Skip to content

Instantly share code, notes, and snippets.

@jstangroome
Created August 16, 2017 10:13
Show Gist options
  • Save jstangroome/be4bee805c97063c28869ff4d636ed26 to your computer and use it in GitHub Desktop.
Save jstangroome/be4bee805c97063c28869ff4d636ed26 to your computer and use it in GitHub Desktop.
/etc/sysctl.d/99-gce.conf from Google Compute Engine source image ubuntu-1604-xenial-v20170811
# Requirements from Google. Documented at:
# https://developers.google.com/compute/docs/images#buildingimage
# Prevent users from allocating low virtual memory
vm.mmap_min_addr = 65536
# enables syn flood protection
net.ipv4.tcp_syncookies = 1
# ignores source-routed packets
net.ipv4.conf.all.accept_source_route = 0
# ignores source-routed packets
net.ipv4.conf.default.accept_source_route = 0
# ignores ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
# ignores ICMP redirects
net.ipv4.conf.default.accept_redirects = 0
# ignores ICMP redirects from non-GW hosts
net.ipv4.conf.all.secure_redirects = 1
# ignores ICMP redirects from non-GW hosts
net.ipv4.conf.default.secure_redirects = 1
# don't allow traffic between networks or act as a router
net.ipv4.ip_forward = 0
# don't allow traffic between networks or act as a router
net.ipv4.conf.all.send_redirects = 0
# don't allow traffic between networks or act as a router
net.ipv4.conf.default.send_redirects = 0
# reverse path filtering - IP spoofing protection
net.ipv4.conf.all.rp_filter = 1
# reverse path filtering - IP spoofing protection
net.ipv4.conf.default.rp_filter = 1
# reverse path filtering - IP spoofing protection
net.ipv4.conf.default.rp_filter = 1
# ignores ICMP broadcasts to avoid participating in Smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1
# ignores bad ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1
# logs spoofed, source-routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
# log spoofed, source-routed, and redirect packets
net.ipv4.conf.default.log_martians = 1
# implements RFC 1337 fix
net.ipv4.tcp_rfc1337 = 1
# randomizes addresses of mmap base, heap, stack and VDSO page
kernel.randomize_va_space = 2
# provides protection from ToCToU races
fs.protected_hardlinks=1
# provides protection from ToCToU races
fs.protected_symlinks=1
# makes locating kernel addresses more difficult
kernel.kptr_restrict=1
# set ptrace protections
kernel.yama.ptrace_scope=1
# set perf only available to root
kernel.perf_event_paranoid=2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment