# Name: K4YT3X Hardened sysctl Configuration
# Author: K4YT3X
# Contributor: IceCodeNew
# Contributor: HorlogeSkynet
# Date Created: October 5, 2020
# Last Updated: June 7, 2021

# Licensed under the GNU General Public License Version 3 (GNU GPL v3),
#   available at: https://www.gnu.org/licenses/gpl-3.0.txt
# (C) 2020-2021 K4YT3X

# Multiple sources have been consulted while writing this configuration
#  file (e.g., nixCraft's sysctl.conf). Sources are not cited since this
#  is not an academic document. Please refer to Linux documentations
#  should you have any questions.

########## Kernel ##########

# enable ExecShield protection
# 2 enables ExecShield by default unless applications bits are set to disabled
# uncomment on systems without NX/XD protections
# check with: dmesg | grep --color '[NX|DX]*protection'
#kernel.exec-shield = 2

# enable ASLR
# turn on protection and randomize stack, vdso page and mmap + randomize brk base address
kernel.randomize_va_space = 2

# controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# controls whether core dumps will append the PID to the core filename
# useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# restrict access to kernel address
# kernel pointers printed using %pK will be replaced with 0’s regardless of privileges
kernel.kptr_restrict = 2

# Ptrace protection using Yama
#   - 1: only a parent process can be debugged
#   - 2: only admins canuse ptrace (CAP_SYS_PTRACE capability required)
#   - 3: disables ptrace completely, reboot is required to re-enable ptrace
kernel.yama.ptrace_scope = 3

# restrict kernel logs to root only
kernel.dmesg_restrict = 1

# restrict BPF JIT compiler to root only
kernel.unprivileged_bpf_disabled = 1

# disables kexec as it can be used to livepatch the running kernel
kernel.kexec_load_disabled = 1

# disable unprivileged user namespaces to decrease attack surface
kernel.unprivileged_userns_clone = 0

# allow for more PIDs
# this value can be up to:
#   - 32768 (2^15) on a 32-bit system
#   - 4194304 (2^22) on a 64-bit system
kernel.pid_max = 4194304

# reboot machine after kernel panic
#kernel.panic = 10

# restrict perf subsystem usage
kernel.perf_event_paranoid = 3
kernel.perf_cpu_time_max_percent = 1
kernel.perf_event_max_sample_rate = 1

########## File System ##########

# disallow core dumping by SUID/SGID programs
fs.suid_dumpable = 0

# protect the creation of hard links
# one of the following conditions must be fulfilled
#   - the user can only link to files that he or she owns
#   - the user must first have read and write access to a file, that he/she wants to link to
fs.protected_hardlinks = 1

# protect the creation of symbolic links
# one of the following conditions must be fulfilled
#   - the process following the symbolic link is the owner of the symbolic link
#   - the owner of the directory is also the owner of the symbolic link
fs.protected_symlinks = 1

# enable extended FIFO protection
fs.protected_fifos = 2

# similar to protected_fifos, but it avoids writes to an attacker-controlled regular file
fs.protected_regular = 2

# increase system file descriptor limit
# this value can be up to:
#   - 2147483647 (0x7fffffff) on a 32-bit system
#   - 9223372036854775807 (0x7fffffffffffffff) on a 64-bit system
# be aware that the Linux kernel documentation suggests that inode-max should be 3-4 times
#   larger than this value
fs.file-max = 9223372036854775807

# increase the amount of files that can be watched
# each file watch handle takes 1080 bytes
# up to 540 MiB of memory will be consumed if all 524288 handles are used
fs.inotify.max_user_watches = 524288

########## Virtualization ##########

# do not allow mmap in lower addresses
vm.mmap_min_addr = 65536

# improve mmap ASLR effectness
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16

########## Networking ##########

# increase the maximum length of processor input queues
net.core.netdev_max_backlog = 250000

# enable BPF JIT hardening for all users
# this trades off performance, but can mitigate JIT spraying
net.core.bpf_jit_harden = 2

# increase TCP max buffer size setable using setsockopt()
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.rmem_default = 8388608
#net.core.wmem_default = 8388608
#net.core.optmem_max = 8388608

########## IPv4 Networking ##########

# enable BBR congestion control
net.ipv4.tcp_congestion_control = bbr

# disallow IPv4 packet forwarding
net.ipv4.ip_forward = 0

# enable SYN cookies for SYN flooding protection
net.ipv4.tcp_syncookies = 1

# number of times SYNACKs for a passive TCP connection attempt will be retransmitted
net.ipv4.tcp_synack_retries = 5

# do not send redirects
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0

# do not accept packets with SRR option
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0

# enable reverse path source validation (BCP38)
# refer to RFC1812, RFC2827, and BCP38 (http://www.bcp38.info)
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

# log packets with impossible addresses to kernel log
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1

# do not accept ICMP redirect messages
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0

# disable sending and receiving of shared media redirects
# this setting overwrites net.ipv4.conf.all.secure_redirects
# refer to RFC1620
net.ipv4.conf.default.shared_media = 0
net.ipv4.conf.all.shared_media = 0

# always use the best local address for announcing local IP via ARP
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2

# reply only if the target IP address is local address configured on the incoming interface
net.ipv4.conf.default.arp_ignore = 1
net.ipv4.conf.all.arp_ignore = 1

# drop Gratuitous ARP frames to prevent ARP poisoning
# this can cause issues when ARP proxies are used in the network
net.ipv4.conf.default.drop_gratuitous_arp = 1
net.ipv4.conf.all.drop_gratuitous_arp = 1

# ignore all ICMP echo requests
#net.ipv4.icmp_echo_ignore_all = 1

# ignore all ICMP echo and timestamp requests sent to broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1

# ignore bad ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1

# mitigate TIME-WAIT Assassination hazards in TCP
# refer to RFC1337
net.ipv4.tcp_rfc1337 = 1

# disable TCP window scaling
# this makes the host less susceptible to TCP RST DoS attacks
net.ipv4.tcp_window_scaling = 0

# increase system IP port limits
net.ipv4.ip_local_port_range = 1024 65535

# TCP timestamps could provide protection against wrapped sequence numbers,
#   but the host's uptime can be calculated precisely from its timestamps
# it is also possible to differentiate operating systems based on their use of timestamps
# - 0: disable TCP timestamps
# - 1: enable timestamps as defined in RFC1323 and use random offset for
#        each connection rather than only using the current time
# - 2: enable timestamps without random offsets
net.ipv4.tcp_timestamps = 0

# Refer to: https://dropbox.tech/infrastructure/optimizing-web-servers-for-high-throughput-and-low-latency
# the main problem with slowstart after idle is that “idle” is defined as one RTO, which is too small.
# Refer to: https://hpbn.co/building-blocks-of-tcp/#slow-start-restart
# Not surprisingly, SSR can have a significant impact on performance of long-lived TCP connections that may idle for bursts of time — e.g., due to user inactivity.
# As a result, it is generally recommended to disable SSR on the server to help improve performance of long-lived HTTP connections.
# Refer to: https://github.com/httpwg/http2-spec/wiki/Ops
# This drops cwnd back down to initcwnd and goes back to slow start after the connection has been “idle” (defined as the RTO). This kills persistent single connection performance and should be turned off.
net.ipv4.tcp_slow_start_after_idle = 0

# enabling SACK can increase the throughput
# but SACK is commonly exploited and rarely used
net.ipv4.tcp_sack = 0

# divide socket buffer evenly between TCP window size and application
net.ipv4.tcp_adv_win_scale = 1

# increase memory thresholds to prevent packet dropping
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608

########## IPv6 Networking ##########

# disallow IPv6 packet forwarding
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0

# number of Router Solicitations to send until assuming no routers are present
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.all.router_solicitations = 0

# do not accept Router Preference from RA
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 0

# learn prefix information in router advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_ra_pinfo = 0

# setting controls whether the system will accept Hop Limit settings from a router advertisement
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_defrtr = 0

# router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.all.autoconf = 0

# number of neighbor solicitations to send out per address
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.all.dad_transmits = 0

# number of global unicast IPv6 addresses can be assigned to each interface
net.ipv6.conf.default.max_addresses = 1
net.ipv6.conf.all.max_addresses = 1

# enable IPv6 Privacy Extensions (RFC3041) and prefer the temporary address
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2

# ignore IPv6 ICMP redirect messages
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# do not accept packets with SRR option
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# ignore all ICMPv6 echo requests
#net.ipv6.icmp.echo_ignore_all = 1
#net.ipv6.icmp.echo_ignore_anycast = 1
#net.ipv6.icmp.echo_ignore_multicast = 1