lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 13 May 2019 09:33:13 +0800
From:   Weilong Chen <chenweilong@...wei.com>
To:     <chenweilong@...wei.com>, <davem@...emloft.net>,
        <kuznet@....inr.ac.ru>, <yoshfuji@...ux-ipv6.org>
CC:     <netdev@...r.kernel.org>
Subject: [PATCH net-next] ipv4: Add support to disable icmp timestamp

The remote host answers to an ICMP timestamp request.
This allows an attacker to know the time and date on your host.

This path is an another way contrast to iptables rules:
iptables -A input -p icmp --icmp-type timestamp-request -j DROP
iptables -A output -p icmp --icmp-type timestamp-reply -j DROP

Default is disabled to improve security.

enable:
	sysctl -w net.ipv4.icmp_timestamp_enable=1
disable
	sysctl -w net.ipv4.icmp_timestamp_enable=0
testing:
	hping3 --icmp --icmp-ts -V $IPADDR

Signed-off-by: Weilong Chen <chenweilong@...wei.com>
---
 include/net/ip.h           | 2 ++
 net/ipv4/icmp.c            | 5 +++++
 net/ipv4/sysctl_net_ipv4.c | 8 ++++++++
 3 files changed, 15 insertions(+)

diff --git a/include/net/ip.h b/include/net/ip.h
index 2d3cce7..71840e4 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -718,6 +718,8 @@ bool icmp_global_allow(void);
 extern int sysctl_icmp_msgs_per_sec;
 extern int sysctl_icmp_msgs_burst;
 
+extern int sysctl_icmp_timestamp_enable;
+
 #ifdef CONFIG_PROC_FS
 int ip_misc_proc_init(void);
 #endif
diff --git a/net/ipv4/icmp.c b/net/ipv4/icmp.c
index f3a5893..d302189 100644
--- a/net/ipv4/icmp.c
+++ b/net/ipv4/icmp.c
@@ -232,6 +232,7 @@ static inline void icmp_xmit_unlock(struct sock *sk)
 
 int sysctl_icmp_msgs_per_sec __read_mostly = 1000;
 int sysctl_icmp_msgs_burst __read_mostly = 50;
+int sysctl_icmp_timestamp_enable __read_mostly;
 
 static struct {
 	spinlock_t	lock;
@@ -953,6 +954,10 @@ static bool icmp_echo(struct sk_buff *skb)
 static bool icmp_timestamp(struct sk_buff *skb)
 {
 	struct icmp_bxm icmp_param;
+
+	if (!sysctl_icmp_timestamp_enable)
+		goto out_err;
+
 	/*
 	 *	Too short.
 	 */
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index 875867b..1fe467e 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -544,6 +544,14 @@ static struct ctl_table ipv4_table[] = {
 		.extra1		= &zero,
 	},
 	{
+		.procname	= "icmp_timestamp_enable",
+		.data		= &sysctl_icmp_timestamp_enable,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= proc_dointvec_minmax,
+		.extra1		= &zero,
+	},
+	{
 		.procname	= "udp_mem",
 		.data		= &sysctl_udp_mem,
 		.maxlen		= sizeof(sysctl_udp_mem),
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ