Merge branch 'master' of git:openslx-ng/tm-scripts

1 files changed, 39 insertions, 0 deletions

diff --git a/remote/modules/systemd/data/usr/lib/sysctl.d/50-default.conf b/remote/modules/systemd/data/usr/lib/sysctl.d/50-default.conf
new file mode 100644
index 00000000..6ece04ce
--- /dev/null
+++ b/remote/modules/systemd/data/usr/lib/sysctl.d/50-default.conf
@@ -0,0 +1,39 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+# See sysctl.d(5) and core(5) for for details.
+
+# System Request functionality of the kernel (SYNC)
+kernel.sysrq = 1
+
+# Append the PID to the core filename
+kernel.core_uses_pid = 1
+
+# Source route verification
+net.ipv4.conf.all.rp_filter = 1
+# Do not accept source routing
+net.ipv4.conf.all.accept_source_route = 0
+# protection from the SYN flood attack
+net.ipv4.tcp_syncookies = 1
+# timestamps add a little overhead but are recommended for gbit links
+net.ipv4.tcp_timestamps = 1
+# ignore echo broadcast requests to prevent being part of smurf attacks
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+# ignore bogus icmp errors
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+# send redirects (not a router, disable it)
+net.ipv4.conf.all.send_redirects = 0
+# ICMP routing redirects (only secure)
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 1
+
+# Enable hard and soft link protection
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+
+# A little extra security for local exploits
+kernel.kptr_restrict = 1