Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-11-25 11:46:23 -05:00
Code Issues Projects Releases Packages Wiki Activity

Merge 5ac02d2d52 into 2089b3a9b8

Browse source
This commit is contained in:
raja-grewal 2025-11-24 14:30:49 -05:00 committed by GitHub
commit a0d4e868fa
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 13 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -132,6 +132,9 @@ configuration file and significant hardening is applied to a myriad of component
- Disable TCP timestamps as they can allow detecting the system time.
- Disable reuse of `TIME_WAIT` sockets for new outgoing connections as the above
setting disables TCP timestamps.
- Optional - Log packets with impossible source or destination addresses to
enable further inspection and analysis.

10
usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
View file

@ -565,6 +565,16 @@ net.ipv6.conf.*.accept_ra=0
##
net.ipv4.tcp_timestamps=0
## Disable reuse of TIME_WAIT sockets for new outgoing connections.
## The safety of reusing of TIME_WAIT sockets requires enabling TCP timestamps.
## The kernel uses timestamps to verify a new connection is not a duplicate segment from an older connection.
## Hence TIME-WAIT sockets should wait the full timeout period before being made available again.
## Can lead to port exhaustion on high-traffic networks with numerous short-lived connections.
##
## https://vincent.bernat.ch/en/blog/2014-tcp-time-wait-state-linux
##
net.ipv4.tcp_tw_reuse=0
## Enable logging of packets with impossible source or destination addresses.
## Martian and unroutable packets may be used for malicious purposes.
## Recommended to keep a (kernel dmesg) log of these to identify suspicious packets.