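### SYSCTL CONFIG ##############################################################
# Kernel parameters in sysctl.conf(5) format: one `key = value` per line,
# `#` starts a full-line comment.  Applied with `sysctl -p <file>` or from a
# sysctl.d directory at boot.
# Interfaces created after this file is applied inherit the
# `net.*.conf.default.*` values, and for several keys the kernel enables a
# feature on an interface if EITHER the `all` or the per-interface value is
# set.  Those keys are therefore set for both `all` and `default`.

### NETWORKING
# Disable packet forwarding (we are not a router)
net.ipv4.ip_forward = 0
# Disable sending redirects (we are not a router).
# send_redirects is enabled on an interface if all OR interface is 1.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Disable IPv6, including on interfaces brought up later
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# Disable IPv6 traffic forwarding.
net.ipv6.conf.all.forwarding = 0
# Limit configuration information disclosed by IPv6
# Ignore Router Advertisements on IPv6
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
# Do not send Router Solicitations on IPv6 (0 = none)
net.ipv6.conf.all.router_solicitations = 0
# Ignore the Router Preference field of Router Advertisements
net.ipv6.conf.all.accept_ra_rtr_pref = 0
# Ignore Prefix Information options of Router Advertisements
net.ipv6.conf.all.accept_ra_pinfo = 0
# Do not learn a default router from Router Advertisements
net.ipv6.conf.all.accept_ra_defrtr = 0
# Disable stateless address autoconfiguration (SLAAC)
net.ipv6.conf.all.autoconf = 0
# Number of Duplicate Address Detection probes; 0 disables DAD
net.ipv6.conf.all.dad_transmits = 0
# Maximum number of autoconfigured addresses per interface
net.ipv6.conf.all.max_addresses = 1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification.
# The kernel uses the maximum of all/interface, so `all = 1` already applies
# everywhere; `default` is set for clarity and for tools that check it.
# 1 - Strict mode: each incoming packet is tested against the FIB and the
#     packet is dropped if the interface is not the best reverse path.
#     Allows multiple interfaces on the same subnet only with source-based
#     routing, i.e. it controls which interface (usually 1) answers an ARP
#     request.
# 0 - (default) No source validation. The kernel can respond to ARP requests
#     with addresses from other interfaces; IP addresses are owned by the
#     complete host on Linux, not by particular interfaces. Only for more
#     complex setups like load-balancing does the validated behaviour cause
#     problems.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP redirects.
# With forwarding disabled, accept_redirects is enabled on an interface if
# all OR interface is 1, so `default` must be 0 as well.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Do not accept redirects even from configured gateways
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Ignore any ICMP ECHO requests (ping). Note: this host will not answer
# ping-based monitoring.
net.ipv4.icmp_echo_ignore_all = 1
# Ignore all ICMP ECHO and TIMESTAMP requests received via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Limit the amount of traffic the system uses for ICMP (jiffies between
# packets of the types selected by icmp_ratemask).
net.ipv4.icmp_ratelimit = 100
# Adjust the ICMP ratemask to include echo reply, destination unreachable,
# source quench, time exceeded, parameter problem, timestamp reply and
# information reply (bit mask of ICMP types; 88089 = bits 0,3,4,11,12,14,16).
net.ipv4.icmp_ratemask = 88089
# There is no reason to accept bogus error responses from ICMP, so ignore them instead.
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log spoofed packets, source-routed packets and redirect packets (martians).
# Enabled so that the packets dropped by the settings above are visible in
# the kernel log; can be noisy on misconfigured networks.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Decrease the time default value for tcp_fin_timeout connection (seconds)
net.ipv4.tcp_fin_timeout = 15
# Decrease the time default value for tcp_keepalive_time connection (seconds)
net.ipv4.tcp_keepalive_time = 1800
# Disable TCP window scaling (disabled)
# net.ipv4.tcp_window_scaling = 0
# Turn off TCP SACK
# Selective ACK computes/sends more precise ACKs and may be used for high-delay links
# SACK allows an attacker to force the machine to keep/process long/complex retransmission queues (possible DoS)
net.ipv4.tcp_sack = 0
# Turn off TCP timestamps.
# Timestamps provide PAWS protection against wrapped sequence numbers at
# gigabit speeds but also expose the host's uptime; disabling them trades
# that protection for less fingerprinting.
net.ipv4.tcp_timestamps = 0
# Don't relay BOOTP
net.ipv4.conf.all.bootp_relay = 0
# Enable TCP SYN Cookies (SYN flood Protection)
net.ipv4.tcp_syncookies = 1
# SYN-ACK retransmissions for passive (incoming) connections
net.ipv4.tcp_synack_retries = 2
# SYN retransmissions for active (outgoing) connections
net.ipv4.tcp_syn_retries = 5
# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
net.ipv4.tcp_max_tw_buckets = 1440000
# Define restrictions for announcing the local source IP address from IP packets in ARP requests sent on interface
# 0 - (default) Use any local address, configured on any interface
# 1 - Try to avoid local addresses that are not in the target's subnet for this interface.
# 2 - Always use the best local address for this target.
net.ipv4.conf.all.arp_announce = 2
# Define mode for sending replies in response to received ARP requests
# 0 - (default): reply for any local target IP address, configured on any interface
# 1 - reply only if the target IP address is local address configured on the incoming interface
# 2 - reply only if the target IP address is local address configured on the incoming interface AND is part of the sender's IP subnet
# 3 - do not reply for local addresses configured with scope host, only resolutions for global and link addresses are replied
# 4-7 - reserved
# 8 - never reply
net.ipv4.conf.all.arp_ignore = 1
# Define mode for notification of address and device changes.
# 0 - (default): do nothing
# 1 - Generate gratuitous arp requests when device is brought up or hardware address changes.
# net.ipv4.conf.all.arp_notify = 0
# Define behavior when receiving gratuitous ARP frames whose IP is not already present in the ARP table
# 0 - don't create new entries in the ARP table
# 1 - create new entries in the ARP table
# net.ipv4.conf.all.arp_accept = 0
# Don't proxy ARP for anyone
net.ipv4.conf.all.proxy_arp = 0

### MEMORY/SWAP
# Do not swap unless necessary
vm.swappiness = 10
# Prefer caching pages over inodes/dentries (values above 100 reclaim
# dentry/inode caches more aggressively)
vm.vfs_cache_pressure = 150
# The kernel flusher threads will periodically wake up and write old data out to disk.
# This tunable expresses the interval between those wakeups, in 100ths of a second.
# vm.dirty_writeback_centisecs = 500
# increase the limit on the number of watches that can be created per real user ID
# fs.inotify.max_user_watches = 524288

### MISC SECURITY
# Disable the magic-sysrq key
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
kernel.core_uses_pid = 1
# Prevent core dumps from SUID processes. These are usually only needed by developers and may contain sensitive information.
fs.suid_dumpable = 0
# Restrict exposing kernel addresses via /proc and other interfaces (e.g.
# /proc/kallsyms, /proc/modules, etc). A value of "0" allows all users to
# see the kernel addresses. A value of "1" limits visibility to the root
# user, and "2" blocks even the root user.
kernel.kptr_restrict = 1
# The PTRACE system is used for debugging. With it, a single user process
# can attach to any other dumpable process owned by the same user. In the
# case of malicious software, it is possible to use PTRACE to access
# credentials that exist in memory (re-using existing SSH connections,
# extracting GPG agent information, etc).
# A PTRACE scope of "0" is the more permissive mode. A scope of "1" limits
# PTRACE only to direct child processes (e.g. "gdb name-of-program" and
# "strace -f name-of-program" work, but gdb's "attach" and "strace -fp $PID"
# do not). The PTRACE scope is ignored when a user has CAP_SYS_PTRACE, so
# "sudo strace -fp $PID" will work as before. For more details see:
# https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace
# For applications launching crash handlers that need PTRACE, exceptions can
# be registered by the debuggee by declaring in the segfault handler
# specifically which process will be using PTRACE on the debuggee:
# prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0);
# In general, PTRACE is not needed for the average running Ubuntu system.
# To that end, the default is to set the PTRACE scope to "1". This value
# may not be appropriate for developers or servers with only admin accounts.
kernel.yama.ptrace_scope = 1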