@@ -52,8 +52,8 @@ curl -sSL akas.io/sysctl -o sysctl.conf
5252# Name: K4YT3X Hardened sysctl Configuration
5353# Author: K4YT3X
5454# Date Created: October 5, 2020
55- # Last Updated: October 5 , 2020
56- # Version: 1.0
55+ # Last Updated: October 6 , 2020
56+ # Version: 1.1
5757
5858# Licensed under the GNU General Public License Version 3 (GNU GPL v3),
5959# available at: https://www.gnu.org/licenses/gpl-3.0.txt
@@ -93,6 +93,18 @@ kernel.kptr_restrict = 2
9393# - 3: disables ptrace completely, reboot is required to re-enable ptrace
9494kernel.yama.ptrace_scope = 3
9595
96+ # restrict kernel logs to root only
97+ kernel.dmesg_restrict = 1
98+
99+ # restrict BPF JIT compiler to root only
100+ kernel.unprivileged_bpf_disabled = 1
101+
102+ # disables kexec as it can be used to livepatch the running kernel
103+ kernel.kexec_load_disabled = 1
104+
105+ # disable unprivileged user namespaces to decrease attack surface
106+ kernel.unprivileged_userns_clone = 0
107+
96108# allow for more PIDs
97109kernel.pid_max = 65536
98110
@@ -116,9 +128,37 @@ fs.protected_hardlinks = 1
116128# - the owner of the directory is also the owner of the symbolic link
117129fs.protected_symlinks = 1
118130
131+ # enable extended FIFO protection
132+ fs.protected_fifos = 2
133+
134+ # similar to protected_fifos, but it avoids writes to an attacker-controlled regular file
135+ fs.protected_regular = 2
136+
119137# increase system file descriptor limit
120138fs.file-max = 65535
121139
140+ # ######### Virtualization ##########
141+
142+ # improve mmap ASLR effectness
143+ vm.mmap_rnd_bits =32
144+ vm.mmap_rnd_compat_bits =16
145+
146+ # ######### Networking ##########
147+
148+ # increase the maximum length of processor input queues
149+ net.core.netdev_max_backlog = 250000
150+
151+ # enable BPF JIT hardening for all users
152+ # this trades off performance, but can mitigate JIT spraying
153+ net.core.bpf_jit_harden = 2
154+
155+ # increase TCP max buffer size setable using setsockopt()
156+ # net.core.rmem_max = 8388608
157+ # net.core.wmem_max = 8388608
158+ # net.core.rmem_default = 8388608
159+ # net.core.wmem_default = 8388608
160+ # net.core.optmem_max = 8388608
161+
122162# ######### IPv4 Networking ##########
123163
124164# enable BBR congestion control
@@ -147,32 +187,43 @@ net.ipv4.conf.default.rp_filter = 1
147187net.ipv4.conf.all.rp_filter = 1
148188
149189# log packets with impossible addresses to kernel log
150- net.ipv4.conf.all.log_martians = 1
151190net.ipv4.conf.default.log_martians = 1
191+ net.ipv4.conf.all.log_martians = 1
152192
153193# do not accept ICMP redirect messages
154194net.ipv4.conf.default.accept_redirects = 0
155- net.ipv4.conf.all.accept_redirects = 0
156195net.ipv4.conf.default.secure_redirects = 0
196+ net.ipv4.conf.all.accept_redirects = 0
157197net.ipv4.conf.all.secure_redirects = 0
158198
159199# disable sending and receiving of shared media redirects
160200# this setting overwrites net.ipv4.conf.all.secure_redirects
161201# refer to RFC1620
202+ net.ipv4.conf.default.shared_media = 0
162203net.ipv4.conf.all.shared_media = 0
163204
164- # ignore all ICMP ECHO and TIMESTAMP requests sent to broadcast/multicast
165- net.ipv4.icmp_echo_ignore_broadcasts = 1
166-
167- # ignore bad ICMP errors
168- net.ipv4.icmp_ignore_bogus_error_responses = 1
169-
170205# always use the best local address for announcing local IP via ARP
206+ net.ipv4.conf.default.arp_announce = 2
171207net.ipv4.conf.all.arp_announce = 2
172208
173209# reply only if the target IP address is local address configured on the incoming interface
210+ net.ipv4.conf.default.arp_ignore = 1
174211net.ipv4.conf.all.arp_ignore = 1
175212
213+ # drop Gratuitous ARP frames to prevent ARP poisoning
214+ # this can cause issues when ARP proxies are used in the network
215+ net.ipv4.conf.default.drop_gratuitous_arp = 1
216+ net.ipv4.conf.all.drop_gratuitous_arp = 1
217+
218+ # ignore all ICMP echo requests
219+ # net.ipv4.icmp_echo_ignore_all = 1
220+
221+ # ignore all ICMP echo and timestamp requests sent to broadcast/multicast
222+ net.ipv4.icmp_echo_ignore_broadcasts = 1
223+
224+ # ignore bad ICMP errors
225+ net.ipv4.icmp_ignore_bogus_error_responses = 1
226+
176227# mitigate TIME-WAIT Assassination hazards in TCP
177228# refer to RFC1337
178229net.ipv4.tcp_rfc1337 = 1
@@ -187,49 +238,57 @@ net.ipv4.ip_local_port_range = 2000 65000
187238# disable TCP timestamps for better CPU utilization
188239net.ipv4.tcp_timestamps = 0
189240
190- # enable TCP selective ACKs for better throughput
191- net.ipv4.tcp_sack = 1
241+ # enabling SACK can increase the throughput
242+ # but SACK is commonly exploited and rarely used
243+ net.ipv4.tcp_sack = 0
192244
193245# divide socket buffer evenly between TCP window size and application
194246net.ipv4.tcp_adv_win_scale = 1
195247
196- # increase the maximum length of processor input queues
197- net.core.netdev_max_backlog = 250000
198-
199248# increase memory thresholds to prevent packet dropping
200249# net.ipv4.tcp_rmem = 4096 87380 8388608
201250# net.ipv4.tcp_wmem = 4096 87380 8388608
202251
203- # increase TCP max buffer size setable using setsockopt()
204- # net.core.rmem_max = 8388608
205- # net.core.wmem_max = 8388608
206- # net.core.rmem_default = 8388608
207- # net.core.wmem_default = 8388608
208- # net.core.optmem_max = 8388608
209-
210252# ######### IPv6 Networking ##########
211253
212254# disallow IPv6 packet forwarding
255+ net.ipv6.conf.default.forwarding = 0
213256net.ipv6.conf.all.forwarding = 0
214257
215258# number of Router Solicitations to send until assuming no routers are present
216259net.ipv6.conf.default.router_solicitations = 0
260+ net.ipv6.conf.all.router_solicitations = 0
217261
218262# do not accept Router Preference from RA
219263net.ipv6.conf.default.accept_ra_rtr_pref = 0
264+ net.ipv6.conf.all.accept_ra_rtr_pref = 0
220265
221266# learn prefix information in router advertisement
222267net.ipv6.conf.default.accept_ra_pinfo = 0
268+ net.ipv6.conf.all.accept_ra_pinfo = 0
223269
224270# setting controls whether the system will accept Hop Limit settings from a router advertisement
225271net.ipv6.conf.default.accept_ra_defrtr = 0
272+ net.ipv6.conf.all.accept_ra_defrtr = 0
226273
227274# router advertisements can cause the system to assign a global unicast address to an interface
228275net.ipv6.conf.default.autoconf = 0
276+ net.ipv6.conf.all.autoconf = 0
229277
230278# number of neighbor solicitations to send out per address
231279net.ipv6.conf.default.dad_transmits = 0
280+ net.ipv6.conf.all.dad_transmits = 0
232281
233282# number of global unicast IPv6 addresses can be assigned to each interface
234283net.ipv6.conf.default.max_addresses = 1
284+ net.ipv6.conf.all.max_addresses = 1
285+
286+ # enable IPv6 Privacy Extensions (RFC3041) and prefer the temporary address
287+ net.ipv6.conf.default.use_tempaddr = 2
288+ net.ipv6.conf.all.use_tempaddr = 2
289+
290+ # ignore all ICMPv6 echo requests
291+ # net.ipv6.icmp.echo_ignore_all = 1
292+ # net.ipv6.icmp.echo_ignore_anycast = 1
293+ # net.ipv6.icmp.echo_ignore_multicast = 1
235294```
0 commit comments