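# Dev concessions (intentionally not hardened):
# kernel.sysrq — emergency reboot from a frozen Sway session. 244 is the
# bitmask covering exactly the REISUB sequence: 4 (keyboard un-raw / SAK,
# R), 16 (sync, S), 32 (remount read-only, U), 64 (signal processes,
# E/I), 128 (reboot/poweroff, B). The earlier value 1 also enabled the
# console debugging dumps (8: task/memory/register dumps) and
# loglevel/RT-nice control, which a reboot does not need; add 8 back only
# if SysRq-t/w hang dumps are wanted.
# kernel.dmesg_restrict=0 — read dmesg as user during driver/kernel debug.
# Note this exposes hardware details, oopses and stack traces to every
# local user; kptr_restrict (further down) only zeroes the pointer values.
# kernel.perf_event_paranoid=2 — `perf record` on own user-space binaries
# without sudo; perf falls back to user-only sampling (exclude_kernel)
# with a warning. NOTE: -1 is NOT "user-space only" — it lets every user
# profile the kernel and open raw tracepoints (>=0 blocks tracepoints,
# >=2 blocks kernel profiling), so 2 is the lowest level that matches the
# stated need. Use 1 (or sudo) when kernel-side samples are wanted.
# kernel.yama.ptrace_scope is left at the kernel default (1: a tracer may
# only attach to its own descendants, or to a process that opted in via
# prctl(PR_SET_PTRACER)), which keeps `gdb ./a.out`, `lldb -- ./bin`,
# `rust-gdb target/...` working; attach-by-PID (`gdb -p`) to an unrelated
# process requires CAP_SYS_PTRACE (sudo).
kernel.sysrq = 244
kernel.dmesg_restrict = 0
kernel.perf_event_paranoid = 2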
# Throughput / latency tuning (performance, not hardening)
# Per-CPU queue for packets arriving faster than the stack drains them.
net.core.netdev_max_backlog = 16384
# Upper bound for listen() backlogs; applications asking for more are
# clamped to this. Keep tcp_max_syn_backlog below in step with it.
net.core.somaxconn = 8192
# TCP Fast Open: 1 = outgoing connections, 2 = incoming, 3 = both.
# The server side only affects listeners that opt in with the TCP_FASTOPEN
# socket option; if no local service does, 1 is the narrower setting.
net.ipv4.tcp_fastopen = 3
# Half-open (SYN_RECV) connections remembered before syncookies take over.
net.ipv4.tcp_max_syn_backlog = 8192
# TIME-WAIT sockets held before the kernel starts destroying them early
# (and warning about it).
net.ipv4.tcp_max_tw_buckets = 2000000
# Reuse TIME-WAIT sockets for new *outgoing* connections (1 = all
# destinations, 2 = loopback only). The kernel only does this when the
# old socket carried TCP timestamps — that is how it proves the reuse is
# safe — so this setting is inert unless net.ipv4.tcp_timestamps is on.
net.ipv4.tcp_tw_reuse = 1
# Seconds an orphaned connection sits in FIN-WAIT-2 before being aborted
# locally (default 60).
net.ipv4.tcp_fin_timeout = 10
# Keep the congestion window across idle periods instead of restarting
# slow start (disables the RFC 2861 idle timeout).
net.ipv4.tcp_slow_start_after_idle = 0
# Keepalive: first probe after 60 s idle, then every 10 s, give up after
# 6 unanswered probes — a dead peer is noticed in about two minutes
# instead of the default two hours.
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 6
# 1 = packetisation-layer path MTU probing only after an ICMP black hole
# is detected (2 would probe always).
net.ipv4.tcp_mtu_probing = 1
# cake (upstream since 4.19) as the default qdisc and BBR congestion
# control; the sch_cake / tcp_bbr modules must be available for these
# lines to apply.
net.core.default_qdisc = cake
net.ipv4.tcp_congestion_control = bbr
# Below the default of 100 the kernel prefers to keep dentry/inode caches
# over reclaiming them.
vm.vfs_cache_pressure = 50
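# Network hardening
# Reverse-path filtering in loose mode (2): drop packets whose source is
# not reachable via *any* interface. Strict mode (1) would break
# asymmetric routing (VPN/WireGuard, multi-homing). The effective value
# per interface is max(all, interface), so `all` covers existing links
# and `default` covers links created later.
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
# Ignore ICMP redirects (an on-link attacker could use them to re-route
# our traffic through itself) and never emit them (this is not a router).
# For a non-forwarding host the IPv4 accept_redirects check is `all OR
# interface`, so both `all` and `default` genuinely need to be 0.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Source-routed packets. IPv4 accepts only when both `all` AND the
# interface value are 1, so `all = 0` already suffices; `default` is set
# for consistency. IPv6 has different semantics: 0 (the kernel default)
# still accepts Type-2 routing headers (Mobile IPv6) — only a negative
# value rejects routing headers outright. The effective IPv6 value is
# min(all, interface), so `all = -1` is what closes it.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = -1
net.ipv6.conf.default.accept_source_route = -1
# Log (rate-limited) packets with impossible source addresses, i.e. what
# rp_filter and the bogon checks drop. log_martians is OR-ed across `all`
# and the interface, so `all` alone is enough.
net.ipv4.conf.all.log_martians = 1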
# Info-disclosure / kernel-surface hardening
# Hide kernel pointers (%pK) from /proc and dmesg even with read access.
# 2 zeroes them for root as well, so /proc/kallsyms cannot be used to
# symbolise kernel samples or oopses; drop to 1 (zeroed only without
# CAP_SYSLOG) if root-level kernel profiling or crash analysis is needed.
kernel.kptr_restrict = 2
# Block unprivileged eBPF program loading (bpftrace as non-root, etc.).
# We don't run BPF programs against the system kernel; own user-space
# profiling via `perf` is unaffected. 1 is one-way until reboot; 2 has
# the same effect but can be changed back at runtime if ever needed.
kernel.unprivileged_bpf_disabled = 1
# Harden the BPF JIT against spectre-style speculative leaks.
# 2 applies constant blinding to privileged (root) programs too, at a
# small JIT cost; 1 would cover only unprivileged loaders, which are
# already blocked above.
net.core.bpf_jit_harden = 2
# We never use kexec; disabling permanently closes a rootkit persistence
# vector. Cannot be re-enabled until reboot once set.
# This also refuses to load a crash kernel, so kdump / crash-dump capture
# will not work on this machine while it is set.
kernel.kexec_load_disabled = 1
# SUID processes cannot produce core dumps (prevents leaking secrets).
fs.suid_dumpable = 0
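# ICMP / TCP hygiene
# Reaffirm syncookie defence (default on, explicit anyway). Only kicks in
# once the SYN backlog (tcp_max_syn_backlog) overflows.
net.ipv4.tcp_syncookies = 1
# Ignore echo requests sent to broadcast/multicast addresses (smurf-style
# amplification).
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Don't *log* ICMP error responses that violate RFC 1122 (some routers
# send them). This only suppresses kernel-log noise; it drops nothing.
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Keep TCP timestamps ON. They used to be disabled here as an
# uptime/fingerprint leak, but with value 1 the kernel randomises the
# timestamp offset per connection (since 4.10; 2 would expose the raw
# clock), and a kernel that ships cake is 4.19+, so that leak is already
# closed. Turning them off costs PAWS (protection against wrapped sequence
# numbers / old duplicates), RTT measurement on retransmits, and — less
# obviously — it silently disables net.ipv4.tcp_tw_reuse above, which
# only reuses TIME-WAIT sockets whose last segment carried a timestamp.
# BBR + cake work either way; they were never the reason to disable this.
net.ipv4.tcp_timestamps = 1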
# IPv6 router advertisements are handled by systemd-networkd; ignore RA
# at the kernel layer in case networkd is bypassed or an attacker forges
# rogue RAs on a hostile network.
# Caveats: networkd processes RAs in user space (IPv6AcceptRA=) and does
# not depend on the kernel's accept_ra, so the practical effect is on
# links networkd does NOT manage — those get no SLAAC address or default
# route. The kernel consults the per-interface value, not `all`, so
# `default` is the line that applies to links created after this loads;
# interfaces that already exist keep whatever value they had.
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0