tweaked perf restrictions, disallowed IPv6 SRR and redirects

2025-12-29 16:16:10 +00:00 · 2021-06-07 22:03:11 +00:00
parent 50d77687e4
commit 3ea204497d
1 changed files with 13 additions and 4 deletions
--- a/sysctl.conf
+++ b/sysctl.conf
@@ -1,12 +1,13 @@
 # Name: K4YT3X Hardened sysctl Configuration
 # Author: K4YT3X
-# Contributors: IceCodeNew
+# Contributor: IceCodeNew
+# Contributor: HorlogeSkynet
 # Date Created: October 5, 2020
-# Last Updated: October 29, 2020
+# Last Updated: June 7, 2021

 # Licensed under the GNU General Public License Version 3 (GNU GPL v3),
 #   available at: https://www.gnu.org/licenses/gpl-3.0.txt
-# (C) 2020 K4YT3X
+# (C) 2020-2021 K4YT3X

 # Multiple sources have been consulted while writing this configuration
 #  file (e.g., nixCraft's sysctl.conf). Sources are not cited since this
@@ -64,7 +65,7 @@ kernel.pid_max = 4194304
 #kernel.panic = 10

 # restrict perf subsystem usage
-kernel.perf_event_paranoid = 2
+kernel.perf_event_paranoid = 3
 kernel.perf_cpu_time_max_percent = 1
 kernel.perf_event_max_sample_rate = 1

@@ -263,6 +264,14 @@ net.ipv6.conf.all.max_addresses = 1
 net.ipv6.conf.default.use_tempaddr = 2
 net.ipv6.conf.all.use_tempaddr = 2

+# ignore IPv6 ICMP redirect messages
+net.ipv6.conf.default.accept_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+
+# do not accept packets with SRR option
+net.ipv6.conf.default.accept_source_route = 0
+net.ipv6.conf.all.accept_source_route = 0
+
 # ignore all ICMPv6 echo requests
 #net.ipv6.icmp.echo_ignore_all = 1
 #net.ipv6.icmp.echo_ignore_anycast = 1