K4YT3X's Hardened sysctl Configuration

This repository hosts my hardened version of sysctl.conf. This configuration file aims to provide better security for Linux systems and to improve system performance whenever possible. For example, below are some of the features it provides.

  • Prevents kernel pointers from being read
  • Disables Ptrace for all programs
  • Disallows core dumping by SUID/SGID programs
  • Disables IPv4/IPv6 routing
  • Enables BBR TCP congestion control
  • Enables SYN cookies to mitigate SYN flooding attacks
  • Enables IP reverse path filtering for source validation
  • ...

Please review the configuration file carefully before applying it. You are responsible for actions done to your system. If you need some guidance understanding what each of the settings is for, sysctl-explorer might come in handy. You may also consult Linux's kernel documentation.

Assumptions

This configuration file is written with a few assumptions about your OS. You can still use this configuration as a template if your OS does not match these assumptions (e.g., set net.ipv4.ip_forward to 1 on a router). Making these assumptions lets us ship a configuration with as many optimizations as possible enabled for common systems.

  • Security is valued over performance and convenience
  • The OS does not act as a router
  • The OS is running on a 64-bit system
  • The OS is on a network that is relatively stable (e.g., wired vs. LTE)
  • No debugging features are required (e.g., no need for GDB/kdump)
  • ICMP echo messages are not regarded as harmful

Configuration Deployment

Kernel sysctl configuration files are stored in the directory /etc/sysctl.d. Every file in it with a .conf suffix is read by the procps (a.k.a. systemd-sysctl) service. Additionally, the procps service also loads configurations from the following directories.

  • /run/sysctl.d
  • /usr/local/lib/sysctl.d
  • /usr/lib/sysctl.d
  • /lib/sysctl.d

Files are sorted and read by their file names in lexicographic order. Variables read later will overwrite variables read earlier. For example, configurations in 20-something.conf will be read before 99-sysctl.conf. If a variable exists in both files, values read from 20-something.conf will be overwritten by values read from 99-sysctl.conf.

# in 20-something.conf
net.ipv4.ip_forward = 0

# in 99-sysctl.conf
net.ipv4.ip_forward = 1

# net.ipv4.ip_forward will be 1
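To see the precedence rules above in action, here is a small Python resolver, added as an example and not taken from this repository, that walks a sysctl.d layout the way systemd-sysctl does: it collects .conf files from the directories listed, lets a file in a higher-priority directory such as /etc/sysctl.d mask a same-named file in the lower-priority ones (the sysctl.d(5) masking rule, which the text above does not spell out), sorts the survivors by file name and applies them in order so the last definition wins. It builds a constructed directory tree under a temporary directory that mirrors the 20-something.conf / 99-sysctl.conf case and adds a z-k4yt3x.conf that sorts after 99-sysctl.conf; all file names and values in make_demo_tree are sample data, not real system files.

```python
"""Resolve the effective sysctl values from a set of sysctl.d directories,
reporting which file supplied each value."""
import os
import tempfile

# Directories in the order systemd-sysctl consults them, highest priority first
# (the same list the README gives; see also sysctl.d(5)).
SYSCTL_DIRS = ["/etc/sysctl.d", "/run/sysctl.d", "/usr/local/lib/sysctl.d",
               "/usr/lib/sysctl.d", "/lib/sysctl.d"]


def parse_sysctl_conf(path):
    """Return (key, value) pairs from one sysctl.conf-style file.
    Blank lines and lines starting with '#' or ';' are comments; a leading '-'
    on a key (sysctl's 'ignore errors' marker) is not part of the name."""
    pairs = []
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line[0] in "#;" or "=" not in line:
                continue
            key, value = line.split("=", 1)
            pairs.append((key.strip().lstrip("-"), value.strip()))
    return pairs


def collect_files(dirs):
    """Pick the files systemd-sysctl would load: every *.conf in the given
    directories, where a name already seen in a higher-priority directory masks
    the same name in a lower one; the survivors are sorted by file name."""
    chosen = {}
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):
            if name.endswith(".conf") and name not in chosen:
                chosen[name] = os.path.join(directory, name)
    return [chosen[name] for name in sorted(chosen)]


def resolve(dirs):
    """Return {key: (value, source_path)}; files read later override earlier ones,
    exactly as the 20-something.conf / 99-sysctl.conf example describes."""
    effective = {}
    for path in collect_files(dirs):
        for key, value in parse_sysctl_conf(path):
            effective[key] = (value, path)
    return effective


def make_demo_tree():
    """Build a constructed sysctl.d layout under a temp directory (sample data,
    not real system files) and return its directories in priority order."""
    root = tempfile.mkdtemp(prefix="sysctl-demo-")
    files = {
        "etc/sysctl.d/20-something.conf": "net.ipv4.ip_forward = 0\n",
        # stands in for the 99-sysctl.conf -> /etc/sysctl.conf link
        "etc/sysctl.d/99-sysctl.conf": "net.ipv4.ip_forward = 1\n",
        # same name in /etc and /usr/lib: the /etc copy masks the other entirely,
        # so net.core.rmem_max below is never applied
        "etc/sysctl.d/50-default.conf": "kernel.kptr_restrict = 0\n",
        "usr/lib/sysctl.d/50-default.conf": (
            "kernel.kptr_restrict = 1\nnet.core.rmem_max = 212992\n"),
        # a letter-initial name sorts after 99-sysctl.conf and wins
        "etc/sysctl.d/z-k4yt3x.conf": (
            "kernel.kptr_restrict = 2\nnet.ipv4.tcp_syncookies = 1\n"),
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return [os.path.join(root, d.lstrip("/")) for d in SYSCTL_DIRS]


if __name__ == "__main__":
    # Run against the constructed tree; pass SYSCTL_DIRS instead to inspect a
    # real Linux system (read access to those directories is enough).
    for key, (value, source) in sorted(resolve(make_demo_tree()).items()):
        print(f"{key} = {value}    # from {source}")
```

Running it against the constructed tree shows net.ipv4.ip_forward = 1 coming from 99-sysctl.conf and kernel.kptr_restrict = 2 coming from z-k4yt3x.conf, while net.core.rmem_max never appears because the /etc copy of 50-default.conf masked the /usr/lib one. That masking is the detail to keep in mind with Method 2 below: a package-installed file only disappears from the effective configuration if a file of the same name exists in a higher-priority directory; a file with a different name simply takes its place in the sorted order.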

Method 1: Deploy Definitively

By default, on most Linux distributions, the /etc/sysctl.d/99-sysctl.conf file is a link to the /etc/sysctl.conf file. Therefore, you may write the variables into the /etc/sysctl.conf. However, since configuration files with a file name that starts with an alphabetical character sort later in the list than 99-sysctl.conf, the changes you make in the /etc/sysctl.conf might not be the final value loaded into the kernel. To make sure that your changes are loaded into the kernel, you would have to make sure that your configuration file's name is lexicographically the last file in /etc/sysctl.d. The filename z-k4yt3x.conf will be used as an example in the code snippet below.

This deployment method is suitable for systems that do not expect to have their sysctl configurations updated from this repository anymore. Otherwise, the configuration file's content has to be updated every time a new update from this repository is installed.

# download the configuration file from GitHub using curl
curl https://raw.githubusercontent.com/k4yt3x/sysctl/master/sysctl.conf -o ~/sysctl.conf

# you may also download with wget or other methods if curl is not available
wget https://raw.githubusercontent.com/k4yt3x/sysctl/master/sysctl.conf -O ~/sysctl.conf

# move the configuration file into the sysctl configuration directory
sudo mv ~/sysctl.conf /etc/sysctl.d/z-k4yt3x.conf

# make sure the file has correct ownership and permissions
sudo chown root:root /etc/sysctl.d/z-k4yt3x.conf
sudo chmod 644 /etc/sysctl.d/z-k4yt3x.conf

Method 2: Deploy as Template

Alternatively, you can use this configuration file as a template. If you name the configuration file something akin to /etc/sysctl.d/98-k4yt3x.conf, you may overwrite values in this configuration file by giving them a new definition in the /etc/sysctl.conf file.

The advantage of doing this is that you would not have to change this template file's content every time it is updated in this repository. You can drop the template file in and make any modifications in /etc/sysctl.conf.

This method's disadvantage is that values from this template might be overwritten by values in other configuration files without your noticing. For example, a uhd-usrp2.conf exists on my system and overwrites the values of net.core.rmem_max and net.core.wmem_max set in previously read configuration files. Package managers can install new configuration files when you install a new package or update your system. Therefore, you will have to be careful that other files do not overwrite your variables.

# download the configuration file from GitHub using curl
curl https://raw.githubusercontent.com/k4yt3x/sysctl/master/sysctl.conf -o ~/sysctl.conf

# you may also download with wget or other methods if curl is not available
wget https://raw.githubusercontent.com/k4yt3x/sysctl/master/sysctl.conf -O ~/sysctl.conf

# move the configuration file into the sysctl configuration directory
sudo mv ~/sysctl.conf /etc/sysctl.d/98-k4yt3x.conf

# make sure the file has correct ownership and permissions
sudo chown root:root /etc/sysctl.d/98-k4yt3x.conf
sudo chmod 644 /etc/sysctl.d/98-k4yt3x.conf

Method 3: Custom Order (Personal Recommendation)

To ensure that the configuration files are read in an order you prefer, you may also rename the files to your preference. For example, you can install this template to /etc/sysctl.d/y-k4yt3x.conf, then make a symbolic link from /etc/sysctl.d/z-sysctl.conf to /etc/sysctl.conf. This makes it much more likely that these two files are read last.

# download the configuration file from GitHub using curl
curl https://raw.githubusercontent.com/k4yt3x/sysctl/master/sysctl.conf -o ~/sysctl.conf

# you may also download with wget or other methods if curl is not available
wget https://raw.githubusercontent.com/k4yt3x/sysctl/master/sysctl.conf -O ~/sysctl.conf

# move the configuration file into the sysctl configuration directory
sudo mv ~/sysctl.conf /etc/sysctl.d/y-k4yt3x.conf

# make sure the file has correct ownership and permissions
sudo chown root:root /etc/sysctl.d/y-k4yt3x.conf
sudo chmod 644 /etc/sysctl.d/y-k4yt3x.conf

# point z-sysctl.conf to /etc/sysctl.conf
sudo ln -s /etc/sysctl.conf /etc/sysctl.d/z-sysctl.conf

Loading and Verifying the Changes

For the changes to be effective, you will have to either reboot your machine or reload the configurations using one of the following commands.

# instruct sysctl to load settings from the configuration file into the live kernel
# this command allows you to see the variables as they are being loaded
sudo sysctl --system

# alternatively, you can restart the systemd-sysctl service on a system that uses systemd
sudo systemctl restart systemd-sysctl

# procps is an alias of systemd-sysctl
# restarting either one of procps and systemd-sysctl would work
sudo systemctl restart procps

Afterwards, you may verify your changes by dumping all kernel variables. Replace your.config in the following command with the name of the variable you would like to check.

sudo sysctl -a | grep "your.config"

For example, the following command prints the value of kernel.kptr_restrict.

$ sudo sysctl -a | grep "kernel.kptr_restrict"
kernel.kptr_restrict = 2
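As an added example (not part of this repository), the following Python script performs the verification step programmatically instead of grepping the output of sysctl -a: it compares a set of expected key/value pairs with what the running kernel reports by reading /proc/sys directly, normalizes whitespace so multi-value settings such as a port range compare correctly, and reports variables the kernel does not have at all, which is what you see after applying a setting that this kernel build lacks. A constructed in-memory stand-in for the kernel (fake_kernel) is included so the comparison logic runs on any machine; the values in DEMO_STATE and DEMO_EXPECTED are sample data, and kernel.example_missing_knob is a made-up name used only to exercise the missing-variable case.

```python
"""Check that the values a sysctl configuration asks for are the values the
running kernel actually reports, reading /proc/sys directly."""
import os


def key_to_proc_path(key):
    """Map a sysctl key to its /proc/sys path. sysctl(8) accepts either '.' or
    '/' as the separator; when '/' is used, dots are part of the component,
    which is how names such as eth0.1 are expressed."""
    parts = key.split("/") if "/" in key else key.split(".")
    return os.path.join("/proc/sys", *parts)


def read_live_value(key):
    """Read the current value of one variable from /proc/sys (Linux only)."""
    with open(key_to_proc_path(key)) as fh:
        return fh.read()


def normalize(value):
    """Collapse whitespace so the kernel's '32768\t60999\n' equals the
    '32768 60999' written in a configuration file."""
    return " ".join(value.split())


def check_values(expected, read_value=read_live_value):
    """Compare each expected key/value with what read_value returns.
    Returns a list of (key, expected, actual) for every mismatch, with actual
    set to None when the variable does not exist on this kernel."""
    mismatches = []
    for key, want in expected.items():
        try:
            got = read_value(key)
        except OSError:
            mismatches.append((key, want, None))
            continue
        if normalize(got) != normalize(want):
            mismatches.append((key, want, normalize(got)))
    return mismatches


def fake_kernel(state):
    """Build a read_value stand-in from a constructed {key: raw text} dict so
    the comparison logic can be exercised without root or a Linux box."""
    def read_value(key):
        if key not in state:
            raise FileNotFoundError(key_to_proc_path(key))
        return state[key]
    return read_value


# Constructed sample data: what a pretend kernel reports, and what a hardened
# configuration expects. ip_forward disagrees, and one knob is absent.
DEMO_STATE = {
    "kernel.kptr_restrict": "2\n",
    "net.ipv4.ip_forward": "1\n",
    "net.ipv4.ip_local_port_range": "32768\t60999\n",
}
DEMO_EXPECTED = {
    "kernel.kptr_restrict": "2",
    "net.ipv4.ip_forward": "0",
    "net.ipv4.ip_local_port_range": "32768 60999",
    "kernel.example_missing_knob": "1",   # made-up name for the missing case
}


def demo():
    """Run the check against the constructed kernel state."""
    return check_values(DEMO_EXPECTED, fake_kernel(DEMO_STATE))


if __name__ == "__main__":
    for key, want, got in demo():
        status = "missing on this kernel" if got is None else f"is {got}"
        print(f"{key}: expected {want}, {status}")
    # On a real Linux host, drop the reader argument to compare against /proc/sys:
    if os.path.isdir("/proc/sys"):
        print("live kernel.kptr_restrict =",
              normalize(read_live_value("kernel.kptr_restrict")))
```

On a real host you would feed check_values the key/value pairs from the file you deployed and leave read_value at its default; an empty result means every variable was applied. Reading /proc/sys needs no privileges for most keys, so the check can run as an ordinary user, and the None case is worth alerting on separately: a variable the kernel does not know about is silently skipped by sysctl --system, so the hardening it was meant to provide is simply not there.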

Short URL for Downloading sysctl.conf

For convenience, I have pointed the URL https://k4t.io/sysctl to the sysctl.conf file. You may therefore download the sysctl.conf file with the following command. However, be sure to check the file's integrity after downloading it if you choose to download using this method.

curl -L k4t.io/sysctl -o sysctl.conf
