3.3.9 Ensure suspicious packets are logged

Information

When enabled, this feature logs packets with un-routable source addresses to the kernel log.

Setting net.ipv4.conf.all.log_martians and net.ipv4.conf.default.log_martians to 1 enables this feature. Logging these packets allows an administrator to investigate the possibility that an attacker is sending spoofed packets to their system.

Solution

Set the following parameters in /etc/sysctl.conf or a file in /etc/sysctl.d/ ending inconf :

- net.ipv4.conf.all.log_martians = 1
- net.ipv4.conf.default.log_martians = 1

Example:

# printf '%s
' "net.ipv4.conf.all.log_martians = 1" "net.ipv4.conf.default.log_martians = 1" >> /etc/sysctl.d/60-netipv4_sysctl.conf

Run the following script to set the active kernel parameters:

#!/usr/bin/env bash

{
sysctl -w net.ipv4.conf.all.log_martians=1
sysctl -w net.ipv4.conf.default.log_martians=1
sysctl -w net.ipv4.route.flush=1
}

Note: If these settings appear in a canonically later file, or later in the same file, these settings will be overwritten

See Also

https://workbench.cisecurity.org/benchmarks/18209