From 104095f3a7590ccbd60f2b6dc4fc5242198469c5 Mon Sep 17 00:00:00 2001
|
||
|
From: Tad <tad@spotco.us>
|
||
|
Date: Wed, 28 Jun 2017 08:03:36 -0400
|
||
|
Subject: [PATCH] Harden IPv4/6
|
||
|
|
||
|
Credit: https://serverfault.com/a/811826
|
||
|
Credit: https://linux-audit.com/linux-security-guide-for-hardening-ipv6/
|
||
|
Credit: https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/
|
||
|
|
||
|
Change-Id: I6941a9b418112ffeb68b4749b803b6e5558db039
|
||
|
---
|
||
|
rootdir/init.rc | 44 +++++++++++++++++++++++++++++++++++++++++---
|
||
|
1 file changed, 41 insertions(+), 3 deletions(-)
|
||
|
|
||
|
diff --git a/rootdir/init.rc b/rootdir/init.rc
|
||
|
index da2071b15..5676edbff 100644
|
||
|
--- a/rootdir/init.rc
|
||
|
+++ b/rootdir/init.rc
|
||
|
@@ -141,9 +141,47 @@ on init
|
||
|
# set fwmark on accepted sockets
|
||
|
write /proc/sys/net/ipv4/tcp_fwmark_accept 1
|
||
|
|
||
|
- # disable icmp redirects
|
||
|
- write /proc/sys/net/ipv4/conf/all/accept_redirects 0
|
||
|
- write /proc/sys/net/ipv6/conf/all/accept_redirects 0
|
||
|
+ # network hardening
|
||
|
+ write /proc/net/net/ipv4/conf/all/accept_redirects 0
|
||
|
+ write /proc/net/net/ipv4/conf/all/accept_source_route 0
|
||
|
+ write /proc/net/net/ipv4/conf/all/log_martians 1
|
||
|
+ write /proc/net/net/ipv4/conf/all/rp_filter 1
|
||
|
+ write /proc/net/net/ipv4/conf/all/secure_redirects 0
|
||
|
+ write /proc/net/net/ipv4/conf/all/send_redirects 0
|
||
|
+ write /proc/net/net/ipv4/conf/default/accept_redirects 0
|
||
|
+ write /proc/net/net/ipv4/conf/default/accept_source_route 0
|
||
|
+ write /proc/net/net/ipv4/conf/default/log_martians 1
|
||
|
+ write /proc/net/net/ipv4/conf/default/rp_filter 1
|
||
|
+ write /proc/net/net/ipv4/conf/default/secure_redirects 0
|
||
|
+ write /proc/net/net/ipv4/conf/default/send_redirects 0
|
||
|
+ write /proc/net/net/ipv4/icmp_echo_ignore_all 0
|
||
|
+ write /proc/net/net/ipv4/icmp_echo_ignore_broadcasts 1
|
||
|
+ write /proc/net/net/ipv4/icmp_errors_use_inbound_ifaddr 0
|
||
|
+ write /proc/net/net/ipv4/icmp_ignore_bogus_error_responses 1
|
||
|
+ write /proc/net/net/ipv4/ip_forward 0
|
||
|
+ write /proc/net/net/ipv4/tcp_rfc1337 1
|
||
|
+ write /proc/net/net/ipv4/tcp_syncookies 1
|
||
|
+ write /proc/net/net/ipv4/tcp_timestamps 1
|
||
|
+ write /proc/net/net/ipv6/conf/all/accept_ra_defrtr 0
|
||
|
+ write /proc/net/net/ipv6/conf/all/accept_ra_pinfo 0
|
||
|
+ write /proc/net/net/ipv6/conf/all/accept_ra_rtr_pref 0
|
||
|
+ write /proc/net/net/ipv6/conf/all/accept_redirects 0
|
||
|
+ write /proc/net/net/ipv6/conf/all/autoconf 0
|
||
|
+ write /proc/net/net/ipv6/conf/all/dad_transmits 0
|
||
|
+ write /proc/net/net/ipv6/conf/all/max_addresses 1
|
||
|
+ write /proc/net/net/ipv6/conf/all/router_solicitations 0
|
||
|
+ write /proc/net/net/ipv6/conf/all/use_tempaddr 2
|
||
|
+ write /proc/net/net/ipv6/conf/default/accept_ra_defrtr 0
|
||
|
+ write /proc/net/net/ipv6/conf/default/accept_ra_pinfo 0
|
||
|
+ write /proc/net/net/ipv6/conf/default/accept_ra_rtr_pref 0
|
||
|
+ write /proc/net/net/ipv6/conf/default/accept_redirects 0
|
||
|
+ write /proc/net/net/ipv6/conf/default/autoconf 0
|
||
|
+ write /proc/net/net/ipv6/conf/default/dad_transmits 0
|
||
|
+ write /proc/net/net/ipv6/conf/default/max_addresses 1
|
||
|
+ write /proc/net/net/ipv6/conf/default/router_solicitations 0
|
||
|
+ write /proc/net/net/ipv6/conf/default/use_tempaddr 2
|
||
|
+ write /proc/net/net/netfilter/nf_conntrack_max 500000
|
||
|
+ write /proc/net/net/netfilter/nf_conntrack_tcp_loose 0
|
||
|
|
||
|
# Create cgroup mount points for process groups
|
||
|
mkdir /dev/cpuctl
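Review bot: Every added `write` line targets `/proc/net/net/...`, a path that does not exist — the sysctl tree is `/proc/sys/net/...`, as the two removed lines correctly used — so each write fails at boot (init logs the error and continues), none of the hardening takes effect, and the previously working `accept_redirects 0` for both IPv4 and IPv6 is lost; fix the prefix on all 40 added lines, e.g. `write /proc/sys/net/ipv4/conf/all/accept_redirects 0` and `write /proc/sys/net/netfilter/nf_conntrack_max 500000`. Once the paths are fixed, `autoconf 0`, `accept_ra_pinfo 0`, `accept_ra_defrtr 0` and `router_solicitations 0` together disable SLAAC, which is presumably how this device obtains IPv6 addresses and a default route on WiFi and cellular, and `dad_transmits 0` turns off duplicate address detection — these need an IPv6 connectivity test or should be dropped. `rp_filter 1` (strict) can also break traffic on a multi-homed device using policy routing; loose mode `2` is the safer choice if reverse-path filtering is wanted. `nf_conntrack_max 500000` is a very large table for a phone and should be justified with a memory estimate, while `tcp_timestamps 1` and `icmp_echo_ignore_all 0` restate kernel defaults and add nothing. The `on init` section continues outside the hunk.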
|
||
|
--
|
||
|
2.13.2