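###########################################################################################
# Debian Bookworm VPS Hardening Setup Script V4.8.128.2024.07.07
###########################################################################################
# Copyright (c) 2019 - 2024, Marc Weidner, Centurion Intelligence Consulting Agency
# https://coresecret.eu/
# Licensed under the EUROPEAN UNION PUBLIC LICENCE v. 1.2 https://eupl.eu/1.2/en/
###########################################################################################
# https://keys.openpgp.org/vks/v1/by-fingerprint/A6D46A56AE17A185AB0F6DB77095A8A13CBE0FA3
# Fingerprint A6D4 6A56 AE17 A185 AB0F 6DB7 7095 A8A1 3CBE 0FA3 ## valid till: 01.01.2031
###########################################################################################
# ! Warning !
# Be careful not to lock yourself out of your system after a restart due to incorrect
# settings. For example, 'kernel.modules_disabled=1' will usually prevent the network
# stack from being brought up after a reboot, which means NO SSH.
###########################################################################################
# sysctl.conf(5) format: one "key=value" per line, '#' starts a full-line comment.
# Apply on a running system first (sysctl -p <this file>) and keep an out-of-band
# console available before rebooting with it installed.
###########################################################################################


##### Linux Kernel #####

# Disable loading new kernel modules for the rest of this boot. Applied from a sysctl
# file this takes effect early, before drivers and netfilter modules are loaded on
# demand - see the warning above. One-way: cannot be reverted without a reboot.
kernel.modules_disabled=1

# Hide kernel pointers (%pK) from all users, including root.
kernel.kptr_restrict=2

# Restrict dmesg(1) / reading the kernel log to processes with CAP_SYSLOG.
kernel.dmesg_restrict=1

# Despite dmesg_restrict, kernel messages are still printed to the console during boot.
# Fields: console_loglevel default_message_loglevel minimum_console_loglevel
# default_console_loglevel. Level 3 limits the console to errors and above.
kernel.printk=3 3 3 3

# Restrict the bpf() syscall to privileged processes (CAP_SYS_ADMIN / CAP_BPF).
# Value 1 is one-way until reboot; value 2 would allow re-enabling at runtime.
kernel.unprivileged_bpf_disabled=1
# Harden the BPF JIT (constant blinding) for all users, including privileged ones.
net.core.bpf_jit_harden=2

# Loading TTY line disciplines on demand requires CAP_SYS_MODULE.
dev.tty.ldisc_autoload=0

# The userfaultfd() syscall is often abused to exploit use-after-free flaws;
# restrict it to processes with CAP_SYS_PTRACE.
vm.unprivileged_userfaultfd=0

# kexec lets the running kernel boot another kernel at runtime, which can be abused to
# replace the kernel with a malicious one. Disabling it is one-way until reboot.
kernel.kexec_load_disabled=1

# Disable the SysRq key entirely; it exposes a lot of potentially dangerous debugging
# functionality (reboot, process kill, memory dumps) to anyone with console access.
kernel.sysrq=0

# Full address-space randomisation: stack, mmap base, VDSO and brk.
kernel.randomize_va_space=2

# Refuse O_CREAT opens of FIFOs and regular files not owned by the opener (or the
# directory owner) in world- and group-writable sticky directories such as /tmp.
# Prevents tmp-file substitution in attacker-controlled directories.
fs.protected_fifos=2
fs.protected_regular=2

# Follow symlinks in world-writable sticky directories only when the owner of the
# symlink and the follower match, or when the directory owner matches the symlink's
# owner. Hard links may only be created to files the user owns or can read and write.
fs.protected_symlinks=1
fs.protected_hardlinks=1

# ptrace is a system call that allows a program to alter and inspect another running
# process, which allows attackers to trivially modify the memory of other running
# programs. Yama ptrace_scope values:
#
# 0 - classic ptrace permissions:
# a process can PTRACE_ATTACH to any other process running under the same uid, as long
# as it is dumpable (i.e. did not transition uids, start privileged, or have called
# prctl(PR_SET_DUMPABLE...) already). Similarly, PTRACE_TRACEME is unchanged.
#
# 1 - restricted ptrace:
# a process must have a predefined relationship with the inferior it wants to call
# PTRACE_ATTACH on. By default, this relationship is that of only its descendants when
# the above classic criteria are also met. To change the relationship, an inferior can
# call prctl(PR_SET_PTRACER, debugger, ...) to declare an allowed debugger PID to call
# PTRACE_ATTACH on the inferior. Using PTRACE_TRACEME is unchanged.
#
# 2 - admin-only attach:
# only processes with CAP_SYS_PTRACE may use ptrace, either with PTRACE_ATTACH or
# through children calling PTRACE_TRACEME.
#
# 3 - no attach:
# no processes may use ptrace with PTRACE_ATTACH nor via PTRACE_TRACEME. Once set,
# this sysctl value cannot be changed.
kernel.yama.ptrace_scope=2

# Core dumps (and anything that reads them) can expose secrets held in memory.
# suid_dumpable=0 stops set-uid / otherwise privileged processes from dumping at all,
# and piping core_pattern into /bin/false discards every other dump. core_uses_pid only
# affects the dump file name (appends .PID) and is kept for completeness.
fs.suid_dumpable=0
kernel.core_pattern=|/bin/false
kernel.core_uses_pid=1

# Performance events add considerable kernel attack surface and have caused abundant
# vulnerabilities. 2 (the upstream default) already denies unprivileged kernel
# profiling; some distribution kernels, reportedly including Debian's, also accept 3,
# which disables perf_event_open() for unprivileged users entirely. Left disabled here
# because it affects profiling tools; enable after confirming nothing relies on perf.
#kernel.perf_event_paranoid=2

# ASLR is a common exploit mitigation which randomises the position of critical parts
# of a process in memory, so most exploits first need an information leak. The
# following settings raise the bits of entropy used for mmap ASLR. The values are
# architecture-dependent: 32 / 16 are the maxima on x86-64 (native / 32-bit compat);
# the kernel rejects out-of-range values on other architectures.
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16

# Similar to core dumps, swapping or paging copies parts of memory, which can contain
# sensitive information, to disk. Only swap when absolutely necessary.
vm.swappiness=1


##### Network Stack #####

# Drop source-routed packets; this host is not a router.
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0

# Ignore all ICMP echo requests (ping): avoids being used as a Smurf reflector and makes
# the host harder to enumerate. This only covers echo (type 8); ICMP timestamp requests
# (type 13), used for clock fingerprinting, are not affected and must be blocked in the
# firewall. Expect ping-based monitoring to report this host as down.
net.ipv4.icmp_echo_ignore_all=1

# Ignore echo requests sent to broadcast / multicast addresses.
net.ipv4.icmp_echo_ignore_broadcasts=1

# SYN cookies protect the listen backlog against SYN flood attacks.
net.ipv4.tcp_syncookies=1

# RFC 1337: drop RST packets for sockets in the TIME-WAIT state to protect against
# time-wait assassination.
net.ipv4.tcp_rfc1337=1

# Strict reverse-path filtering: drop packets whose source address is not routable back
# through the interface they arrived on. Protects against IP spoofing, in which an
# attacker sends a packet with a fraudulent source address. Use 2 (loose mode) instead
# if the host has asymmetric routing, or legitimate traffic will be dropped.
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1

# Neither accept nor send ICMP redirects: prevents an on-link attacker from rewriting
# the host's routes (man-in-the-middle) and avoids disclosing routing information.
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0

# A martian packet has a source address which is obviously wrong - nothing could
# possibly be routed back to that address. Logging them is useful for detection but can
# be noisy on busy or misconfigured networks.
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1

# Do not forward packets between interfaces - this host is not a router. The default
# and IPv6 keys are set so forwarding is off for every interface, matching the
# all/default, IPv4/IPv6 pairs used above. Container runtimes that expect forwarding
# (e.g. Docker) enable it themselves and will conflict with this file.
net.ipv4.conf.all.forwarding=0
net.ipv4.conf.default.forwarding=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.default.forwarding=0


# Copyright (c) 2019 - 2024, Marc Weidner, Centurion Intelligence Consulting Agency
# Descriptions partly Copyright (c) 2022 madaidan, https://madaidans-insecurities.github.io/index.html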