From 104095f3a7590ccbd60f2b6dc4fc5242198469c5 Mon Sep 17 00:00:00 2001
From: Tad
Date: Wed, 28 Jun 2017 08:03:36 -0400
Subject: [PATCH] Harden IPv4/6

Credit: https://serverfault.com/a/811826
Credit: https://linux-audit.com/linux-security-guide-for-hardening-ipv6/
Credit: https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/
Change-Id: I6941a9b418112ffeb68b4749b803b6e5558db039
---
 rootdir/init.rc | 44 +++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 41 insertions(+), 3 deletions(-)

diff --git a/rootdir/init.rc b/rootdir/init.rc
index da2071b15..5676edbff 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -141,9 +141,47 @@ on init
 # set fwmark on accepted sockets
 write /proc/sys/net/ipv4/tcp_fwmark_accept 1
 
- # disable icmp redirects
- write /proc/sys/net/ipv4/conf/all/accept_redirects 0
- write /proc/sys/net/ipv6/conf/all/accept_redirects 0
+ # network hardening
+ write /proc/net/net/ipv4/conf/all/accept_redirects 0
+ write /proc/net/net/ipv4/conf/all/accept_source_route 0
+ write /proc/net/net/ipv4/conf/all/log_martians 1
+ write /proc/net/net/ipv4/conf/all/rp_filter 1
+ write /proc/net/net/ipv4/conf/all/secure_redirects 0
+ write /proc/net/net/ipv4/conf/all/send_redirects 0
+ write /proc/net/net/ipv4/conf/default/accept_redirects 0
+ write /proc/net/net/ipv4/conf/default/accept_source_route 0
+ write /proc/net/net/ipv4/conf/default/log_martians 1
+ write /proc/net/net/ipv4/conf/default/rp_filter 1
+ write /proc/net/net/ipv4/conf/default/secure_redirects 0
+ write /proc/net/net/ipv4/conf/default/send_redirects 0
+ write /proc/net/net/ipv4/icmp_echo_ignore_all 0
+ write /proc/net/net/ipv4/icmp_echo_ignore_broadcasts 1
+ write /proc/net/net/ipv4/icmp_errors_use_inbound_ifaddr 0
+ write /proc/net/net/ipv4/icmp_ignore_bogus_error_responses 1
+ write /proc/net/net/ipv4/ip_forward 0
+ write /proc/net/net/ipv4/tcp_rfc1337 1
+ write /proc/net/net/ipv4/tcp_syncookies 1
+ write /proc/net/net/ipv4/tcp_timestamps 1
+ write /proc/net/net/ipv6/conf/all/accept_ra_defrtr 0
+ write /proc/net/net/ipv6/conf/all/accept_ra_pinfo 0
+ write /proc/net/net/ipv6/conf/all/accept_ra_rtr_pref 0
+ write /proc/net/net/ipv6/conf/all/accept_redirects 0
+ write /proc/net/net/ipv6/conf/all/autoconf 0
+ write /proc/net/net/ipv6/conf/all/dad_transmits 0
+ write /proc/net/net/ipv6/conf/all/max_addresses 1
+ write /proc/net/net/ipv6/conf/all/router_solicitations 0
+ write /proc/net/net/ipv6/conf/all/use_tempaddr 2
+ write /proc/net/net/ipv6/conf/default/accept_ra_defrtr 0
+ write /proc/net/net/ipv6/conf/default/accept_ra_pinfo 0
+ write /proc/net/net/ipv6/conf/default/accept_ra_rtr_pref 0
+ write /proc/net/net/ipv6/conf/default/accept_redirects 0
+ write /proc/net/net/ipv6/conf/default/autoconf 0
+ write /proc/net/net/ipv6/conf/default/dad_transmits 0
+ write /proc/net/net/ipv6/conf/default/max_addresses 1
+ write /proc/net/net/ipv6/conf/default/router_solicitations 0
+ write /proc/net/net/ipv6/conf/default/use_tempaddr 2
+ write /proc/net/net/netfilter/nf_conntrack_max 500000
+ write /proc/net/net/netfilter/nf_conntrack_tcp_loose 0
 
 # Create cgroup mount points for process groups
 mkdir /dev/cpuctl
-- 
2.13.2
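Review bot: Every added `write` in this hunk targets `/proc/net/net/...`, which is not where the kernel exposes sysctl knobs — they live under `/proc/sys/net/...`, as the untouched `write /proc/sys/net/ipv4/tcp_fwmark_accept 1` context line just above and the two removed `/proc/sys/net/ipv{4,6}/conf/all/accept_redirects 0` lines show — so all 41 new writes will fail at boot (init logs the error and carries on) while the only two settings that previously worked have been deleted, leaving the device accepting ICMP redirects again. Fix the prefix on every added line, e.g. `write /proc/sys/net/ipv4/conf/all/accept_redirects 0` and `write /proc/sys/net/netfilter/nf_conntrack_tcp_loose 0`, and check `dmesg`/logcat for init `write` failures after the change to confirm each path exists on the target kernel. Separately, `autoconf 0`, `accept_ra_pinfo 0`, `accept_ra_defrtr 0` and `router_solicitations 0` disable SLAAC outright, which on a mobile device with no static IPv6 configuration presumably means no IPv6 connectivity at all, and strict `rp_filter 1` may conflict with the fwmark-based policy routing the `tcp_fwmark_accept` line hints at — both deserve an on-device check or a comment justifying them. The enclosing `on init` section starts before this hunk.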