Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'raja/syntax'

Browse Source
This commit is contained in:
Patrick Schleizer 2024-08-25 10:55:52 -04:00
commit 43d13b70f1
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 12 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
usr/lib/sysctl.d/990-security-misc.conf
View File

@ -295,13 +295,15 @@ net.ipv4.tcp_rfc1337=1
## Enable reverse path filtering (source validation) of packets received from all interfaces.
## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899.
## The second "default" command fixes a bug in the existing kernel implementation.
##
## https://en.wikipedia.org/wiki/IP_address_spoofing
## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-reverse_path_forwarding#sect-Security_Guide-Server_Security-Reverse_Path_Forwarding
## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
## https://seclists.org/oss-sec/2019/q4/122
## https://github.com/Kicksecure/security-misc/pull/261
##
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.*.rp_filter=1
net.ipv4.conf.default.rp_filter=1
## Disable ICMP redirect acceptance and redirect sending messages.
@ -315,14 +317,10 @@ net.ipv4.conf.default.rp_filter=1
## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
## https://github.com/Kicksecure/security-misc/pull/248
##
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
#net.ipv4.conf.all.secure_redirects=1
#net.ipv4.conf.default.secure_redirects=1
net.ipv4.conf.*.accept_redirects=0
net.ipv4.conf.*.send_redirects=0
net.ipv6.conf.*.accept_redirects=0
#net.ipv4.conf.*.secure_redirects=1
## Ignore ICMP echo requests.
## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
@ -342,15 +340,12 @@ net.ipv4.icmp_ignore_bogus_error_responses=1
##
## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing
##
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv4.conf.*.accept_source_route=0
net.ipv6.conf.*.accept_source_route=0
## Do not accept IPv6 router advertisements and solicitations.
##
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.*.accept_ra=0
## Disable SACK and DSACK.
## Select acknowledgements (SACKs) are a known common vector of exploitation.
@ -393,8 +388,7 @@ net.ipv4.tcp_timestamps=0
##
## The logging of martian packets is currently disabled.
##
#net.ipv4.conf.all.log_martians=1
#net.ipv4.conf.default.log_martians=1
#net.ipv4.conf.*.log_martians=1
## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses.
## The temporary/privacy address is used as the source for all outgoing traffic.
@ -410,5 +404,4 @@ net.ipv4.tcp_timestamps=0
##
## The use of IPv6 Privacy Extensions is currently disabled due to these breakages.
##
#net.ipv6.conf.all.use_tempaddr=2
#net.ipv6.conf.default.use_tempaddr=2
#net.ipv6.conf.*.use_tempaddr=2