Linux kernel hardening: Kernel parameters with sysctl
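###
### SYSTEM SECURITY ###
### Inspired from https://www.kmotoko.com/articles/linux-hardening-kernel-parameters-with-sysctl/
###
### Load with `sysctl --system` (drop into /etc/sysctl.d/) or `sysctl -p <file>`.
### A key the running kernel does not expose (older kernel, option compiled
### out, IPv6 disabled) makes sysctl print an error for that line and carry
### on with the rest; re-check the output after a kernel upgrade.
###
# Full ASLR: randomize stack, mmap base, VDSO and heap (brk). 2 is the
# mainline default; stated explicitly so a distro or image override cannot
# silently lower it.
kernel.randomize_va_space = 2
# Never write core dumps for processes that changed privilege (set-uid,
# set-gid, capabilities) - their memory may contain secrets.
fs.suid_dumpable = 0
# Hide kernel pointers (%pK) in /proc, /sys and logs to make KASLR leaks
# harder. 1 = shown only to CAP_SYSLOG with real uid == effective uid;
# 2 = hidden from everyone, including root (breaks perf/ftrace symbol
# resolution, so only go to 2 on machines nobody profiles).
kernel.kptr_restrict = 1
# dmesg readable only with CAP_SYSLOG; kernel logs leak addresses, driver
# and hardware details, and oops traces.
kernel.dmesg_restrict = 1
# Yama LSM ptrace scope: 1 = a process may only ptrace its own descendants
# (attaching to an unrelated process, e.g. `gdb -p`/`strace -p`, needs
# CAP_SYS_PTRACE or the tracee calling prctl(PR_SET_PTRACER)).
# 2 = only CAP_SYS_PTRACE may attach; 3 = ptrace disabled, set-once until
# reboot. Requires CONFIG_SECURITY_YAMA; the key is absent otherwise.
kernel.yama.ptrace_scope = 1
# Symlinks in world-writable sticky directories (/tmp) are only followed
# when the follower owns the link or the directory; hard links may only be
# created to files the caller owns or can write. Closes the classic /tmp
# race family. Kernel 3.6+ (most distros already default to 1).
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
# Same idea for O_CREAT opens of FIFOs and regular files that the caller
# does not own in world-writable sticky directories; 2 extends the check
# to group-writable sticky directories. Kernel 4.19+ (error on older).
fs.protected_fifos = 2
fs.protected_regular = 2
# Unprivileged processes may not call bpf(2) - removes the largest piece
# of unprivileged kernel attack surface. 1 is set-once: it cannot be
# reverted without a reboot (recent kernels also accept 2, which root may
# revert). Tooling that loads BPF must run with CAP_BPF/CAP_SYS_ADMIN.
kernel.unprivileged_bpf_disabled = 1
###
### Deprecated/Not-in-use keys for security
### Kept as comments so nobody re-adds them: they do not exist in current
### mainline kernels and would make sysctl report an error.
###
# The contents of /proc/<pid>/maps and smaps files are only visible to
# readers that are allowed to ptrace() the process. This check became
# unconditional and the switch was removed (around 2.6.27), so nothing
# needs to be set.
# kernel.maps_protect = 1
# ExecShield was a Red Hat-specific patch set; mainline provides NX
# enforcement and ASLR (randomize_va_space above) instead.
# kernel.exec-shield = 1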
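###
### NETWORK SECURITY ###
### conf/all applies to existing interfaces, conf/default seeds interfaces
### created later. For many keys the kernel combines all and interface
### (max, AND or OR - see Documentation/networking/ip-sysctl), so a value
### that must stick is set on both.
###
# Harden the BPF JIT (constant blinding against JIT spraying).
# 1 = unprivileged programs only; 2 = all programs, at a small cost per
# load. If unprivileged BPF is disabled, only 2 adds anything.
net.core.bpf_jit_harden = 1
# SYN-flood mitigation: answer with SYN cookies once the SYN backlog
# (tcp_max_syn_backlog) is full instead of dropping new connections.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
# Retransmit our SYN-ACK for a half-open connection only twice (default 5)
# so unanswered SYNs leave the backlog sooner.
net.ipv4.tcp_synack_retries = 2
# NOTE: tcp_syn_retries is the *outbound* side - how often this host
# retransmits its own SYN before connect() fails (2 gives up after roughly
# 7 s, the default 6 after roughly 2 min). It is not a flood control; it
# only shortens connect timeouts to slow or lossy peers. Raise it if
# outbound connections to distant services start failing.
net.ipv4.tcp_syn_retries = 2
# Disable packet forwarding - this is a host, not a router. The kernel
# documents that changing ip_forward resets related per-interface
# parameters to their defaults, so keep it ABOVE the redirect and
# source-route settings below. Hosts running containers/VMs with bridged
# or NAT networking need forwarding on.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
# Reverse-path filtering (RFC 3704): drop packets whose source address
# would not be routed back out the interface they arrived on (anti-spoof).
# 1 = strict, which breaks asymmetric routing on multi-homed hosts - use 2
# (loose) there. The kernel uses max(all, interface), so "all" wins.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log packets with impossible (martian) source addresses, including those
# rp_filter drops, so spoofing attempts are visible. Log-only; the kernel
# rate-limits it, but it can still be noisy on hostile networks.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Do not accept ICMP redirects (a neighbour could re-route our traffic).
# With forwarding off, IPv4 accept_redirects is ON if *either* all or the
# interface flag is set, so "all" alone is not enough - set both.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# secure_redirects (accept only from the current gateway) is OR'd the same
# way and moot once accept_redirects is 0; set to 0 for consistency.
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Do not send ICMP redirects (only routers should, and they leak topology).
# Also OR'd across all/interface.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Drop source-routed packets (attacker-chosen path, classic spoofing aid).
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Don't relay bootp. NOTE: ip-sysctl documents bootp_relay as "Not
# Implemented Yet" and 0 is its default, so this line is harmless but
# currently a no-op.
net.ipv4.conf.all.bootp_relay = 0
# Disable proxy ARP (answering ARP for other hosts' addresses). proxy_arp
# is ON if *either* all or the interface flag is set, so an interface that
# already has it enabled is not turned off by "all" alone.
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.default.proxy_arp = 0
# Answer ARP requests only for addresses configured on the receiving
# interface, and announce only addresses from the outgoing interface's
# subnet - stops leaking internal addresses on multi-homed hosts.
# Both use max(all, interface), so "all" is sufficient.
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
# Rogue IPv6 Router Advertisements can install a default route or prefix
# on any host that processes RAs (the default when forwarding is off).
# Disable RA processing where addresses are static or from DHCPv6; leave
# it enabled where SLAAC is used (most desktops and laptops).
# net.ipv6.conf.all.accept_ra = 0
# net.ipv6.conf.default.accept_ra = 0
# Mitigate time-wait assassination hazards in TCP (RFC 1337): ignore RSTs
# received for sockets in TIME-WAIT.
net.ipv4.tcp_rfc1337 = 1
# Stop logging ICMP errors that violate RFC 1122 (bogus responses from
# broken routers would otherwise spam the kernel log).
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP echo requests sent to broadcast/multicast addresses (smurf
# amplification).
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Flush cached routes so already-established state picks up the settings
# above. These are write-only triggers: they must stay LAST, because any
# key added below them is applied without a flush. Less important since
# 3.6 removed the IPv4 routing cache, but still harmless.
net.ipv4.route.flush = 1
net.ipv6.route.flush = 1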