From 3ea204497db86ae5f7fb4fff0d83d875f09bee74 Mon Sep 17 00:00:00 2001
From: K4YT3X
Date: Mon, 7 Jun 2021 22:03:11 +0000
Subject: [PATCH] tweaked perf restrictions, disallowed IPv6 SRR and redirects
---
 sysctl.conf | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/sysctl.conf b/sysctl.conf
index d88b33a..dacbeb7 100644
--- a/sysctl.conf
+++ b/sysctl.conf
@@ -1,12 +1,13 @@
 # Name: K4YT3X Hardened sysctl Configuration
 # Author: K4YT3X
-# Contributors: IceCodeNew
+# Contributor: IceCodeNew
+# Contributor: HorlogeSkynet
 # Date Created: October 5, 2020
-# Last Updated: October 29, 2020
+# Last Updated: June 7, 2021
 # Licensed under the GNU General Public License Version 3 (GNU GPL v3),
 # available at: https://www.gnu.org/licenses/gpl-3.0.txt
-# (C) 2020 K4YT3X
+# (C) 2020-2021 K4YT3X
 # Multiple sources have been consulted while writing this configuration
 # file (e.g., nixCraft's sysctl.conf). Sources are not cited since this
@@ -64,7 +65,7 @@ kernel.pid_max = 4194304
 #kernel.panic = 10
 # restrict perf subsystem usage
-kernel.perf_event_paranoid = 2
+kernel.perf_event_paranoid = 3
 kernel.perf_cpu_time_max_percent = 1
 kernel.perf_event_max_sample_rate = 1
@@ -263,6 +264,14 @@ net.ipv6.conf.all.max_addresses = 1
 net.ipv6.conf.default.use_tempaddr = 2
 net.ipv6.conf.all.use_tempaddr = 2
+# ignore IPv6 ICMP redirect messages
+net.ipv6.conf.default.accept_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+
+# do not accept packets with SRR option
+net.ipv6.conf.default.accept_source_route = 0
+net.ipv6.conf.all.accept_source_route = 0
+
 # ignore all ICMPv6 echo requests
 #net.ipv6.icmp.echo_ignore_all = 1
 #net.ipv6.icmp.echo_ignore_anycast = 1
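Review bot: In the `@@ -64,7 +65,7 @@` hunk, `kernel.perf_event_paranoid = 3` needs a comment saying which kernels actually honour that level. Level 3 (no perf_event_open for unprivileged users) comes from a patch carried by some distribution kernels such as Debian and Ubuntu; as far as I know a mainline kernel accepts the value but enforces nothing beyond level 2. Someone deploying this file on an unpatched kernel would otherwise assume unprivileged perf is fully blocked. Suggested comment above the line: `# 3 = no unprivileged perf_event_open (distro-patched kernels only; behaves like 2 on mainline)`.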
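Review bot: In the `@@ -263,6 +264,14 @@` hunk, the comment `# do not accept packets with SRR option` overstates what `accept_source_route = 0` does for IPv6. Per the kernel's ip-sysctl documentation, a value >= 0 accepts routing header type 2 only and a negative value rejects routing headers altogether, and 0 is already the default, so the two added lines pin the default rather than tighten it. If refusing every routing header is the intent, the value would be `-1`, at the cost of Mobile IPv6; otherwise reword the comment to `# accept only type 2 routing headers (kernel default); -1 rejects all`.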