#1 Le 15/11/2011, à 01:07
- seba_80
un peu plus de securitee reseau
editer le fichier sysctl.conf
gksudo gedit /etc/sysctl.conf
retirer le "#" aux lignes suivantes
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 4 4 1 7
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
#
# Ignore bogus ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1
#
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
rebootez et voila
corrigé suite à la remarque de Pacifick_FR42
Dernière modification par seba_80 (Le 15/11/2011, à 12:01)
Hors ligne
#2 Le 15/11/2011, à 02:15
- seba_80
Re : un peu plus de securitee reseau
ps: MITM = man in the middle
une technique de hack qui met l attaquant au millieu du reseau, donc tout repasse par lui entre les servers et le client
apres modif vous etes blindé
a deconseiller a ceux qui utilisent ubuntu comme router, utilisez plutot pfsense comme router.
Dernière modification par seba_80 (Le 15/11/2011, à 02:34)
Hors ligne
#3 Le 15/11/2011, à 04:22
- Pacifick_FR42
Re : un peu plus de securitee reseau
Merci pour l'info (petite bémol, utilisez gksudo dans le cas d'un lancement graphique par root)
Hors ligne