Other Articles
- Servers – Disable UDF Filesystem
- Servers – Configure /tmp Partition
- Servers – Configure /home Partition
- Servers – Configure /var Partition
- Servers – Configure Shm Partition
- Servers – Enable dm-verity
- Servers – Enforce Authentication for Single User Mode
- Servers – Restrict Core Dump Generation
- Servers – Enable NX Protection
- Servers – Enable Address Space Layout Randomization (ASLR)
- Servers – Configure Message of the Day (MOTD)
- Servers – Configure Local Login Banner
- Servers – Configure Remote Login Banner
- Servers – Configure Message of the Day (MOTD) Permissions
- Servers – Configure Issue Permissions
- Servers – Configure Password Permissions
- Servers – Configure Group Backup Permissions
- Servers – Configure Group Permissions
- Servers – Configure Gshadow Backup Permissions
- Servers – Configure Gshadow Permissions
- Servers – Configure Passwd Backup Permissions
- Servers – Configure Shadow Backup Permissions
- Servers – Configure Shadow Permissions
- Servers – Ensure All Users' Home Directories Exist
- Servers – Ensure No Users Have .forward Files
- Servers – Ensure No Users Have .netrc Files
- Servers – Ensure No Users Have .rhosts Files
- Servers – Ensure Root is the Only UID 0 Account
- Servers – Ensure Root PATH Integrity
- Servers – Remove Legacy '+' Entries from Group
- Servers – Remove Legacy '+' Entries from Passwd
- Servers – Remove Legacy '+' Entries from Shadow
- Servers – Restrict Access to .netrc Files
- Servers – Secure System Accounts
- Servers – Ensure Users' Home Directory Permissions are 750 or More Restrictive
- Servers – Ensure Users Own Their Home Directories
- Servers – Verify Security Of Dot Files
- Servers – Verify Existence of passwd Groups
- Servers – Ensure No Duplicate UIDs Exist
- Servers – Ensure No Duplicate GIDs Exist
- Servers – Ensure No Duplicate User Names Exist
- Servers – Ensure No Duplicate Group Names Exist
- Servers – Ensure Shadow Group Has No Members
- Servers – Ensure Logging is Configured
- Servers – Ensure Journald Compression is Configured
- Servers – Ensure Journald Storage is Configured to Persistent Disk
- Servers – Ensure Permissions on All Logfiles are Configured
- Servers – Verify Time Synchronization with Chrony
- Servers – Ensure Chrony is Configured
- Servers – Ensure X Window System is Not Installed
- Servers – Ensure NFS and RPC Services are Disabled
- Servers – Ensure Rsync Service is Disabled
- Servers – Ensure TCP SYN Cookies is Enabled
- Servers – Ensure IPv6 Default Deny Firewall Policy
- Servers – Ensure IPv6 Loopback Traffic is Configured
- Servers – Ensure IPv6 Outbound and Established Connections are Configured
- Servers – Verify IPv6 Open Ports Rules
- Servers – Ensure Default Deny Firewall Policy is Configured
- Servers – Ensure Loopback Traffic is Configured
- Servers – Ensure Outbound and Established Connections are Configured
- Servers – Ensure Iptables is Installed
- Servers – Ensure Packet Redirect Sending is Disabled
- Servers – Ensure ICMP Redirects are Not Accepted
- Servers – Ensure Secure ICMP Redirects are Disabled
- Servers – Ensure Suspicious Packets Logging is Enabled
- Servers – Ensure Broadcast ICMP Requests are Ignored
- Servers – Ensure Bogus ICMP Responses are Ignored
- Servers – Ensure Reverse Path Filtering is Enabled
- Servers – Ensure Absence of IPv6 Router Advertisements
- Servers – Ensure SSH SSHD Config Permissions Are Configured
- Servers – Ensure SSH Private Host Key Permissions
- Servers – Ensure SSH Public Host Key Permissions Are Configured
- Servers – Ensure SSH Protocol is Set to 2
- Servers – Ensure SSH LogLevel is Appropriate
- Servers – Ensure SSH X11 Forwarding is Disabled
- Servers – Ensure SSH MaxAuthTries is Set to 4 or Less
- Servers – Ensure SSH IgnoreRhosts is Enabled
- Servers – Ensure SSH HostbasedAuthentication is Disabled
- Servers – Disable SSH Root Login
- Servers – Ensure SSH PermitEmptyPasswords is Disabled
- Servers – Verify SSH Strong Ciphers Strength
- Servers – Verify SSH Strong MAC Algorithms
- Servers – Verify SSH Strong Key Exchange Algorithms
- Servers – Ensure SSH Idle Timeout Interval is Configured
- Servers – Ensure SSH Login Grace Time is Configured
- Servers – Configure SSH Warning Banner
- Servers – Enable SSH PAM Authentication
- Servers – Disable SSH AllowTcpForwarding
- Servers – Configure SSH MaxStartups
- Servers – Verify SSH MaxSessions Configuration
- Servers – Ensure Password Creation Requirements are Configured
- Servers – Ensure Password Reuse is Limited
- Servers – Ensure Password Hashing Algorithm is SHA-512
- Servers – Ensure Password Expiration Days is 365 or Less
- Servers – Ensure Minimum Days Between Password Changes is 7 or More
- Servers – Ensure Password Expiration Warning Days is 7 or More
- Servers – Ensure Inactive Password Lock is 30 Days or Less
- Servers – Ensure All Users Last Password Change Date is in the Past
- Servers – Ensure System Accounts Are Secured
- Servers – Ensure Default Group for Root Account is GID 0
- Servers – Verify Default User Umask
- Servers – Ensure Default User Shell Timeout is 900 Seconds or Less
- Servers – Ensure Root Login is Restricted to System Console
- Servers – Ensure Access to su Command is Restricted
Servers – Ensure Source Routed Packets are Not Accepted
Support > Fixing Checks > Server
06 March, 2026
This check ensures that source routed packets are not accepted by the system.
Allowing source routed packets can enable attackers to bypass normal routing controls and gain unauthorized access to internal networks.
Check Details
- Resource: Server
- Check: Ensure source routed packets are not accepted
- Risk: Accepting source routed packets can allow attackers to bypass routing restrictions and access restricted networks.
Remediation Steps
- Open a terminal session with root or sudo privileges.
-
Run the following commands to set the active kernel parameters:
sysctl -w net.ipv4.conf.all.accept_source_route=0 sysctl -w net.ipv4.conf.default.accept_source_route=0 sysctl -w net.ipv6.conf.all.accept_source_route=0 sysctl -w net.ipv6.conf.default.accept_source_route=0 sysctl -w net.ipv4.route.flush=1 sysctl -w net.ipv6.route.flush=1
- These commands disable acceptance of source routed packets for both IPv4 and IPv6.
-
On systems where
/etcis stateless (such as Container-Optimized OS), these changes are not persistent across reboots. - Ensure these commands are executed after every system reboot if persistence is not supported.
-
Verify the configuration by running audit commands:
sysctl net.ipv4.conf.all.accept_source_route sysctl net.ipv4.conf.default.accept_source_route sysctl net.ipv6.conf.all.accept_source_route sysctl net.ipv6.conf.default.accept_source_route
- Ensure all values return 0.
- Perform regular audits to ensure compliance.