As a security best practice, verify that your VMware virtual appliance host machines deny IPv4 ICMP redirect messages.

About this task

Routers use ICMP redirect messages to tell hosts that a more direct route exists for a destination. A malicious ICMP redirect message can facilitate a man-in-the-middle attack. These messages modify the host's route table and are unauthenticated. Ensure that your system is configured to ignore them if they are not otherwise needed.

Procedure

  1. Run the following command on the VMware appliance host machines to confirm that they deny IPv4 redirect messages:

    # grep [01] /proc/sys/net/ipv4/conf/*/accept_redirects | egrep "default|all"

    If the host machines are configured to deny IPv4 redirects, this command returns the following:

    /proc/sys/net/ipv4/conf/all/accept_redirects:0

    /proc/sys/net/ipv4/conf/default/accept_redirects:0

  2. If you need to configure a virtual appliance host machine to deny IPv4 redirect messages, open the /etc/sysctl.conf file in a text editor.
  3. Check the values of the lines that begin with net.ipv4.conf.

    If the values for the following entries are not set to zero or if the entries do not exist, add them to the file or update the existing entries accordingly.

    net.ipv4.conf.all.accept_redirects=0
    net.ipv4.conf.default.accept_redirects=0
  4. Save the changes you made and close the file.
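The following POSIX shell script is an added example and is not VMware's own code. It automates the four steps above: it parses the output of the grep command from step 1 and flags any all/default entry whose value is not 0, and it adds or corrects the two net.ipv4.conf entries from step 3 in a sysctl configuration file. The sample grep output and the function names (check_redirects, audit_live, ensure_sysctl_entry) are constructed for this example.

```shell
#!/bin/sh
# Added example (not VMware's code): audit and remediate IPv4 ICMP redirect
# acceptance on a Linux-based appliance host.

# Constructed sample of what the step-1 grep prints on a host whose
# "default" interface settings still accept redirects (value 1).
SAMPLE_OUTPUT='/proc/sys/net/ipv4/conf/all/accept_redirects:0
/proc/sys/net/ipv4/conf/default/accept_redirects:1'

# check_redirects: read "<path>:<value>" lines from stdin, print every
# all/default entry that is not 0, and return 0 only when all are 0.
check_redirects() {
  bad=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    case "$line" in
      */conf/all/accept_redirects:*|*/conf/default/accept_redirects:*) ;;
      *) continue ;;   # ignore per-interface entries such as conf/eth0
    esac
    value=${line##*:}
    if [ "$value" != "0" ]; then
      echo "NONCOMPLIANT: $line"
      bad=1
    fi
  done
  return $bad
}

# audit_live: run the page's step-1 grep against the real /proc tree on
# this host and feed it to check_redirects.
audit_live() {
  grep '[01]' /proc/sys/net/ipv4/conf/*/accept_redirects 2>/dev/null \
    | grep -E 'default|all' | check_redirects
}

# ensure_sysctl_entry FILE KEY: step 3 for one key. If a line for KEY already
# exists (any value), rewrite it to KEY=0; otherwise append KEY=0. Uses a
# temporary file instead of sed -i so it also works on non-GNU sed.
ensure_sysctl_entry() {
  file=$1
  key=$2
  if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
    tmp=$(mktemp)
    sed "s|^[[:space:]]*${key}[[:space:]]*=.*|${key}=0|" "$file" > "$tmp" \
      && mv "$tmp" "$file"
  else
    printf '%s=0\n' "$key" >> "$file"
  fi
}

# remediate FILE: apply step 3 for both keys the page requires.
remediate() {
  ensure_sysctl_entry "$1" net.ipv4.conf.all.accept_redirects
  ensure_sysctl_entry "$1" net.ipv4.conf.default.accept_redirects
}

# Demo run on the constructed sample: "--demo" avoids touching the live host.
if [ "${1:-}" = "--demo" ]; then
  if printf '%s\n' "$SAMPLE_OUTPUT" | check_redirects; then
    echo "sample host denies IPv4 redirects"
  else
    echo "sample host needs the sysctl.conf fix (remediate /etc/sysctl.conf)"
  fi
fi
```

Run `audit_live` on the appliance to perform step 1 against the real kernel settings, and `remediate /etc/sysctl.conf` as root to perform steps 2 through 4. Editing the file changes only the persisted configuration; on Linux, `sysctl -p` reloads /etc/sysctl.conf into the running kernel, and re-running `audit_live` afterwards confirms that the live values now read 0.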