Jan De Landtsheer
ed98e24503
- Change from colon to space separation to avoid URL parsing issues - Update sources.conf format: TYPE NAME URL VERSION BUILD_FUNCTION [EXTRA] - Implement awk-based parsing for reliable field extraction - Fix firmware package list (remove unavailable linux-firmware-marvell)
41 lines
1.2 KiB
Plaintext
41 lines
1.2 KiB
Plaintext
# Prevents SYN DOS attacks. Applies to ipv6 as well, despite name.
|
|
net.ipv4.tcp_syncookies = 1
|
|
|
|
# Prevents ip spoofing.
|
|
net.ipv4.conf.default.rp_filter = 1
|
|
net.ipv4.conf.all.rp_filter = 1
|
|
|
|
# Only groups within this id range can use ping.
|
|
net.ipv4.ping_group_range=999 59999
|
|
|
|
# Redirects can potentially be used to maliciously alter hosts
|
|
# routing tables.
|
|
net.ipv4.conf.all.accept_redirects = 0
|
|
net.ipv4.conf.all.secure_redirects = 1
|
|
net.ipv6.conf.all.accept_redirects = 0
|
|
|
|
# The source routing feature includes some known vulnerabilities.
|
|
net.ipv4.conf.all.accept_source_route = 0
|
|
net.ipv6.conf.all.accept_source_route = 0
|
|
|
|
# See RFC 1337
|
|
net.ipv4.tcp_rfc1337 = 1
|
|
|
|
## Enable IPv6 Privacy Extensions (see RFC4941 and RFC3041)
|
|
net.ipv6.conf.default.use_tempaddr = 2
|
|
net.ipv6.conf.all.use_tempaddr = 2
|
|
|
|
# Restarts computer after 120 seconds after kernel panic
|
|
kernel.panic = 120
|
|
|
|
# Users should not be able to create soft or hard links to files
|
|
# which they do not own. This mitigates several privilege
|
|
# escalation vulnerabilities.
|
|
fs.protected_hardlinks = 1
|
|
fs.protected_symlinks = 1
|
|
|
|
# Disable unprivileged use of the bpf(2) syscall.
|
|
# Allowing unprivileged use of the bpf(2) syscall may allow a
|
|
# malicious user to compromise the machine.
|
|
kernel.unprivileged_bpf_disabled = 1
|