265 lines
8.6 KiB
Plaintext
265 lines
8.6 KiB
Plaintext
# NOTE: THIS IS ONLY A TEMPLATE. CHANGE IT BEFORE APPLYING IT
|
||
|
||
########## Kernel ##########
|
||
|
||
# enable ExecShield protection
|
||
# 2 enables ExecShield by default unless applications bits are set to disabled
|
||
# uncomment on systems without NX/XD protections
|
||
# check with: dmesg | grep --color '[NX|DX]*protection'
|
||
#kernel.exec-shield = 2
|
||
|
||
# enable ASLR
|
||
# turn on protection and randomize stack, vdso page and mmap + randomize brk base address
|
||
kernel.randomize_va_space = 2
|
||
|
||
# controls the System Request debugging functionality of the kernel
|
||
kernel.sysrq = 0
|
||
|
||
# controls whether core dumps will append the PID to the core filename
|
||
# useful for debugging multi-threaded applications
|
||
kernel.core_uses_pid = 1
|
||
|
||
# restrict access to kernel address
|
||
# kernel pointers printed using %pK will be replaced with 0’s regardless of privileges
|
||
kernel.kptr_restrict = 2
|
||
|
||
# Ptrace protection using Yama
|
||
# - 1: only a parent process can be debugged
|
||
# - 2: only admins canuse ptrace (CAP_SYS_PTRACE capability required)
|
||
# - 3: disables ptrace completely, reboot is required to re-enable ptrace
|
||
kernel.yama.ptrace_scope = 3
|
||
|
||
# restrict kernel logs to root only
|
||
kernel.dmesg_restrict = 1
|
||
|
||
# restrict BPF JIT compiler to root only
|
||
kernel.unprivileged_bpf_disabled = 1
|
||
|
||
# disables kexec as it can be used to livepatch the running kernel
|
||
kernel.kexec_load_disabled = 1
|
||
|
||
# disable unprivileged user namespaces to decrease attack surface
|
||
kernel.unprivileged_userns_clone = 0
|
||
|
||
# allow for more PIDs
|
||
# this value can be up to:
|
||
# - 32768 (2^15) on a 32-bit system
|
||
# - 4194304 (2^22) on a 64-bit system
|
||
kernel.pid_max = 4194304
|
||
|
||
# reboot machine after kernel panic
|
||
#kernel.panic = 10
|
||
|
||
# restrict perf subsystem usage
|
||
kernel.perf_event_paranoid = 3
|
||
kernel.perf_cpu_time_max_percent = 1
|
||
kernel.perf_event_max_sample_rate = 1
|
||
|
||
########## File System ##########
|
||
|
||
# disallow core dumping by SUID/SGID programs
|
||
fs.suid_dumpable = 0
|
||
|
||
# protect the creation of hard links
|
||
# one of the following conditions must be fulfilled
|
||
# - the user can only link to files that he or she owns
|
||
# - the user must first have read and write access to a file, that he/she wants to link to
|
||
fs.protected_hardlinks = 1
|
||
|
||
# protect the creation of symbolic links
|
||
# one of the following conditions must be fulfilled
|
||
# - the process following the symbolic link is the owner of the symbolic link
|
||
# - the owner of the directory is also the owner of the symbolic link
|
||
fs.protected_symlinks = 1
|
||
|
||
# enable extended FIFO protection
|
||
fs.protected_fifos = 2
|
||
|
||
# similar to protected_fifos, but it avoids writes to an attacker-controlled regular file
|
||
fs.protected_regular = 2
|
||
|
||
# increase system file descriptor limit
|
||
# this value can be up to:
|
||
# - 2147483647 (0x7fffffff) on a 32-bit system
|
||
# - 9223372036854775807 (0x7fffffffffffffff) on a 64-bit system
|
||
# be aware that the Linux kernel documentation suggests that inode-max should be 3-4 times
|
||
# larger than this value
|
||
fs.file-max = 9223372036854775807
|
||
|
||
# increase the amount of files that can be watched
|
||
# each file watch handle takes 1080 bytes
|
||
# up to 540 MiB of memory will be consumed if all 524288 handles are used
|
||
fs.inotify.max_user_watches = 524288
|
||
|
||
########## Virtualization ##########
|
||
|
||
# do not allow mmap in lower addresses
|
||
vm.mmap_min_addr = 65536
|
||
|
||
# improve mmap ASLR effectness
|
||
vm.mmap_rnd_bits=32
|
||
vm.mmap_rnd_compat_bits=16
|
||
|
||
########## Networking ##########
|
||
|
||
# increase the maximum length of processor input queues
|
||
net.core.netdev_max_backlog = 250000
|
||
|
||
# enable BPF JIT hardening for all users
|
||
# this trades off performance, but can mitigate JIT spraying
|
||
net.core.bpf_jit_harden = 2
|
||
|
||
# increase TCP max buffer size setable using setsockopt()
|
||
#net.core.rmem_max = 8388608
|
||
#net.core.wmem_max = 8388608
|
||
#net.core.rmem_default = 8388608
|
||
#net.core.wmem_default = 8388608
|
||
#net.core.optmem_max = 8388608
|
||
|
||
########## IPv4 Networking ##########
|
||
|
||
# enable BBR congestion control
|
||
net.ipv4.tcp_congestion_control = bbr
|
||
|
||
# disallow IPv4 packet forwarding
|
||
net.ipv4.ip_forward = 0
|
||
|
||
# enable SYN cookies for SYN flooding protection
|
||
net.ipv4.tcp_syncookies = 1
|
||
|
||
# number of times SYNACKs for a passive TCP connection attempt will be retransmitted
|
||
net.ipv4.tcp_synack_retries = 5
|
||
|
||
# do not send redirects
|
||
net.ipv4.conf.default.send_redirects = 0
|
||
net.ipv4.conf.all.send_redirects = 0
|
||
|
||
# do not accept packets with SRR option
|
||
net.ipv4.conf.default.accept_source_route = 0
|
||
net.ipv4.conf.all.accept_source_route = 0
|
||
|
||
# enable reverse path source validation (BCP38)
|
||
# refer to RFC1812, RFC2827, and BCP38 (http://www.bcp38.info)
|
||
net.ipv4.conf.default.rp_filter = 1
|
||
net.ipv4.conf.all.rp_filter = 1
|
||
|
||
# log packets with impossible addresses to kernel log
|
||
net.ipv4.conf.default.log_martians = 1
|
||
net.ipv4.conf.all.log_martians = 1
|
||
|
||
# do not accept ICMP redirect messages
|
||
net.ipv4.conf.default.accept_redirects = 0
|
||
net.ipv4.conf.default.secure_redirects = 0
|
||
net.ipv4.conf.all.accept_redirects = 0
|
||
net.ipv4.conf.all.secure_redirects = 0
|
||
|
||
# disable sending and receiving of shared media redirects
|
||
# this setting overwrites net.ipv4.conf.all.secure_redirects
|
||
# refer to RFC1620
|
||
net.ipv4.conf.default.shared_media = 0
|
||
net.ipv4.conf.all.shared_media = 0
|
||
|
||
# always use the best local address for announcing local IP via ARP
|
||
net.ipv4.conf.default.arp_announce = 2
|
||
net.ipv4.conf.all.arp_announce = 2
|
||
|
||
# reply only if the target IP address is local address configured on the incoming interface
|
||
net.ipv4.conf.default.arp_ignore = 1
|
||
net.ipv4.conf.all.arp_ignore = 1
|
||
|
||
# drop Gratuitous ARP frames to prevent ARP poisoning
|
||
# this can cause issues when ARP proxies are used in the network
|
||
net.ipv4.conf.default.drop_gratuitous_arp = 1
|
||
net.ipv4.conf.all.drop_gratuitous_arp = 1
|
||
|
||
# ignore all ICMP echo requests
|
||
#net.ipv4.icmp_echo_ignore_all = 1
|
||
|
||
# ignore all ICMP echo and timestamp requests sent to broadcast/multicast
|
||
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
||
|
||
# ignore bad ICMP errors
|
||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||
|
||
# mitigate TIME-WAIT Assassination hazards in TCP
|
||
# refer to RFC1337
|
||
net.ipv4.tcp_rfc1337 = 1
|
||
|
||
# disable TCP window scaling
|
||
# this makes the host less susceptible to TCP RST DoS attacks
|
||
net.ipv4.tcp_window_scaling = 0
|
||
|
||
# increase system IP port limits
|
||
net.ipv4.ip_local_port_range = 1024 65535
|
||
|
||
# TCP timestamps could provide protection against wrapped sequence numbers,
|
||
# but the host's uptime can be calculated precisely from its timestamps
|
||
# it is also possible to differentiate operating systems based on their use of timestamps
|
||
# - 0: disable TCP timestamps
|
||
# - 1: enable timestamps as defined in RFC1323 and use random offset for
|
||
# each connection rather than only using the current time
|
||
# - 2: enable timestamps without random offsets
|
||
net.ipv4.tcp_timestamps = 0
|
||
|
||
# enabling SACK can increase the throughput
|
||
# but SACK is commonly exploited and rarely used
|
||
net.ipv4.tcp_sack = 0
|
||
|
||
# divide socket buffer evenly between TCP window size and application
|
||
net.ipv4.tcp_adv_win_scale = 1
|
||
|
||
# increase memory thresholds to prevent packet dropping
|
||
#net.ipv4.tcp_rmem = 4096 87380 8388608
|
||
#net.ipv4.tcp_wmem = 4096 87380 8388608
|
||
|
||
########## IPv6 Networking ##########
|
||
|
||
# disallow IPv6 packet forwarding
|
||
net.ipv6.conf.default.forwarding = 0
|
||
net.ipv6.conf.all.forwarding = 0
|
||
|
||
# number of Router Solicitations to send until assuming no routers are present
|
||
net.ipv6.conf.default.router_solicitations = 0
|
||
net.ipv6.conf.all.router_solicitations = 0
|
||
|
||
# do not accept Router Preference from RA
|
||
net.ipv6.conf.default.accept_ra_rtr_pref = 0
|
||
net.ipv6.conf.all.accept_ra_rtr_pref = 0
|
||
|
||
# learn prefix information in router advertisement
|
||
net.ipv6.conf.default.accept_ra_pinfo = 0
|
||
net.ipv6.conf.all.accept_ra_pinfo = 0
|
||
|
||
# setting controls whether the system will accept Hop Limit settings from a router advertisement
|
||
net.ipv6.conf.default.accept_ra_defrtr = 0
|
||
net.ipv6.conf.all.accept_ra_defrtr = 0
|
||
|
||
# router advertisements can cause the system to assign a global unicast address to an interface
|
||
net.ipv6.conf.default.autoconf = 0
|
||
net.ipv6.conf.all.autoconf = 0
|
||
|
||
# number of neighbor solicitations to send out per address
|
||
net.ipv6.conf.default.dad_transmits = 0
|
||
net.ipv6.conf.all.dad_transmits = 0
|
||
|
||
# number of global unicast IPv6 addresses can be assigned to each interface
|
||
net.ipv6.conf.default.max_addresses = 1
|
||
net.ipv6.conf.all.max_addresses = 1
|
||
|
||
# enable IPv6 Privacy Extensions (RFC3041) and prefer the temporary address
|
||
net.ipv6.conf.default.use_tempaddr = 2
|
||
net.ipv6.conf.all.use_tempaddr = 2
|
||
|
||
# ignore IPv6 ICMP redirect messages
|
||
net.ipv6.conf.default.accept_redirects = 0
|
||
net.ipv6.conf.all.accept_redirects = 0
|
||
|
||
# do not accept packets with SRR option
|
||
net.ipv6.conf.default.accept_source_route = 0
|
||
net.ipv6.conf.all.accept_source_route = 0
|
||
|
||
# ignore all ICMPv6 echo requests
|
||
#net.ipv6.icmp.echo_ignore_all = 1
|
||
#net.ipv6.icmp.echo_ignore_anycast = 1
|
||
#net.ipv6.icmp.echo_ignore_multicast = 1
|