jermdw/sysctl.conf

## sysctl.conf
# Enable syn flood protection
net.ipv4.tcp_syncookies = 1

# Ignore source-routed packets
net.ipv4.conf.all.accept_source_route = 0

# Ignore source-routed packets
net.ipv4.conf.default.accept_source_route = 0

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0

# Ignore ICMP redirects
net.ipv4.conf.default.accept_redirects = 0

# Ignore ICMP redirects from non-GW hosts
net.ipv4.conf.all.secure_redirects = 1

# Ignore ICMP redirects from non-GW hosts
net.ipv4.conf.default.secure_redirects = 1

# Don't allow traffic between networks or act as a router
net.ipv4.ip_forward = 0

# Don't allow traffic between networks or act as a router
net.ipv4.conf.all.send_redirects = 0

# Don't allow traffic between networks or act as a router
net.ipv4.conf.default.send_redirects = 0

# Reverse path filtering - IP spoofing protection
net.ipv4.conf.all.rp_filter = 1

# Reverse path filtering - IP spoofing protection
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcasts to avoid participating in Smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bad ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log spoofed, source-routed, and redirect packets
net.ipv4.conf.all.log_martians = 1

# Log spoofed, source-routed, and redirect packets
net.ipv4.conf.default.log_martians = 1

# Implement RFC 1337 fix
net.ipv4.tcp_rfc1337 = 1

# Randomize addresses of mmap base, heap, stack and VDSO page
kernel.randomize_va_space = 2

# Provide protection from ToCToU races
fs.protected_hardlinks=1

# Provide protection from ToCToU races
fs.protected_symlinks=1

# Make locating kernel addresses more difficult
kernel.kptr_restrict=1

# Set ptrace protections
kernel.yama.ptrace_scope=1

# Set perf only available to root
kernel.perf_event_paranoid=2
	# Enable syn flood protection
	net.ipv4.tcp_syncookies = 1

	# Ignore source-routed packets
	net.ipv4.conf.all.accept_source_route = 0

	# Ignore source-routed packets
	net.ipv4.conf.default.accept_source_route = 0

	# Ignore ICMP redirects
	net.ipv4.conf.all.accept_redirects = 0

	# Ignore ICMP redirects
	net.ipv4.conf.default.accept_redirects = 0

	# Ignore ICMP redirects from non-GW hosts
	net.ipv4.conf.all.secure_redirects = 1

	# Ignore ICMP redirects from non-GW hosts
	net.ipv4.conf.default.secure_redirects = 1

	# Don't allow traffic between networks or act as a router
	net.ipv4.ip_forward = 0

	# Don't allow traffic between networks or act as a router
	net.ipv4.conf.all.send_redirects = 0

	# Don't allow traffic between networks or act as a router
	net.ipv4.conf.default.send_redirects = 0

	# Reverse path filtering - IP spoofing protection
	net.ipv4.conf.all.rp_filter = 1

	# Reverse path filtering - IP spoofing protection
	net.ipv4.conf.default.rp_filter = 1

	# Ignore ICMP broadcasts to avoid participating in Smurf attacks
	net.ipv4.icmp_echo_ignore_broadcasts = 1

	# Ignore bad ICMP errors
	net.ipv4.icmp_ignore_bogus_error_responses = 1

	# Log spoofed, source-routed, and redirect packets
	net.ipv4.conf.all.log_martians = 1

	# Log spoofed, source-routed, and redirect packets
	net.ipv4.conf.default.log_martians = 1

	# Implement RFC 1337 fix
	net.ipv4.tcp_rfc1337 = 1

	# Randomize addresses of mmap base, heap, stack and VDSO page
	kernel.randomize_va_space = 2

	# Provide protection from ToCToU races
	fs.protected_hardlinks=1

	# Provide protection from ToCToU races
	fs.protected_symlinks=1

	# Make locating kernel addresses more difficult
	kernel.kptr_restrict=1

	# Set ptrace protections
	kernel.yama.ptrace_scope=1

	# Set perf only available to root
	kernel.perf_event_paranoid=2