security-misc/etc/sysctl.d/tcp_hardening.conf

## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

#### meta start
#### project Kicksecure
#### category networking and security
#### description
## TCP/IP stack hardening

## Protects against time-wait assassination.
## It drops RST packets for sockets in the time-wait state.
net.ipv4.tcp_rfc1337=1

## Disables ICMP redirect acceptance.
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0

## Disables ICMP redirect sending.
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0

## Ignores ICMP requests.
net.ipv4.icmp_echo_ignore_all=1

## Enables TCP syncookies.
net.ipv4.tcp_syncookies=1

## Disable source routing.
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0

## Enable reverse path filtering to prevent IP spoofing and
## mitigate vulnerabilities such as CVE-2019-14899.
## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

#### meta end
copyright / comments 2019-10-07 01:30:56 -04:00			`## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>`
			`## See the file COPYING for copying conditions.`
Create tcp_hardening.conf 2019-05-06 11:45:53 -04:00
copyright / comments 2019-10-07 01:30:56 -04:00			`#### meta start`
comments 2019-10-07 04:25:45 -04:00			`#### project Kicksecure`
copyright / comments 2019-10-07 01:30:56 -04:00			`#### category networking and security`
comments 2019-10-07 04:24:02 -04:00			`#### description`
			`## TCP/IP stack hardening`
copyright / comments 2019-10-07 01:30:56 -04:00
			`## Protects against time-wait assassination.`
			`## It drops RST packets for sockets in the time-wait state.`
Create tcp_hardening.conf 2019-05-06 11:45:53 -04:00			`net.ipv4.tcp_rfc1337=1`

copyright / comments 2019-10-07 01:30:56 -04:00			`## Disables ICMP redirect acceptance.`
Create tcp_hardening.conf 2019-05-06 11:45:53 -04:00			`net.ipv4.conf.all.accept_redirects=0`
			`net.ipv4.conf.default.accept_redirects=0`
			`net.ipv4.conf.all.secure_redirects=0`
			`net.ipv4.conf.default.secure_redirects=0`
			`net.ipv6.conf.all.accept_redirects=0`
			`net.ipv6.conf.default.accept_redirects=0`

copyright / comments 2019-10-07 01:30:56 -04:00			`## Disables ICMP redirect sending.`
Create tcp_hardening.conf 2019-05-06 11:45:53 -04:00			`net.ipv4.conf.all.send_redirects=0`
			`net.ipv4.conf.default.send_redirects=0`

copyright / comments 2019-10-07 01:30:56 -04:00			`## Ignores ICMP requests.`
Create tcp_hardening.conf 2019-05-06 11:45:53 -04:00			`net.ipv4.icmp_echo_ignore_all=1`
Update tcp_hardening.conf 2019-06-27 14:17:58 -04:00
copyright / comments 2019-10-07 01:30:56 -04:00			`## Enables TCP syncookies.`
Update tcp_hardening.conf 2019-06-27 14:17:58 -04:00			`net.ipv4.tcp_syncookies=1`

copyright / comments 2019-10-07 01:30:56 -04:00			`## Disable source routing.`
Update tcp_hardening.conf 2019-06-27 14:17:58 -04:00			`net.ipv4.conf.all.accept_source_route=0`
			`net.ipv4.conf.default.accept_source_route=0`
copyright / comments 2019-10-07 01:30:56 -04:00
Enable reverse path filtering 2019-12-05 15:13:10 -05:00			`## Enable reverse path filtering to prevent IP spoofing and`
			`## mitigate vulnerabilities such as CVE-2019-14899.`
comment 2019-12-05 15:52:24 -05:00			`## https://forums.whonix.org/t/enable-reverse-path-filtering/8594`
Enable reverse path filtering 2019-12-05 15:13:10 -05:00			`net.ipv4.conf.default.rp_filter=1`
			`net.ipv4.conf.all.rp_filter=1`

copyright / comments 2019-10-07 01:30:56 -04:00			`#### meta end`