mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-10-01 08:25:45 -04:00
43 lines
1.2 KiB
Plaintext
43 lines
1.2 KiB
Plaintext
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
|
## See the file COPYING for copying conditions.
|
|
|
|
#### meta start
|
|
#### project Kicksecure
|
|
#### category networking and security
|
|
#### description
|
|
## TCP/IP stack hardening
|
|
|
|
## Protects against time-wait assassination.
|
|
## It drops RST packets for sockets in the time-wait state.
|
|
net.ipv4.tcp_rfc1337=1
|
|
|
|
## Disables ICMP redirect acceptance.
|
|
net.ipv4.conf.all.accept_redirects=0
|
|
net.ipv4.conf.default.accept_redirects=0
|
|
net.ipv4.conf.all.secure_redirects=0
|
|
net.ipv4.conf.default.secure_redirects=0
|
|
net.ipv6.conf.all.accept_redirects=0
|
|
net.ipv6.conf.default.accept_redirects=0
|
|
|
|
## Disables ICMP redirect sending.
|
|
net.ipv4.conf.all.send_redirects=0
|
|
net.ipv4.conf.default.send_redirects=0
|
|
|
|
## Ignores ICMP requests.
|
|
net.ipv4.icmp_echo_ignore_all=1
|
|
|
|
## Enables TCP syncookies.
|
|
net.ipv4.tcp_syncookies=1
|
|
|
|
## Disable source routing.
|
|
net.ipv4.conf.all.accept_source_route=0
|
|
net.ipv4.conf.default.accept_source_route=0
|
|
|
|
## Enable reverse path filtering to prevent IP spoofing and
|
|
## mitigate vulnerabilities such as CVE-2019-14899.
|
|
## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
|
|
net.ipv4.conf.default.rp_filter=1
|
|
net.ipv4.conf.all.rp_filter=1
|
|
|
|
#### meta end
|