Basic TCP/IP sysctl hardening

Linux
#### ipv4 networking and equivalent ipv6 parameters ####
## TCP SYN cookie protection (default)
## helps protect against SYN flood attacks
## only kicks in when net.ipv4.tcp_max_syn_backlog is reached
net.ipv4.tcp_syncookies : 1

## protect against tcp time-wait assassination hazards
## drop RST packets for sockets in the time-wait state
## (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 : 1

## sets the kernels reverse path filtering mechanism to value 1 (on)
## will do source validation of the packet's recieved from all the interfaces on the machine
## protects from attackers that are using ip spoofing methods to do harm
net.ipv4.conf.default.rp_filter : 1
net.ipv4.conf.all.rp_filter : 1

## tcp timestamps
## + protect against wrapping sequence numbers (at gigabit speeds)
## + round trip time calculation implemented in TCP
## - causes extra overhead and allows uptime detection by scanners like nmap
## enable @ gigabit speeds
net.ipv4.tcp_timestamps : 0
#net.ipv4.tcp_timestamps : 1

## log martian packets
net.ipv4.conf.default.log_martians : 1
net.ipv4.conf.all.log_martians : 1

## ignore echo broadcast requests to prevent being part of smurf attacks (default)
net.ipv4.icmp_echo_ignore_broadcasts : 1

## ignore bogus icmp errors (default)
net.ipv4.icmp_ignore_bogus_error_responses : 1

## send redirects (not a router, disable it)
net.ipv4.conf.default.send_redirects : 0
net.ipv4.conf.all.send_redirects : 0

## ICMP routing redirects (only secure)
#net.ipv4.conf.default.secure_redirects : 1 (default)
#net.ipv4.conf.all.secure_redirects : 1 (default)
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0

From https: //wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening

© 2024 Code0x378