141 lines
8.2 KiB
Plaintext
141 lines
8.2 KiB
Plaintext
###########################################################################################
|
|
# Debian Bookworm VPS Hardening Setup Script V5.42.128.2024.10.30 #
|
|
###########################################################################################
|
|
# Copyright (c) 2018 - 2024, Marc Simon Weidner, Centurion Intelligence Consulting Agency #
|
|
# https://coresecret.eu/ #
|
|
# Licensed under the EUROPEAN UNION PUBLIC LICENCE v. 1.2 https://eupl.eu/1.2/en/ #
|
|
###########################################################################################
|
|
# https://keys.openpgp.org/vks/v1/by-fingerprint/A6D46A56AE17A185AB0F6DB77095A8A13CBE0FA3 #
|
|
# Fingerprint A6D4 6A56 AE17 A185 AB0F 6DB7 7095 A8A1 3CBE 0FA3 ## valid till: 01.01.2031 #
|
|
###########################################################################################
|
|
# ! Warning ! #
|
|
# Be careful not to lock yourself out of your system after a restart due to incorrect #
|
|
# settings. For example, 'kernel.modules_disabled=1' will usually prevent the network #
|
|
# stack from being brought up after a reboot, which means NO SSH. #
|
|
###########################################################################################
|
|
|
|
##### Linux Kernel #####
|
|
|
|
# Disable loading new modules. Be careful with using this option !
|
|
kernel.modules_disabled=1
|
|
|
|
# Restricting access to kernel pointers.
|
|
kernel.kptr_restrict=2
|
|
|
|
# Restricting access to kernel logs.
|
|
kernel.dmesg_restrict=1
|
|
|
|
#Despite the value of dmesg_restrict, the kernel log will still be displayed in the console during boot. This option prevents those information leaks.
|
|
kernel.printk=3 3 3 3
|
|
|
|
# Restricting eBPF to the CAP_BPF capability
|
|
kernel.unprivileged_bpf_disabled=1
|
|
net.core.bpf_jit_harden=2
|
|
|
|
# Restricting loading TTY line disciplines to the CAP_SYS_MODULE capability
|
|
dev.tty.ldisc_autoload=0
|
|
|
|
# The userfaultfd() syscall is often abused to exploit use-after-free flaws. This sysctl is used to restrict this syscall to the CAP_SYS_PTRACE capability.
|
|
vm.unprivileged_userfaultfd=0
|
|
|
|
# kexec is a system call that is used to boot another kernel during runtime. This functionality can be abused to load a malicious kernel and gain arbitrary code execution in kernel mode, so this sysctl disables it.
|
|
kernel.kexec_load_disabled=1
|
|
|
|
# The SysRq key exposes a lot of potentially dangerous debugging functionality to unprivileged users. You can simply set the value to 0 to disable SysRq completely.
|
|
kernel.sysrq=0
|
|
|
|
# Randomise memory space.
|
|
kernel.randomize_va_space=2
|
|
|
|
# These prevent creating files in potentially attacker-controlled environments, such as world-writable directories.
|
|
fs.protected_fifos=2
|
|
fs.protected_regular=2
|
|
|
|
# This only permits symlinks to be followed when outside of a world-writable sticky directory, when the owner of the symlink and follower match or when the directory owner matches the symlink's owner.
|
|
fs.protected_symlinks=1
|
|
fs.protected_hardlinks=1
|
|
|
|
# ptrace is a system call that allows a program to alter and inspect another running process, which allows attackers to trivially modify the memory of other running programs.
|
|
# 0 - classic ptrace permissions:
|
|
# a process can PTRACE_ATTACH to any other process running under the same uid, as long as it is dumpable (i.e. did not transition uids, start privileged, or have called prctl(PR_SET_DUMPABLE...) already). Similarly, PTRACE_TRACEME is unchanged.
|
|
#
|
|
# 1 - restricted ptrace:
|
|
# a process must have a predefined relationship with the inferior it wants to call PTRACE_ATTACH on. By default, this relationship is that of only its descendants when the above classic criteria is also met. To change the relationship, an inferior can call prctl(PR_SET_PTRACER, debugger, ...) to declare an allowed debugger PID to call PTRACE_ATTACH on the inferior. Using PTRACE_TRACEME is unchanged.
|
|
#
|
|
# 2 - admin-only attach:
|
|
# only processes with CAP_SYS_PTRACE may use ptrace, either with PTRACE_ATTACH or through children calling PTRACE_TRACEME.
|
|
#
|
|
# 3 - no attach:
|
|
# no processes may use ptrace with PTRACE_ATTACH nor via PTRACE_TRACEME. Once set, this sysctl value cannot be changed.
|
|
kernel.yama.ptrace_scope=2
|
|
|
|
# Use filename based on core_pattern value
|
|
kernel.core_uses_pid=1
|
|
|
|
# Performance events add considerable kernel attack surface and have caused abundant vulnerabilities. Be careful, performance might be affected.
|
|
#kernel.perf_event_paranoid=2
|
|
|
|
# ASLR is a common exploit mitigation which randomises the position of critical parts of a process in memory. This can make a wide variety of exploits harder to pull off, as they first require an information leak. The above settings increase the bits of entropy used for mmap ASLR, improving its effectiveness.
|
|
# The values of these sysctls must be set in relation to the CPU architecture. The above values are compatible with x86, but other architectures may differ.
|
|
vm.mmap_rnd_bits=32
|
|
vm.mmap_rnd_compat_bits=16
|
|
|
|
# Similar to core dumps, swapping or paging copies parts of memory to disk, which can contain sensitive information. The kernel should be configured to only swap if absolutely necessary
|
|
vm.swappiness=1
|
|
|
|
# Process that run with elevated privileges may still dump their memory even after these settings.
|
|
fs.suid_dumpable=0
|
|
kernel.core_pattern=|/bin/false
|
|
|
|
|
|
##### Network Stack #####
|
|
|
|
# Disable IP source routing, we are not a router:
|
|
net.ipv4.conf.all.accept_source_route=0
|
|
net.ipv4.conf.default.accept_source_route=0
|
|
net.ipv6.conf.all.accept_source_route=0
|
|
net.ipv6.conf.default.accept_source_route=0
|
|
|
|
# This setting makes your system ignore all ICMP requests to avoid Smurf attacks, make the device more difficult to enumerate on the network and prevent clock fingerprinting through ICMP timestamps.
|
|
net.ipv4.icmp_echo_ignore_all=1
|
|
|
|
# Enable ignoring broadcasts request.
|
|
net.ipv4.icmp_echo_ignore_broadcasts=1
|
|
|
|
# This helps protect against SYN flood attacks
|
|
net.ipv4.tcp_syncookies=1
|
|
|
|
# This protects against time-wait assassination by dropping RST packets for sockets in the time-wait state.
|
|
net.ipv4.tcp_rfc1337=1
|
|
|
|
# These enable source validation of packets received from all interfaces of the machine. This protects against IP spoofing, in which an attacker sends a packet with a fraudulent IP address.
|
|
net.ipv4.conf.all.rp_filter=1
|
|
net.ipv4.conf.default.rp_filter=1
|
|
|
|
# These disable ICMP redirect acceptance and sending to prevent man-in-the-middle attacks and minimise information disclosure.
|
|
net.ipv4.conf.all.accept_redirects=0
|
|
net.ipv4.conf.default.accept_redirects=0
|
|
net.ipv4.conf.all.secure_redirects=0
|
|
net.ipv4.conf.default.secure_redirects=0
|
|
net.ipv6.conf.all.accept_redirects=0
|
|
net.ipv6.conf.default.accept_redirects=0
|
|
net.ipv4.conf.all.send_redirects=0
|
|
net.ipv4.conf.default.send_redirects=0
|
|
|
|
# A martian packet is a packet with a source address which is obviously wrong - nothing could possibly be routed back to that address.
|
|
net.ipv4.conf.all.log_martians=1
|
|
net.ipv4.conf.default.log_martians=1
|
|
|
|
# Deactivates IP forwarding. This means that the system discards packets that are not intended for its own IP addresses. It therefore does not act as a router and does not forward data packets between network interfaces.
|
|
net.ipv4.conf.all.forwarding=0
|
|
|
|
# Disabling RA prevents the system from receiving routing information from potentially insecure or compromised routers. This is particularly important for servers that use static network configurations and should not dynamically accept new IPv6 routes or prefixes. An attacker could otherwise use forged RA messages to change the network route and redirect traffic, for example.
|
|
net.ipv6.conf.all.accept_ra=0
|
|
net.ipv6.conf.default.accept_ra=0
|
|
|
|
# These parameters relate to secure ICMP redirects. ICMP redirects are messages that a router sends to a device to inform it that there is a better route for the data traffic. This setting prevents the system from responding to redirects that have been spoofed by potential attackers to redirect traffic (e.g. for man-in-the-middle attacks).
|
|
net.ipv4.conf.all.secure_redirects=1
|
|
net.ipv4.conf.default.secure_redirects=1
|
|
|
|
# Copyright (c) 2018 - 2024, Marc Simon Weidner, Centurion Intelligence Consulting Agency
|
|
# Descriptions partly Copyright (c) 2022 madaidan, https://madaidans-insecurities.github.io/index.html |