Hardened /etc/sysctl.conf
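# Hardened /etc/sysctl.conf - loaded by `sysctl -p` / `sysctl --system` at boot.
# The net.ipv6.* keys exist only when IPv6 is enabled in the running kernel;
# on hosts without IPv6 load the file with `sysctl -e -p` so they are skipped.

# Enable SYN flood protection (SYN cookies)
net.ipv4.tcp_syncookies = 1

# Ignore source-routed packets (IPv4 and IPv6)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignore ICMP redirects (IPv4 and IPv6)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Also refuse "secure" redirects: a value of 1 still accepts redirects that
# come from a default gateway, 0 refuses them all (CIS-recommended value).
# Has no effect while accept_redirects = 0, but keeps the intent explicit.
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Do not forward traffic between networks or act as a router.
# NOTE: hosts that must route (VPN gateways, container hosts) need ip_forward = 1.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Reverse path filtering - IP spoofing protection (1 = strict mode, RFC 3704)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP echo requests sent to broadcast addresses (Smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP error responses instead of logging each one
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log martian packets (spoofed, source-routed, redirect) to the kernel log;
# useful for detection, but can be noisy on busy hosts
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Implement RFC 1337 fix (drop RST segments for sockets in TIME_WAIT)
net.ipv4.tcp_rfc1337 = 1

# Full ASLR: randomize mmap base, heap, stack and VDSO page (2 = all of them)
kernel.randomize_va_space = 2

# Restrict following of symlinks / creation of hardlinks in world-writable
# sticky directories such as /tmp, closing the classic TOCTOU link races
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

# Hide kernel pointers from unprivileged users (1 = shown only with CAP_SYSLOG)
kernel.kptr_restrict = 1

# Yama ptrace scope: a process may only be traced by its ancestors
# (1 = restricted; requires the Yama LSM to be built in and enabled)
kernel.yama.ptrace_scope = 1

# Restrict perf to privileged users (2 = no kernel profiling or raw
# tracepoint access for unprivileged users)
kernel.perf_event_paranoid = 2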