the existing entries accordingly. Set the value to0
.net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0
- Save the changes and close the file.
- Run
# sysctl -p
to apply the configuration.