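#######################################
# NSA-Level Kernel Hardening (Linux) #
# Includes rare and uncommon settings #
#######################################
# Format notes for sysctl(8):
# - Only whole-line comments (# or ;) are recognised. Text after the value is
#   NOT a comment: it is passed to the kernel as part of the value, so every
#   explanation in this file is on its own line above the key.
# - A key repeated in the file is applied twice and the last value wins, so
#   each key appears exactly once below.
# - Keys that do not exist on the running kernel (missing module, older
#   kernel) are reported as errors and skipped; the rest of the file still
#   applies. Check the result with: sysctl -a

###############
# FILE SYSTEM #
###############
# Refuse hardlinks/symlinks that cross ownership in world-writable dirs
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# 1 = protect FIFOs/regular files in world-writable sticky dirs,
# 2 = also in group-writable sticky dirs
fs.protected_fifos = 2
fs.protected_regular = 2

##############################
# KERNEL EXPLOIT MITIGATION #
##############################
# Full ASLR (stack, mmap base, VDSO and brk)
kernel.randomize_va_space = 2
# Hide kernel pointers from all users, including root
kernel.kptr_restrict = 2
# Restrict dmesg to root only
kernel.dmesg_restrict = 1
# Yama ptrace scope: 1 = only parent may attach to children,
# 2 = only processes with CAP_SYS_PTRACE may attach. Value 2 breaks
# unprivileged debugging (strace -p / gdb -p) by design.
kernel.yama.ptrace_scope = 2
# Disable unprivileged eBPF. 1 can be re-enabled by root at runtime;
# 2 is one-way until reboot.
kernel.unprivileged_bpf_disabled = 1
# Disable magic SysRq keys
kernel.sysrq = 0

####################
# MEMORY SECURITY #
####################
# Lowest address userspace may mmap; blocks NULL-page mapping used in
# kernel NULL-pointer-dereference exploits
vm.mmap_min_addr = 65536
# 2 = never overcommit: commit limit is swap + overcommit_ratio% of RAM.
# Programs that rely on overcommit (large sparse allocations, JVM heaps)
# will get ENOMEM; size overcommit_ratio for the host's workload.
vm.overcommit_memory = 2
vm.overcommit_ratio = 50
# Panic (and therefore reboot, with kernel.panic set) on a system-wide OOM
# rather than running degraded. Only for hosts where that trade-off is wanted.
vm.panic_on_oom = 1

##################
# CORE DUMPING #
##################
# No core dumps for SUID binaries
fs.suid_dumpable = 0
kernel.core_uses_pid = 0
# Pipe every core dump to /bin/false so nothing is ever written to disk
kernel.core_pattern = |/bin/false

######################
# NETWORK HARDENING #
######################
# General IP Protection
# Strict reverse-path filtering; drops spoofed packets
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log packets with impossible source addresses (detection aid for rp_filter)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1

# TCP Hardening
# Prevent uptime/host fingerprinting via TCP timestamps.
# Side effect: also disables PAWS and timestamp-based RTT estimation.
net.ipv4.tcp_timestamps = 0
# Disable SACK/DSACK (historically abused for DoS). Costs throughput on
# lossy links; re-enable on patched kernels if performance matters.
net.ipv4.tcp_sack = 0
net.ipv4.tcp_dsack = 0
# Protect against TIME-WAIT assassination
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 600
# SYN flood tuning (single definition; the file previously set this twice)
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_max_orphans = 500
net.ipv4.ip_local_port_range = 2000 65000

# ICMP Rate Limits
net.ipv4.icmp_ratelimit = 100
net.ipv4.icmp_ratemask = 88089
# 0 = still answer ICMP echo; set to 1 to ignore all pings
net.ipv4.icmp_echo_ignore_all = 0

# IPv6 (disable unless required)
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# Source Routing for IPv6
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Redirects and RA for IPv6
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.router_solicitations = 0
net.ipv6.conf.default.router_solicitations = 0
# Disable IPv6 autoconf and privacy extensions
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.default.use_tempaddr = 0

##############################
# RARE / ADVANCED SETTINGS #
##############################
# Restrict loading of kernel modules.
# Set to 1 to permanently disable module loading (irreversible without
# reboot). sysctl --system runs early at boot, so every module the host
# needs (including nf_conntrack below) must already be loaded first.
kernel.modules_disabled = 0
# Realtime scheduler restrictions (us of each 1s period available to RT tasks)
kernel.sched_rt_runtime_us = 950000
# Connection-tracking table size. This key only exists once the
# nf_conntrack module is loaded; until then sysctl reports it and moves on.
# (The legacy spelling net.ipv4.netfilter.ip_conntrack_max is gone on
# current kernels.)
net.netfilter.nf_conntrack_max = 65535
# Multicast forwarding: net.ipv4.conf.all.mc_forwarding is read-only (it
# reports whether a multicast routing daemon is active), so it cannot be
# set here and was removed. Multicast routing is off unless such a daemon
# (e.g. pimd, mrouted) is running.
# Disable proxy ARP
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.default.proxy_arp = 0

#####################################
# APPLY WITH: sysctl --system #
#####################################
# sysctl --system reads /etc/sysctl.d/*.conf (and /etc/sysctl.conf);
# later files override earlier ones key by key.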