DivestOS/Patches/LineageOS-14.1/android_system_core/0002-Harden_Network.patch
2017-06-28 08:20:24 -04:00


From 104095f3a7590ccbd60f2b6dc4fc5242198469c5 Mon Sep 17 00:00:00 2001
From: Tad <tad@spotco.us>
Date: Wed, 28 Jun 2017 08:03:36 -0400
Subject: [PATCH] Harden IPv4/6
Credit: https://serverfault.com/a/811826
Credit: https://linux-audit.com/linux-security-guide-for-hardening-ipv6/
Credit: https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/
Change-Id: I6941a9b418112ffeb68b4749b803b6e5558db039
---
rootdir/init.rc | 44 +++++++++++++++++++++++++++++++++++++++++---
1 file changed, 41 insertions(+), 3 deletions(-)
diff --git a/rootdir/init.rc b/rootdir/init.rc
index da2071b15..5676edbff 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -141,9 +141,47 @@ on init
# set fwmark on accepted sockets
write /proc/sys/net/ipv4/tcp_fwmark_accept 1
- # disable icmp redirects
- write /proc/sys/net/ipv4/conf/all/accept_redirects 0
- write /proc/sys/net/ipv6/conf/all/accept_redirects 0
+ # network hardening
+ write /proc/net/net/ipv4/conf/all/accept_redirects 0
+ write /proc/net/net/ipv4/conf/all/accept_source_route 0
+ write /proc/net/net/ipv4/conf/all/log_martians 1
+ write /proc/net/net/ipv4/conf/all/rp_filter 1
+ write /proc/net/net/ipv4/conf/all/secure_redirects 0
+ write /proc/net/net/ipv4/conf/all/send_redirects 0
+ write /proc/net/net/ipv4/conf/default/accept_redirects 0
+ write /proc/net/net/ipv4/conf/default/accept_source_route 0
+ write /proc/net/net/ipv4/conf/default/log_martians 1
+ write /proc/net/net/ipv4/conf/default/rp_filter 1
+ write /proc/net/net/ipv4/conf/default/secure_redirects 0
+ write /proc/net/net/ipv4/conf/default/send_redirects 0
+ write /proc/net/net/ipv4/icmp_echo_ignore_all 0
+ write /proc/net/net/ipv4/icmp_echo_ignore_broadcasts 1
+ write /proc/net/net/ipv4/icmp_errors_use_inbound_ifaddr 0
+ write /proc/net/net/ipv4/icmp_ignore_bogus_error_responses 1
+ write /proc/net/net/ipv4/ip_forward 0
+ write /proc/net/net/ipv4/tcp_rfc1337 1
+ write /proc/net/net/ipv4/tcp_syncookies 1
+ write /proc/net/net/ipv4/tcp_timestamps 1
+ write /proc/net/net/ipv6/conf/all/accept_ra_defrtr 0
+ write /proc/net/net/ipv6/conf/all/accept_ra_pinfo 0
+ write /proc/net/net/ipv6/conf/all/accept_ra_rtr_pref 0
+ write /proc/net/net/ipv6/conf/all/accept_redirects 0
+ write /proc/net/net/ipv6/conf/all/autoconf 0
+ write /proc/net/net/ipv6/conf/all/dad_transmits 0
+ write /proc/net/net/ipv6/conf/all/max_addresses 1
+ write /proc/net/net/ipv6/conf/all/router_solicitations 0
+ write /proc/net/net/ipv6/conf/all/use_tempaddr 2
+ write /proc/net/net/ipv6/conf/default/accept_ra_defrtr 0
+ write /proc/net/net/ipv6/conf/default/accept_ra_pinfo 0
+ write /proc/net/net/ipv6/conf/default/accept_ra_rtr_pref 0
+ write /proc/net/net/ipv6/conf/default/accept_redirects 0
+ write /proc/net/net/ipv6/conf/default/autoconf 0
+ write /proc/net/net/ipv6/conf/default/dad_transmits 0
+ write /proc/net/net/ipv6/conf/default/max_addresses 1
+ write /proc/net/net/ipv6/conf/default/router_solicitations 0
+ write /proc/net/net/ipv6/conf/default/use_tempaddr 2
+ write /proc/net/net/netfilter/nf_conntrack_max 500000
+ write /proc/net/net/netfilter/nf_conntrack_tcp_loose 0
# Create cgroup mount points for process groups
mkdir /dev/cpuctl
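Review bot: Every added `write` line in this hunk targets `/proc/net/net/...`, a path that does not exist — the sysctl tree lives under `/proc/sys/net/`, which is exactly what the two removed `accept_redirects` lines and the untouched `tcp_fwmark_accept` line above use. Because init's `write` only logs a failed write and carries on (as far as I recall), none of the new settings take effect, and the hunk also drops the previously working IPv4/IPv6 `accept_redirects 0`, so the net effect is less hardening than before the patch. Each line should read like `write /proc/sys/net/ipv4/conf/all/accept_redirects 0`, i.e. replace `/proc/net/net/` with `/proc/sys/net/` throughout, including the two `netfilter` lines. Once the paths are correct the IPv6 `all`/`default` settings `autoconf 0`, `accept_ra_pinfo 0`, `accept_ra_defrtr 0` and `dad_transmits 0` will actually apply and would presumably prevent SLAAC address configuration on interfaces that depend on router advertisements, so IPv6 on Wi-Fi and cellular should be verified before keeping them, and `nf_conntrack_max 500000` is a server-sized value whose memory cost on a handset is worth confirming rather than inheriting from the credited guides.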
--
2.13.2