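#!/bin/bash
# System and Network Kernel Hardening Rules by CCNA HUB - Imad Daou
# For more information: https://www.ccnahub.com/linux-courses/
#
# The following Kernel Hardening Rules are recommended for a single web-hosting VPS.
#
# Usage: run as root (sysctl/modprobe write to /proc/sys and load kernel modules).
# Every setting below is applied at runtime only; see the note on "sysctl -p"
# at the bottom of this file for persistence across reboots.

### Rules ON/OFF Switch Values ###
# 0 (zero)   -> Rule Disabled / OFF
# 1 (one)    -> Rule Enabled / ON
# X (number) -> Rule Value

# Abort on use of an unset variable (typos in $SYSCTL/$MODPROBE would otherwise
# silently run "key=value" as a command).  -e is deliberately NOT set: several
# of the modprobe/sysctl calls below are best-effort and may legitimately fail
# on kernels that do not ship the named module or key.
set -u

### System Control Command ###
SYSCTL="/sbin/sysctl"
MODPROBE="/sbin/modprobe"
readonly SYSCTL MODPROBE

#-----------------------------------------------------------------------
##
## System Hardening Rules
##

# Sets the maximum number of bytes in a single message queue. The default is 16384.
$SYSCTL kernel.msgmnb=65535

# Sets the maximum size of any message sent from one process to another and is set to
# 8192 bytes by default. Be careful when raising this value, as queued messages between
# processes are stored in non-swappable kernel memory. Any increase in msgmax would increase
# RAM requirements for the system.
$SYSCTL kernel.msgmax=65535

# Disable core dumps for set-uid programs.
#
# This value can be used to query and set the core dump mode for setuid
# or otherwise protected/tainted binaries. The modes are:
#
#  -> 0 (default)  - traditional behaviour. Any process which has changed
#                    privilege levels or is execute only will not be dumped
#  -> 1 (debug)    - all processes dump core when possible. The core dump is
#                    owned by the current user and no security is applied. This is
#                    intended for system debugging situations only.
#  -> 2 (suidsafe) - any binary which would normally not be dumped is dumped
#                    readable by root only. This allows the end user to remove
#                    such a dump but not access it directly. For security reasons
#                    core dumps in this mode will not overwrite one another or
#                    other files. This mode is appropriate when administrators are
#                    attempting to debug problems in a normal environment.
$SYSCTL fs.suid_dumpable=0

# Enable "Address Space Layout Randomization" (ASLR) to make memory-corruption
# exploits harder.
#
# ASLR locates the base, libraries, heap, and stack at random positions in a
# process's address space, which makes it difficult for an attacking program to
# predict the memory address of the next instruction.  (ASLR does not by itself
# make memory non-executable; that is the separate NX/DEP mechanism.)
#
# The randomize_va_space parameter can take the following values:
#  -> 0 Disable ASLR.
#  -> 1 Randomize the positions of the stack, virtual dynamic shared object (VDSO) page,
#       and shared memory regions. The base address of the data segment is located
#       immediately after the end of the executable code segment.
#  -> 2 Randomize the positions of the stack, VDSO page, shared memory regions,
#       and the data segment.
$SYSCTL kernel.randomize_va_space=2

# Hide exposed kernel pointers.
# The Linux kernel contains a feature which enables it to filter out such
# addresses in order to avoid leaking them to a potential attacker.
$SYSCTL kernel.kptr_restrict=1

#-----------------------------------------------------------------------
##
## Network Hardening Rules
##

# Disable ping responses globally, from public or private networks.
# Pinging is allowed by default; flip 0 to 1 to disable pinging.
$SYSCTL net.ipv4.icmp_echo_ignore_all=0

# Drop all NEW packets with anything but the SYN flag set.
# Load required modules.
# NOTE: the ip_conntrack* names are legacy aliases; on newer kernels they may
# not exist and modprobe will report an error, which is harmless here because
# the nf_conntrack* modules below provide the same functionality.
$MODPROBE ip_tables
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_conntrack_irc
$MODPROBE nf_conntrack_irc
$MODPROBE nf_conntrack_ftp
$MODPROBE nf_defrag_ipv4
$MODPROBE nf_conntrack_ipv4
$MODPROBE nf_conntrack
# Legacy key (older kernels) and current key; one of the two may be absent.
$SYSCTL net.ipv4.netfilter.ip_conntrack_tcp_loose=0
$SYSCTL net.netfilter.nf_conntrack_tcp_loose=0

# Prevent SYN flood attacks: enable SYN cookies (they kick in once
# tcp_max_syn_backlog is reached).
$SYSCTL net.ipv4.tcp_syncookies=1
$SYSCTL net.ipv4.tcp_syn_retries=2
$SYSCTL net.ipv4.tcp_synack_retries=2
$SYSCTL net.ipv4.tcp_max_syn_backlog=4096

# Disable packet forwarding. This is a host, not a router.
$SYSCTL net.ipv4.ip_forward=0
$SYSCTL net.ipv4.conf.all.forwarding=0
$SYSCTL net.ipv4.conf.default.forwarding=0
$SYSCTL net.ipv6.conf.all.forwarding=0
$SYSCTL net.ipv6.conf.default.forwarding=0

# Do not send ICMP redirects. Only routers need to send them.
$SYSCTL net.ipv4.conf.all.send_redirects=0
$SYSCTL net.ipv4.conf.default.send_redirects=0

# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
$SYSCTL net.ipv4.conf.all.accept_source_route=0
$SYSCTL net.ipv4.conf.default.accept_source_route=0
$SYSCTL net.ipv6.conf.all.accept_source_route=0
$SYSCTL net.ipv6.conf.default.accept_source_route=0

# Disable ICMP redirect acceptance.
# ICMP redirects can be used to alter your routing tables, possibly to a bad end.
$SYSCTL net.ipv4.conf.all.accept_redirects=0
$SYSCTL net.ipv4.conf.default.accept_redirects=0
$SYSCTL net.ipv4.conf.all.secure_redirects=0
$SYSCTL net.ipv4.conf.default.secure_redirects=0
$SYSCTL net.ipv6.conf.all.accept_redirects=0
$SYSCTL net.ipv6.conf.default.accept_redirects=0

# Log martians: packets with impossible addresses are logged to the kernel log.
# Turn on and log spoofed, source routed, and redirect packets.
$SYSCTL net.ipv4.conf.all.log_martians=1
$SYSCTL net.ipv4.conf.default.log_martians=1

# Lower the default tcp_fin_timeout value.
$SYSCTL net.ipv4.tcp_fin_timeout=7

# Lower the default keepalive timings.
$SYSCTL net.ipv4.tcp_keepalive_time=300
$SYSCTL net.ipv4.tcp_keepalive_probes=5
$SYSCTL net.ipv4.tcp_keepalive_intvl=15

# Disable bootp relay.
$SYSCTL net.ipv4.conf.all.bootp_relay=0

# Disable ARP proxy.
$SYSCTL net.ipv4.conf.all.proxy_arp=0

# Enable tcp_timestamps.
# Makes TCP congestion control algorithms work better.
$SYSCTL net.ipv4.tcp_timestamps=1

# Disable responses to broadcasts.
# You don't want your VPS to become a Smurf attack amplifier.
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=1

# Enable bad error message filtering.
$SYSCTL net.ipv4.icmp_ignore_bogus_error_responses=1

# Enable RFC1337 fix - time-wait assassination hazards in TCP.
$SYSCTL net.ipv4.tcp_rfc1337=1

# Enable IP spoofing protection (reverse path filtering).
$SYSCTL net.ipv4.conf.all.rp_filter=1
$SYSCTL net.ipv4.conf.default.rp_filter=1
$SYSCTL net.ipv4.conf.lo.rp_filter=1

# The following rule assumes you use "eth0" as your main interface card.
# The key only exists while the interface does, so skip it (with a warning)
# instead of emitting a confusing sysctl error on hosts without eth0.
if [[ -d /proc/sys/net/ipv4/conf/eth0 ]]; then
  $SYSCTL net.ipv4.conf.eth0.rp_filter=1
else
  printf 'warning: interface eth0 not present, skipping per-interface rp_filter\n' >&2
fi

# Enable the following rule if you use a private network on the "eth1" interface.
#$SYSCTL net.ipv4.conf.eth1.rp_filter=1
#
# Uncomment the following 3 lines to enable IP spoofing protection across all
# installed interface cards.
#for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
#  printf '1\n' > "${interface}"
#done
#
# Note: the loop above alters rp_filter's value across all installed interface cards.

##
## IPv6 Specific
##

# This is a host and not a router.
$SYSCTL net.ipv6.conf.default.router_solicitations=0

# Accept Router Preference in RA? NO.
$SYSCTL net.ipv6.conf.default.accept_ra_rtr_pref=0

# Do not learn prefix information from Router Advertisements.
$SYSCTL net.ipv6.conf.default.accept_ra_pinfo=0

# Do not learn a default router from Router Advertisements.
$SYSCTL net.ipv6.conf.default.accept_ra_defrtr=0

# Router advertisements can cause the system to assign a global unicast address
# to an interface; disable autoconfiguration.
$SYSCTL net.ipv6.conf.default.autoconf=0

# Number of neighbour solicitations sent per address for duplicate address
# detection; 0 disables DAD.
$SYSCTL net.ipv6.conf.default.dad_transmits=0

# Global unicast IPv6 addresses that can be assigned to each interface - only 1.
$SYSCTL net.ipv6.conf.default.max_addresses=1

# Don't accept Router Advertisements or autoconfigure addresses on any interface.
$SYSCTL net.ipv6.conf.all.autoconf=0
$SYSCTL net.ipv6.conf.all.accept_ra=0
$SYSCTL net.ipv6.conf.default.accept_ra=0

#-----------------------------------------------------------------------
##
## Apply Sysctl Rules
##
# NOTE: "sysctl -p" re-reads /etc/sysctl.conf. It does not persist the runtime
# values set above, and any key also present in /etc/sysctl.conf will be reset
# to the value in that file. To make these rules survive a reboot, copy the
# key=value pairs into /etc/sysctl.conf or a file under /etc/sysctl.d/.
$SYSCTL -p
#-----------------------------------------------------------------------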