mirror of
https://github.com/tommytran732/Linux-Setup-Scripts
synced 2024-12-22 14:52:05 -05:00
Use custom sysctl
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
acf3e6ae11
commit
5e58a06876
110
etc/sysctl.d/99-server.conf
Normal file
110
etc/sysctl.d/99-server.conf
Normal file
@ -0,0 +1,110 @@
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
||||
dev.tty.ldisc_autoload = 0
|
||||
|
||||
# https://access.redhat.com/solutions/1985633
|
||||
# Seems dangerous
|
||||
fs.binfmt_misc.status = 0
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
|
||||
# Enable fs.protected sysctls
|
||||
fs.protected_regular = 2
|
||||
fs.protected_fifos = 2
|
||||
fs.protected_symlinks = 1
|
||||
fs.protected_hardlinks = 1
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
|
||||
# Disable coredumps
|
||||
# For additional safety, disable coredumps using ulimit and systemd too.
|
||||
kernel.core_pattern=|/bin/false
|
||||
fs.suid_dumpable = 0
|
||||
|
||||
# Restrict dmesg to CAP_SYS_LOG
|
||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||
kernel.dmesg_restrict = 1
|
||||
|
||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
||||
# Restrict access to /proc
|
||||
kernel.kptr_restrict = 2
|
||||
|
||||
# Not needed, I don't do livepatching and reboot regularly.
|
||||
# On Ubuntu LTS just sed this to be 0 if you use livepatch.
|
||||
kernel.kexec_load_disabled = 1
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
||||
# Basically, restrict eBPF to CAP_BPF.
|
||||
kernel.unprivileged_bpf_disabled = 1
|
||||
net.core.bpf_jit_harden = 2
|
||||
|
||||
# Docker running as root do not require unpriv user ns, which is dangerous, so we disabe it
|
||||
kernel.unprivileged_userns_clone = 0
|
||||
|
||||
# Needed for gVisor, which is used on almost all of my servers
|
||||
kernel.yama.ptrace_scope = 1
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
||||
# Restrict performance events from unprivileged users as much as possible.
|
||||
# We are using 4 here, since Ubuntu supports such a level.
|
||||
# Official Linux kernel documentation only says >= so it probably will work.
|
||||
kernel.perf_event_paranoid = 4
|
||||
|
||||
# https://github.com/containerd/containerd/issues/9048
|
||||
# Disable io_uring, a very sus feature.
|
||||
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
|
||||
# on a Proxmox node.
|
||||
kernel_io_uring_disable = 2
|
||||
|
||||
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
|
||||
# Not running a router here, so no redirects
|
||||
net.ipv4.conf.*.send_redirects = 0
|
||||
net.ipv4.conf.*.accept_redirects = 0
|
||||
net.ipv6.conf.*.accept_redirects = 0
|
||||
|
||||
# Check if the source of the IP address is reachable through the same interface it came in
|
||||
# Basic IP spoofing mitigation
|
||||
net.ipv4.conf.*.rp_filter=1
|
||||
|
||||
# Respond to ICMP
|
||||
net.ipv4.icmp_echo_ignore_all=1
|
||||
net.ipv6.icmp.echo_ignore_all=1
|
||||
|
||||
# Enable IP Forwarding
|
||||
# Almost all of my servers run Docker anyways, and Docker absolutely requires this.
|
||||
net.ipv4.ip_forward = 1
|
||||
net.ipv6.conf.all.forwarding = 1
|
||||
|
||||
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
|
||||
# Ignore bogus icmp response
|
||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||
|
||||
# Protection against time-wait assasination attacks
|
||||
net.ipv4.tcp_rfc1337 = 1
|
||||
|
||||
# Enable SYN cookies
|
||||
# Basic SYN flood mitigation
|
||||
net.ipv4.tcp_syncookies = 1
|
||||
|
||||
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
|
||||
# Make sure TCP timestamp is enabled
|
||||
net.ipv4.tcp_timestamps = 1
|
||||
|
||||
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
|
||||
# Disable TCP SACK
|
||||
# We have good networking :)
|
||||
net.ipv4.tcp_sack = 0
|
||||
|
||||
# No SACK, therefore no Duplicated SACK
|
||||
net.ipv4.tcp_dsack = 0
|
||||
|
||||
# Improve ALSR effectiveness for mmap
|
||||
vm.mmap_rnd_bits = 32
|
||||
vm.mmap_rnd_compat_bits = 16
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
# Restrict userfaultfd to CAP_SYS_PTRACE
|
||||
# https://bugs.archlinux.org/task/62780
|
||||
# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
|
||||
# probably not used in the real world at all.
|
||||
vm.unprivileged_userfaultfd = 0
|
110
etc/sysctl.d/99-workstation.conf
Normal file
110
etc/sysctl.d/99-workstation.conf
Normal file
@ -0,0 +1,110 @@
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
||||
dev.tty.ldisc_autoload = 0
|
||||
|
||||
# https://access.redhat.com/solutions/1985633
|
||||
# Seems dangerous
|
||||
fs.binfmt_misc.status = 0
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
|
||||
# Enable fs.protected sysctls
|
||||
fs.protected_regular = 2
|
||||
fs.protected_fifos = 2
|
||||
fs.protected_symlinks = 1
|
||||
fs.protected_hardlinks = 1
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
|
||||
# Disable coredumps
|
||||
# For additional safety, disable coredumps using ulimit and systemd too.
|
||||
kernel.core_pattern=|/bin/false
|
||||
fs.suid_dumpable = 0
|
||||
|
||||
# Restrict dmesg to CAP_SYS_LOG
|
||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||
kernel.dmesg_restrict = 1
|
||||
|
||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
||||
# Restrict access to /proc
|
||||
kernel.kptr_restrict = 2
|
||||
|
||||
# Not needed, I don't do livepatching and reboot regularly.
|
||||
# On a workstation, this shouldn't be used at all. Don't live patch, just reboot.
|
||||
kernel.kexec_load_disabled = 1
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
||||
# Basically, restrict eBPF to CAP_BPF.
|
||||
kernel.unprivileged_bpf_disabled = 1
|
||||
net.core.bpf_jit_harden = 2
|
||||
|
||||
# Needed for Flatpak and Bubblewrap
|
||||
kernel.unprivileged_userns_clone = 1
|
||||
|
||||
# Disable ptrace. Not needed on workstations.
|
||||
kernel.yama.ptrace_scope = 3
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
||||
# Restrict performance events from unprivileged users as much as possible.
|
||||
# We are using 4 here, since Ubuntu supports such a level.
|
||||
# Official Linux kernel documentation only says >= so it probably will work.
|
||||
kernel.perf_event_paranoid = 4
|
||||
|
||||
# https://github.com/containerd/containerd/issues/9048
|
||||
# Disable io_uring, a very sus feature.
|
||||
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
|
||||
# on a Proxmox node.
|
||||
kernel_io_uring_disable = 2
|
||||
|
||||
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
|
||||
# Not running a router here, so no redirects
|
||||
net.ipv4.conf.*.send_redirects = 0
|
||||
net.ipv4.conf.*.accept_redirects = 0
|
||||
net.ipv6.conf.*.accept_redirects = 0
|
||||
|
||||
# Check if the source of the IP address is reachable through the same interface it came in
|
||||
# Basic IP spoofing mitigation
|
||||
net.ipv4.conf.*.rp_filter=1
|
||||
|
||||
# Do not respond to ICMP
|
||||
net.ipv4.icmp_echo_ignore_all=1
|
||||
net.ipv6.icmp.echo_ignore_all=1
|
||||
|
||||
# Enable IP Forwarding
|
||||
# Needed for VM networking and whatnot.
|
||||
net.ipv4.ip_forward = 1
|
||||
net.ipv6.conf.all.forwarding = 1
|
||||
|
||||
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
|
||||
# Ignore bogus icmp response
|
||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||
|
||||
# Protection against time-wait assasination attacks
|
||||
net.ipv4.tcp_rfc1337 = 1
|
||||
|
||||
# Enable SYN cookies
|
||||
# Basic SYN flood mitigation
|
||||
net.ipv4.tcp_syncookies = 1
|
||||
|
||||
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
|
||||
# Make sure TCP timestamp is enabled
|
||||
net.ipv4.tcp_timestamps = 1
|
||||
|
||||
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
|
||||
# Disable TCP SACK
|
||||
# We have good networking :)
|
||||
net.ipv4.tcp_sack = 0
|
||||
|
||||
# No SACK, therefore no Duplicated SACK
|
||||
net.ipv4.tcp_dsack = 0
|
||||
|
||||
# Improve ALSR effectiveness for mmap
|
||||
vm.mmap_rnd_bits = 32
|
||||
vm.mmap_rnd_compat_bits = 16
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
# Restrict userfaultfd to CAP_SYS_PTRACE
|
||||
# https://bugs.archlinux.org/task/62780
|
||||
# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
|
||||
# probably not used in the real world at all.
|
||||
vm.unprivileged_userfaultfd = 0
|
2
etc/systemd/coredump.conf.d/disable.conf
Normal file
2
etc/systemd/coredump.conf.d/disable.conf
Normal file
@ -0,0 +1,2 @@
|
||||
[Coredump]
|
||||
Storage=none
|
Loading…
Reference in New Issue
Block a user