Block ICMP timestamp on FortiGate interface (CVE-1999-0524)

This year's vulnerability scan flagged a low-severity finding, "ICMP Timestamp Request Remote Date Disclosure":

"The remote host answers to an ICMP timestamp request.  This allows an attacker to know the date that is set on the targeted machine, which may assist an unauthenticated, remote attacker in defeating time-based authentication protocols."

On a host with no externally exposed services, this finding can generally be ignored.

The firewall's WAN port has ping enabled for troubleshooting convenience, so clearing this finding means changing the firewall's own configuration.
The finding relies on ICMP type 13 (timestamp request). Ordinary ping uses ICMP type 8 (echo request), so type 13 can be denied on its own while ping stays available. The FortiGate configuration is as follows:

Ref: Block ICMP timestamp on FortiGate interface while keeping ping enabled

  1. Create a firewall service for ICMP type 13 (timestamp request) (already built in on 7.2.x):

     config firewall service custom
         edit "TIMESTAMP"
             set protocol ICMP
             set icmptype 13
         next
     end


  2. Create an address object for the wan1 interface IP (replace 1.1.1.1 with the interface's actual address):

     config firewall address
         edit "wan1-IP"
             set subnet 1.1.1.1 255.255.255.255
         next
     end


  3. Create a local-in policy that denies timestamp requests arriving on wan1 for the wan1 IP (local-in policies only govern traffic addressed to the FortiGate itself, so forwarded traffic and ping, ICMP type 8, are unaffected):

     config firewall local-in-policy
         edit 1
             set intf "wan1"
             set srcaddr "all"
             set dstaddr "wan1-IP"
             set service "TIMESTAMP"
             set schedule "always"
             set action deny
         next
     end
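To confirm the policy actually works from the outside (and to see what the scanner was reading), here is an added Python example that is not part of the original post or of Fortinet's documentation: it builds an ICMP type 13 request by hand, parses the type 14 reply, and derives the remote clock from it. The RFC 792 timestamp field is milliseconds since midnight UTC, so what actually leaks is the target's time of day and clock skew rather than a calendar date. The target 192.0.2.1, the ID and sequence values, and the reply bytes used in the self-check are assumptions; sending real packets needs root or CAP_NET_RAW.

```python
"""ICMP timestamp (type 13/14) probe.  Added example, not from the original post;
the target address, IDs and constructed reply values are assumptions."""
import os
import socket
import struct
import time

ICMP_TIMESTAMP_REQUEST = 13
ICMP_TIMESTAMP_REPLY = 14
ICMP_HDR = "!BBHHHIII"   # type, code, checksum, id, seq, originate, receive, transmit
ICMP_LEN = struct.calcsize(ICMP_HDR)  # 20 bytes


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a valid message checksums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ms_since_midnight_utc(epoch_seconds: float) -> int:
    """RFC 792 timestamp format: milliseconds since midnight UTC (a time of day, not a date)."""
    return int((epoch_seconds % 86400) * 1000)


def build_icmp_timestamp(msg_type: int, ident: int, seq: int,
                         originate: int, receive: int = 0, transmit: int = 0) -> bytes:
    """Serialise a type 13 or type 14 message with a correct checksum."""
    raw = struct.pack(ICMP_HDR, msg_type, 0, 0, ident, seq, originate, receive, transmit)
    return struct.pack(ICMP_HDR, msg_type, 0, icmp_checksum(raw), ident, seq,
                       originate, receive, transmit)


def build_timestamp_request(ident: int, seq: int, originate_ms: int) -> bytes:
    """Type 13 request: the sender fills in only the originate field."""
    return build_icmp_timestamp(ICMP_TIMESTAMP_REQUEST, ident, seq, originate_ms)


def parse_timestamp_reply(packet: bytes):
    """Return the fields of a type 14 reply, or None if the bytes are not a valid one."""
    if len(packet) < ICMP_LEN:
        return None
    msg_type, code, _, ident, seq, orig, recv, xmit = struct.unpack(ICMP_HDR, packet[:ICMP_LEN])
    if msg_type != ICMP_TIMESTAMP_REPLY or code != 0 or icmp_checksum(packet[:ICMP_LEN]) != 0:
        return None
    return {"id": ident, "seq": seq, "originate": orig, "receive": recv, "transmit": xmit}


def clock_offset_ms(reply: dict, local_receive_ms: int) -> int:
    """Remote-minus-local clock offset with symmetric network delay cancelled out."""
    return ((reply["receive"] - reply["originate"]) + (reply["transmit"] - local_receive_ms)) // 2


def ms_to_hhmmss(ms: int) -> str:
    """Render a timestamp field as the remote host's UTC time of day."""
    s, milli = divmod(ms, 1000)
    h, rem = divmod(s, 3600)
    m, sec = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{sec:02d}.{milli:03d}"


def probe(host: str, timeout: float = 2.0):
    """Send one type 13 request and wait for the matching type 14 reply (needs root/CAP_NET_RAW).
    None means no reply, which is what the WAN IP should return once the local-in policy is active."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    sock.settimeout(timeout)
    ident = os.getpid() & 0xFFFF
    try:
        sock.sendto(build_timestamp_request(ident, 1, ms_since_midnight_utc(time.time())), (host, 0))
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            data, _ = sock.recvfrom(1024)
            ihl = (data[0] & 0x0F) * 4          # raw IPv4 sockets hand back the IP header too
            reply = parse_timestamp_reply(data[ihl:])
            if reply and reply["id"] == ident:  # ignore unrelated ICMP the kernel delivers
                reply["offset_ms"] = clock_offset_ms(reply, ms_since_midnight_utc(time.time()))
                return reply
    except socket.timeout:
        return None
    finally:
        sock.close()
    return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"   # assumed WAN IP
    r = probe(target)
    if r is None:
        print(f"{target}: no ICMP timestamp reply (type 13 blocked or filtered)")
    else:
        print(f"{target}: remote UTC time {ms_to_hhmmss(r['transmit'])}, "
              f"clock offset {r['offset_ms']} ms -> finding still present")
```

Run it against the WAN IP before and after adding the local-in policy; a missing reply within the timeout is the fixed state, while an ordinary ping to the same address should still be answered. Without Python, `nmap -sn -PP <WAN-IP>` (nmap's ICMP timestamp ping) or `hping3 --icmp --icmptype 13 <WAN-IP>` performs the same check.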
