diff --git a/README.md b/README.md index 811071b..067ac89 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ This repository hosts my hardened version of `sysctl.conf`. This configuration f **Please review the configuration file carefully before applying it.** You are responsible for actions done to your own system. If you need some guidance understanding what each of the settings are for, [sysctl-explorer](https://sysctl-explorer.net/) might come in handy. -Please be careful that this `sysctl.conf` is **designed for endpoint hosts that do not act as a router**. If you would like to use this configuration file on a router, please go over the configuration file and make necessary changes. +Please be careful that this `sysctl.conf` is **designed for 64-bit endpoint hosts that do not act as a router**. If you would like to use this configuration file on a router, please go over the configuration file and make necessary changes. ## Usages @@ -24,20 +24,24 @@ Please be careful that this `sysctl.conf` is **designed for endpoint hosts that 1. Run command `sudo sysctl -p` or reboot the system to apply the changes ```shell -# clone the repository -git clone https://github.com/k4yt3x/sysctl.git ~/sysctl +# download the configuration file from GitHub using curl +curl https://raw.githubusercontent.com/k4yt3x/sysctl/master/sysctl.conf -o ~/sysctl.conf + +# you may also download with wget or other methods if curl is not available +wget https://raw.githubusercontent.com/k4yt3x/sysctl/master/sysctl.conf -O ~/sysctl.conf # backup the original sysctl.conf sudo cp /etc/sysctl.conf /etc/sysctl.conf.backup # replace the old sysctl.conf with the new one -sudo cp ~/sysctl/sysctl.conf /etc/sysctl.conf +sudo mv ~/sysctl.conf /etc/sysctl.conf -# apply changes -sudo sysctl -p +# make sure the file has the correct ownership and permissions +sudo chown root:root /etc/sysctl.conf +sudo chmod 644 /etc/sysctl.conf -# remove the downloaded repository if you don't need it anymore -rm -rf ~/sysctl +# instruct sysctl to load settings from the configuration file into the live kernel +sudo sysctl -p ``` For convenience, I have pointed the URL `https://akas.io/sysctl` to the `sysctl.conf` file. You may therefore download the `sysctl.conf` file with the following command. However, be sure to check the integrity of the file after downloading it if you choose to download using this method. @@ -45,258 +49,3 @@ For convenience, I have pointed the URL `https://akas.io/sysctl` to the `sysctl. ```shell curl -sSL akas.io/sysctl -o sysctl.conf ``` - -## `sysctl.conf` Content - -```properties -# Name: K4YT3X Hardened sysctl Configuration -# Author: K4YT3X -# Contributors: IceCodeNew -# Date Created: October 5, 2020 -# Last Updated: October 7, 2020 - -# Licensed under the GNU General Public License Version 3 (GNU GPL v3), -# available at: https://www.gnu.org/licenses/gpl-3.0.txt -# (C) 2020 K4YT3X - -# Multiple sources have been consulted while writing this configuration -# file (e.g., nixCraft's sysctl.conf). Sources are not cited since this -# is not an academic document. Please refer to Linux documentations -# should you have any questions. - -########## Kernel ########## - -# enable ExecShield protection -# 2 enables ExecShield by default unless applications bits are set to disabled -# uncomment on systems without NX/XD protections -# check with: dmesg | grep --color '[NX|DX]*protection' -#kernel.exec-shield = 2 - -# enable ASLR -# turn on protection and randomize stack, vdso page and mmap + randomize brk base address -kernel.randomize_va_space = 2 - -# controls the System Request debugging functionality of the kernel -kernel.sysrq = 0 - -# controls whether core dumps will append the PID to the core filename -# useful for debugging multi-threaded applications -kernel.core_uses_pid = 1 - -# restrict access to kernel address -# kernel pointers printed using %pK will be replaced with 0’s regardless of privileges -kernel.kptr_restrict = 2 - -# Ptrace protection using Yama -# - 1: only a parent process can be debugged -# - 2: only admins canuse ptrace (CAP_SYS_PTRACE capability required) -# - 3: disables ptrace completely, reboot is required to re-enable ptrace -kernel.yama.ptrace_scope = 3 - -# restrict kernel logs to root only -kernel.dmesg_restrict = 1 - -# restrict BPF JIT compiler to root only -kernel.unprivileged_bpf_disabled = 1 - -# disables kexec as it can be used to livepatch the running kernel -kernel.kexec_load_disabled = 1 - -# disable unprivileged user namespaces to decrease attack surface -kernel.unprivileged_userns_clone = 0 - -# allow for more PIDs -# this value can be up to: -# - 32768 (2^15) on a 32-bit system -# - 4194304 (2^22) on a 64-bit system -kernel.pid_max = 4194304 - -# reboot machine after kernel panic -#kernel.panic = 10 - -########## File System ########## - -# disallow core dumping by SUID/SGID programs -fs.suid_dumpable = 0 - -# protect the creation of hard links -# one of the following conditions must be fulfilled -# - the user can only link to files that he or she owns -# - the user must first have read and write access to a file, that he/she wants to link to -fs.protected_hardlinks = 1 - -# protect the creation of symbolic links -# one of the following conditions must be fulfilled -# - the process following the symbolic link is the owner of the symbolic link -# - the owner of the directory is also the owner of the symbolic link -fs.protected_symlinks = 1 - -# enable extended FIFO protection -fs.protected_fifos = 2 - -# similar to protected_fifos, but it avoids writes to an attacker-controlled regular file -fs.protected_regular = 2 - -# increase system file descriptor limit -# this value can be up to: -# - 2147483647 (0x7fffffff) on a 32-bit system -# - 9223372036854775807 (0x7fffffffffffffff) on a 64-bit system -# be aware that the Linux kernel documentation suggests that inode-max should be 3-4 times -# larger than this value -fs.file-max = 9223372036854775807 - -########## Virtualization ########## - -# improve mmap ASLR effectness -vm.mmap_rnd_bits=32 -vm.mmap_rnd_compat_bits=16 - -########## Networking ########## - -# increase the maximum length of processor input queues -net.core.netdev_max_backlog = 250000 - -# enable BPF JIT hardening for all users -# this trades off performance, but can mitigate JIT spraying -net.core.bpf_jit_harden = 2 - -# increase TCP max buffer size setable using setsockopt() -#net.core.rmem_max = 8388608 -#net.core.wmem_max = 8388608 -#net.core.rmem_default = 8388608 -#net.core.wmem_default = 8388608 -#net.core.optmem_max = 8388608 - -########## IPv4 Networking ########## - -# enable BBR congestion control -net.ipv4.tcp_congestion_control = bbr - -# disallow IPv4 packet forwarding -net.ipv4.ip_forward = 0 - -# enable SYN cookies for SYN flooding protection -net.ipv4.tcp_syncookies = 1 - -# number of times SYNACKs for a passive TCP connection attempt will be retransmitted -net.ipv4.tcp_synack_retries = 5 - -# do not send redirects -net.ipv4.conf.default.send_redirects = 0 -net.ipv4.conf.all.send_redirects = 0 - -# do not accept packets with SRR option -net.ipv4.conf.default.accept_source_route = 0 -net.ipv4.conf.all.accept_source_route = 0 - -# enable reverse path source validation -# refer to RFC1812 -net.ipv4.conf.default.rp_filter = 1 -net.ipv4.conf.all.rp_filter = 1 - -# log packets with impossible addresses to kernel log -net.ipv4.conf.default.log_martians = 1 -net.ipv4.conf.all.log_martians = 1 - -# do not accept ICMP redirect messages -net.ipv4.conf.default.accept_redirects = 0 -net.ipv4.conf.default.secure_redirects = 0 -net.ipv4.conf.all.accept_redirects = 0 -net.ipv4.conf.all.secure_redirects = 0 - -# disable sending and receiving of shared media redirects -# this setting overwrites net.ipv4.conf.all.secure_redirects -# refer to RFC1620 -net.ipv4.conf.default.shared_media = 0 -net.ipv4.conf.all.shared_media = 0 - -# always use the best local address for announcing local IP via ARP -net.ipv4.conf.default.arp_announce = 2 -net.ipv4.conf.all.arp_announce = 2 - -# reply only if the target IP address is local address configured on the incoming interface -net.ipv4.conf.default.arp_ignore = 1 -net.ipv4.conf.all.arp_ignore = 1 - -# drop Gratuitous ARP frames to prevent ARP poisoning -# this can cause issues when ARP proxies are used in the network -net.ipv4.conf.default.drop_gratuitous_arp = 1 -net.ipv4.conf.all.drop_gratuitous_arp = 1 - -# ignore all ICMP echo requests -#net.ipv4.icmp_echo_ignore_all = 1 - -# ignore all ICMP echo and timestamp requests sent to broadcast/multicast -net.ipv4.icmp_echo_ignore_broadcasts = 1 - -# ignore bad ICMP errors -net.ipv4.icmp_ignore_bogus_error_responses = 1 - -# mitigate TIME-WAIT Assassination hazards in TCP -# refer to RFC1337 -net.ipv4.tcp_rfc1337 = 1 - -# disable TCP window scaling -# this makes the host less susceptible to TCP RST DoS attacks -net.ipv4.tcp_window_scaling = 0 - -# increase system IP port limits -net.ipv4.ip_local_port_range = 1024 65535 - -# disable TCP timestamps for better CPU utilization -net.ipv4.tcp_timestamps = 0 - -# enabling SACK can increase the throughput -# but SACK is commonly exploited and rarely used -net.ipv4.tcp_sack = 0 - -# divide socket buffer evenly between TCP window size and application -net.ipv4.tcp_adv_win_scale = 1 - -# increase memory thresholds to prevent packet dropping -#net.ipv4.tcp_rmem = 4096 87380 8388608 -#net.ipv4.tcp_wmem = 4096 87380 8388608 - -########## IPv6 Networking ########## - -# disallow IPv6 packet forwarding -net.ipv6.conf.default.forwarding = 0 -net.ipv6.conf.all.forwarding = 0 - -# number of Router Solicitations to send until assuming no routers are present -net.ipv6.conf.default.router_solicitations = 0 -net.ipv6.conf.all.router_solicitations = 0 - -# do not accept Router Preference from RA -net.ipv6.conf.default.accept_ra_rtr_pref = 0 -net.ipv6.conf.all.accept_ra_rtr_pref = 0 - -# learn prefix information in router advertisement -net.ipv6.conf.default.accept_ra_pinfo = 0 -net.ipv6.conf.all.accept_ra_pinfo = 0 - -# setting controls whether the system will accept Hop Limit settings from a router advertisement -net.ipv6.conf.default.accept_ra_defrtr = 0 -net.ipv6.conf.all.accept_ra_defrtr = 0 - -# router advertisements can cause the system to assign a global unicast address to an interface -net.ipv6.conf.default.autoconf = 0 -net.ipv6.conf.all.autoconf = 0 - -# number of neighbor solicitations to send out per address -net.ipv6.conf.default.dad_transmits = 0 -net.ipv6.conf.all.dad_transmits = 0 - -# number of global unicast IPv6 addresses can be assigned to each interface -net.ipv6.conf.default.max_addresses = 1 -net.ipv6.conf.all.max_addresses = 1 - -# enable IPv6 Privacy Extensions (RFC3041) and prefer the temporary address -net.ipv6.conf.default.use_tempaddr = 2 -net.ipv6.conf.all.use_tempaddr = 2 - -# ignore all ICMPv6 echo requests -#net.ipv6.icmp.echo_ignore_all = 1 -#net.ipv6.icmp.echo_ignore_anycast = 1 -#net.ipv6.icmp.echo_ignore_multicast = 1 -```