Created
August 16, 2017 10:13
-
-
Save jstangroome/be4bee805c97063c28869ff4d636ed26 to your computer and use it in GitHub Desktop.
/etc/sysctl.d/99-gce.conf from Google Compute Engine source image ubuntu-1604-xenial-v20170811
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Requirements from Google. Documented at: | |
# https://developers.google.com/compute/docs/images#buildingimage | |
# Prevent users from allocating low virtual memory | |
vm.mmap_min_addr = 65536 | |
# enables syn flood protection | |
net.ipv4.tcp_syncookies = 1 | |
# ignores source-routed packets | |
net.ipv4.conf.all.accept_source_route = 0 | |
# ignores source-routed packets | |
net.ipv4.conf.default.accept_source_route = 0 | |
# ignores ICMP redirects | |
net.ipv4.conf.all.accept_redirects = 0 | |
# ignores ICMP redirects | |
net.ipv4.conf.default.accept_redirects = 0 | |
# ignores ICMP redirects from non-GW hosts | |
net.ipv4.conf.all.secure_redirects = 1 | |
# ignores ICMP redirects from non-GW hosts | |
net.ipv4.conf.default.secure_redirects = 1 | |
# don't allow traffic between networks or act as a router | |
net.ipv4.ip_forward = 0 | |
# don't allow traffic between networks or act as a router | |
net.ipv4.conf.all.send_redirects = 0 | |
# don't allow traffic between networks or act as a router | |
net.ipv4.conf.default.send_redirects = 0 | |
# reverse path filtering - IP spoofing protection | |
net.ipv4.conf.all.rp_filter = 1 | |
# reverse path filtering - IP spoofing protection | |
net.ipv4.conf.default.rp_filter = 1 | |
# reverse path filtering - IP spoofing protection | |
net.ipv4.conf.default.rp_filter = 1 | |
# ignores ICMP broadcasts to avoid participating in Smurf attacks | |
net.ipv4.icmp_echo_ignore_broadcasts = 1 | |
# ignores bad ICMP errors | |
net.ipv4.icmp_ignore_bogus_error_responses = 1 | |
# logs spoofed, source-routed, and redirect packets | |
net.ipv4.conf.all.log_martians = 1 | |
# log spoofed, source-routed, and redirect packets | |
net.ipv4.conf.default.log_martians = 1 | |
# implements RFC 1337 fix | |
net.ipv4.tcp_rfc1337 = 1 | |
# randomizes addresses of mmap base, heap, stack and VDSO page | |
kernel.randomize_va_space = 2 | |
# provides protection from ToCToU races | |
fs.protected_hardlinks=1 | |
# provides protection from ToCToU races | |
fs.protected_symlinks=1 | |
# makes locating kernel addresses more difficult | |
kernel.kptr_restrict=1 | |
# set ptrace protections | |
kernel.yama.ptrace_scope=1 | |
# set perf only available to root | |
kernel.perf_event_paranoid=2 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment