### SYSCTL CONFIG ############################################################## ### NETWORKING # Disable packet forwarding (we are not a router) net.ipv4.ip_forward = 0 # Disable sending redirects (we are not a router) net.ipv4.conf.all.send_redirects = 0 # Disable IPv6 net.ipv6.conf.all.disable_ipv6 = 1 # Disable IPv6 traffic forwarding. net.ipv6.conf.all.forwarding = 0 # Limit configuration information disclosed by IPv6 # Ignore Router Advertisements on IPv6 net.ipv6.conf.all.accept_ra = 0 # Ignore Router Solicitations on IPv6 net.ipv6.conf.all.router_solicitations = 0 # TODO better documentation net.ipv6.conf.all.accept_ra_rtr_pref = 0 net.ipv6.conf.all.accept_ra_pinfo = 0 net.ipv6.conf.all.accept_ra_defrtr = 0 net.ipv6.conf.all.autoconf = 0 net.ipv6.conf.all.dad_transmits = 0 net.ipv6.conf.all.max_addresses = 1 # Disable IP source routing net.ipv4.conf.all.accept_source_route = 0 # Enable IP spoofing protection, turn on source route verification # 1 - Allows you to have multiple network interfaces on the same subnet, and have the ARPs for each interface be answered based on whether or not the kernel would route a packet from the ARP'd IP out that interface (therefore you must use source based routing for this to work). In other words it allows control of which cards (usually 1) will respond to an arp request. # 0 - (default) The kernel can respond to arp requests with addresses from other interfaces. This may seem wrong but it usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the complete host on Linux, not by particular interfaces. Only for more complex setups like load- balancing, does this behaviour cause problems. net.ipv4.conf.all.rp_filter = 1 # Ignore ICMP redirects net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 # Ignore any ICMP ECHO requests (ping) net.ipv4.icmp_echo_ignore_all = 1 # Ignore all ICMP ECHO and TIMESTAMP requests received vai broadcast/multicast net.ipv4.icmp_echo_ignore_broadcasts = 1 # Limit the amount of traffic the system uses for ICMP. net.ipv4.icmp_ratelimit = 100 # Adjust the ICMP ratelimit to include ping, dst unreachable, source quench, ime exceed, param problem, timestamp reply, information reply net.ipv4.icmp_ratemask = 88089 # There is no reason to accept bogus error responses from ICMP, so ignore them instead. net.ipv4.icmp_ignore_bogus_error_responses = 1 # Log Spoofed Packets, Source Routed Packets, Redirect Packets net.ipv4.conf.all.log_martians = 0 # Decrease the time default value for tcp_fin_timeout connection net.ipv4.tcp_fin_timeout = 15 # Decrease the time default value for tcp_keepalive_time connection net.ipv4.tcp_keepalive_time = 1800 # Disable TCP window scaling (disabled) # net.ipv4.tcp_window_scaling = 0 # Turn off TCP SACK # Selective ACK computes/sends more precises ACKs and may be used for high-delay links # SACK allows an attacker to force the machine to keep/process long/complex retransmission queues (possible DoS) net.ipv4.tcp_sack = 0 # Turn off TCP timestamps # Protect against wrapping sequence numbers at gigabit speeds net.ipv4.tcp_timestamps = 0 # Don't relay BOOTP net.ipv4.conf.all.bootp_relay = 0 # Enable TCP SYN Cookies (SYN flood Protection) net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_synack_retries = 2 net.ipv4.tcp_syn_retries = 5 # Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks net.ipv4.tcp_max_tw_buckets = 1440000 # Define restrictions for announcing the local source IP address from IP packets in ARP requests sent on interface # 0 - (default) Use any local address, configured on any interface # 1 - Try to avoid local addresses that are not in the target's subnet for this interface. # 2 - Always use the best local address for this target. net.ipv4.conf.all.arp_announce = 2 # Define mode for sending replies in response to received ARP requests # 0 - (default): reply for any local target IP address, configured on any interface # 1 - reply only if the target IP address is local address configured on the incoming interface # 2 - reply only if the target IP address is local address configured on the incoming interface AND is part of the sender's IP subnet # 3 - do not reply for local addresses configured with scope host, only resolutions for global and link addresses are replied # 4-7 - reserved # 8 - never reply net.ipv4.conf.all.arp_ignore = 1 # Define mode for notification of address and device changes. # 0 - (default): do nothing # 1 - Generate gratuitous arp requests when device is brought up or hardware address changes. # net.ipv4.conf.all.arp_notify = 0 # Define behavior when receiving gratuitous ARP frames whose IP is not already present in the ARP table # 0 - don't create new entries in the ARP table # 1 - create new entries in the ARP table # net.ipv4.conf.all.arp_accept = 0 # Don't proxy ARP for anyone net.ipv4.conf.all.proxy_arp = 0 ### MEMORY/SWAP # Do not swap unless necessary vm.swappiness = 10 # Prefer caching pages over inodes/dentries vm.vfs_cache_pressure = 150 # The kernel flusher threads will periodically wake up and write `old’ data out to disk. # This tunable expresses the interval between those wakeups, in 100’ths of a second. # vm.dirty_writeback_centisecs = 500 # increase the limit on the number of watches that can be created per real user ID # fs.inotify.max_user_watches = 524288 ### MISC SECURITY # Disable the magic-sysrq key kernel.sysrq = 0 # Controls whether core dumps will append the PID to the core filename. kernel.core_uses_pid = 1 # Prevent core dumps from SUID processes. These are usually only needed by developers and may contain sensitive information. fs.suid_dumpable = 0 # Restrict exposing kernel addresses via /proc and other interfaces e.g. # /proc/kallsyms, /proc/modules, etc) A value of "0" allows all users to # see the kernel addresses. A value of "1" limits visibility to the root # user, and "2" blocks even the root user. kernel.kptr_restrict = 1 # The PTRACE system is used for debugging. With it, a single user process # can attach to any other dumpable process owned by the same user. In the # case of malicious software, it is possible to use PTRACE to access # credentials that exist in memory (re-using existing SSH connections, # extracting GPG agent information, etc). # A PTRACE scope of "0" is the more permissive mode. A scope of "1" limits # PTRACE only to direct child processes (e.g. "gdb name-of-program" and # "strace -f name-of-program" work, but gdb's "attach" and "strace -fp $PID" # do not). The PTRACE scope is ignored when a user has CAP_SYS_PTRACE, so # "sudo strace -fp $PID" will work as before. For more details see: # https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace # For applications launching crash handlers that need PTRACE, exceptions can # be registered by the debugee by declaring in the segfault handler # specifically which process will be using PTRACE on the debugee: # prctl(PR_SET_PTRACER, debugger_pid, 0, 0, 0); # In general, PTRACE is not needed for the average running Ubuntu system. # To that end, the default is to set the PTRACE scope to "1". This value # may not be appropriate for developers or servers with only admin accounts. kernel.yama.ptrace_scope = 1