Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-12-17 13:23:59 -05:00
Code Issues Projects Releases Packages Wiki Activity

Merge remote-tracking branch 'raja/stop_tw_reuse' into arraybolt3/trixie

Browse source
This commit is contained in:
Aaron Rainbolt 2025-11-28 14:21:59 -06:00
commit 84e193c44e
No known key found for this signature in database
GPG key ID: A709160D73C79109
2 changed files with 13 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

10
usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
View file

@ -586,6 +586,16 @@ net.ipv6.conf.*.accept_ra=0
##
net.ipv4.tcp_timestamps=0
## Disable reuse of TIME_WAIT sockets for new outgoing connections.
## The safety of reusing of TIME_WAIT sockets requires enabling TCP timestamps.
## The kernel uses timestamps to verify a new connection is not a duplicate segment from an older connection.
## Hence TIME-WAIT sockets should wait the full timeout period before being made available again.
## Can lead to port exhaustion on high-traffic networks with numerous short-lived connections.
##
## https://vincent.bernat.ch/en/blog/2014-tcp-time-wait-state-linux
##
net.ipv4.tcp_tw_reuse=0
## Enable logging of packets with impossible source or destination addresses.
## Martian and unroutable packets may be used for malicious purposes.
## Recommended to keep a (kernel dmesg) log of these to identify suspicious packets.