blob: 6ece04ce907ba3f4654baa476b41ad46d095e34b (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.
# See sysctl.d(5) and core(5) for for details.
# System Request functionality of the kernel (SYNC)
kernel.sysrq = 1
# Append the PID to the core filename
kernel.core_uses_pid = 1
# Source route verification
net.ipv4.conf.all.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.all.accept_source_route = 0
# protection from the SYN flood attack
net.ipv4.tcp_syncookies = 1
# timestamps add a little overhead but are recommended for gbit links
net.ipv4.tcp_timestamps = 1
# ignore echo broadcast requests to prevent being part of smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1
# ignore bogus icmp errors
net.ipv4.icmp_ignore_bogus_error_responses = 1
# send redirects (not a router, disable it)
net.ipv4.conf.all.send_redirects = 0
# ICMP routing redirects (only secure)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
# Enable hard and soft link protection
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# A little extra security for local exploits
kernel.kptr_restrict = 1
|
