Diffstat (limited to 'etc')
-rw-r--r--etc/hostapd/appliance/sysctl.conf.sample43
-rw-r--r--etc/optional/ipv6/hostapd/appliance/sysctl.d/ipv6.conf.sample10
-rw-r--r--etc/optional/ipv6/wpa_supplicant/appliance/sysctl.d/ipv6.conf.sample10
-rw-r--r--etc/wpa_supplicant/appliance/sysctl.conf.sample43
4 files changed, 106 insertions, 0 deletions
diff --git a/etc/hostapd/appliance/sysctl.conf.sample b/etc/hostapd/appliance/sysctl.conf.sample
new file mode 100644
index 0000000..a1cd6fd
--- /dev/null
+++ b/etc/hostapd/appliance/sysctl.conf.sample
@@ -0,0 +1,43 @@
+# IP traffic forwarding.
+net.ipv4.ip_forward = 1
+
+# Prevents SYN DOS attacks. Applies to ipv6 as well, despite name.
+net.ipv4.tcp_syncookies = 1
+
+# Prevents ip spoofing.
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.rp_filter = 1
+
+# Only groups within this id range can use ping.
+net.ipv4.ping_group_range=999 59999
+
+# Redirects can potentially be used to maliciously alter hosts routing
+# tables.
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 1
+
+# The source routing feature includes some known vulnerabilities.
+net.ipv4.conf.all.accept_source_route = 0
+
+# See RFC 1337
+net.ipv4.tcp_rfc1337 = 1
+
+# Restart after 30 seconds after kernel panic
+kernel.panic = 30
+
+# Users should not be able to create soft or hard links to files
+# which they do not own. This mitigates several privilege
+# escalation vulnerabilities.
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+
+# Maximum number of network connections, which is 1024 per 128 MB. If
+# the value is too low, network packets may get dropped.
+net.netfilter.nf_conntrack_max = 1048576
+net.nf_conntrack_max = 1048576
+
+# Only live IPTables connections are kept track of, dead connections
+# are removed by a timeout period. By reducing this value, the
+# tracking table becomes lean which is optimal for high traffic.
+# Lowering this value might break long-running idle TCP connections.
+net.netfilter.nf_conntrack_tcp_timeout_established = 3600
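Review bot: With `net.ipv4.ip_forward = 1` on L20 this box acts as a router, yet nothing turns off ICMP redirect sending, so it will emit redirects to its clients by default; add `net.ipv4.conf.all.send_redirects = 0` and `net.ipv4.conf.default.send_redirects = 0` beside the accept_redirects pair on L34-35 (the kernel ORs the all and per-interface values for this knob, so both are needed, and `secure_redirects = 1` on L35 has no effect while accept_redirects is 0). L30 `net.ipv4.ping_group_range=999 59999` drops the ` = ` spacing every other line uses. The comment on L46-48 overstates `fs.protected_symlinks`, which restricts following symlinks in world-writable sticky directories rather than creating them; something like `# Restrict hardlink creation to files the user owns, and symlink following in world-writable sticky directories.` would be accurate. The `net.netfilter.*` keys on L54 and L61 only exist once the nf_conntrack module is loaded, so applying this file at early boot will likely report them as missing unless the module is loaded first. The last hunk (etc/wpa_supplicant/appliance/sysctl.conf.sample) is byte-identical and needs the same changes.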
diff --git a/etc/optional/ipv6/hostapd/appliance/sysctl.d/ipv6.conf.sample b/etc/optional/ipv6/hostapd/appliance/sysctl.d/ipv6.conf.sample
new file mode 100644
index 0000000..29bd382
--- /dev/null
+++ b/etc/optional/ipv6/hostapd/appliance/sysctl.d/ipv6.conf.sample
@@ -0,0 +1,10 @@
+# Enable IPv6 Privacy Extensions (see RFC 4941 and RFC 3041)
+net.ipv6.conf.all.use_tempaddr = 2
+net.ipv6.conf.default.use_tempaddr = 2
+
+# Redirects can potentially be used to maliciously alter hosts routing
+# tables.
+net.ipv6.conf.all.accept_redirects = 0
+
+# The source routing feature includes some known vulnerabilities.
+net.ipv6.conf.all.accept_source_route = 0
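Review bot: `net.ipv6.conf.all.accept_source_route = 0` on L77 does not change anything: per the kernel's ip-sysctl documentation the IPv6 knob is an integer whose default is already 0 ("accept only routing header type 2"), and only a negative value rejects routing headers, so if the comment on L76 means to reject them this should be `net.ipv6.conf.all.accept_source_route = -1`. The `default.*` counterparts are also missing for accept_redirects and accept_source_route, unlike use_tempaddr on L69-70; interfaces created after this file is applied take their per-interface value from conf/default, and as far as I can tell it is that per-interface value that IPv6 neighbour discovery consults, so add `net.ipv6.conf.default.accept_redirects = 0` and `net.ipv6.conf.default.accept_source_route = -1`. The next hunk (etc/optional/ipv6/wpa_supplicant/appliance/sysctl.d/ipv6.conf.sample) is byte-identical and needs the same changes.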
diff --git a/etc/optional/ipv6/wpa_supplicant/appliance/sysctl.d/ipv6.conf.sample b/etc/optional/ipv6/wpa_supplicant/appliance/sysctl.d/ipv6.conf.sample
new file mode 100644
index 0000000..29bd382
--- /dev/null
+++ b/etc/optional/ipv6/wpa_supplicant/appliance/sysctl.d/ipv6.conf.sample
@@ -0,0 +1,10 @@
+# Enable IPv6 Privacy Extensions (see RFC 4941 and RFC 3041)
+net.ipv6.conf.all.use_tempaddr = 2
+net.ipv6.conf.default.use_tempaddr = 2
+
+# Redirects can potentially be used to maliciously alter hosts routing
+# tables.
+net.ipv6.conf.all.accept_redirects = 0
+
+# The source routing feature includes some known vulnerabilities.
+net.ipv6.conf.all.accept_source_route = 0
diff --git a/etc/wpa_supplicant/appliance/sysctl.conf.sample b/etc/wpa_supplicant/appliance/sysctl.conf.sample
new file mode 100644
index 0000000..a1cd6fd
--- /dev/null
+++ b/etc/wpa_supplicant/appliance/sysctl.conf.sample
@@ -0,0 +1,43 @@
+# IP traffic forwarding.
+net.ipv4.ip_forward = 1
+
+# Prevents SYN DOS attacks. Applies to ipv6 as well, despite name.
+net.ipv4.tcp_syncookies = 1
+
+# Prevents ip spoofing.
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.rp_filter = 1
+
+# Only groups within this id range can use ping.
+net.ipv4.ping_group_range=999 59999
+
+# Redirects can potentially be used to maliciously alter hosts routing
+# tables.
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 1
+
+# The source routing feature includes some known vulnerabilities.
+net.ipv4.conf.all.accept_source_route = 0
+
+# See RFC 1337
+net.ipv4.tcp_rfc1337 = 1
+
+# Restart after 30 seconds after kernel panic
+kernel.panic = 30
+
+# Users should not be able to create soft or hard links to files
+# which they do not own. This mitigates several privilege
+# escalation vulnerabilities.
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+
+# Maximum number of network connections, which is 1024 per 128 MB. If
+# the value is too low, network packets may get dropped.
+net.netfilter.nf_conntrack_max = 1048576
+net.nf_conntrack_max = 1048576
+
+# Only live IPTables connections are kept track of, dead connections
+# are removed by a timeout period. By reducing this value, the
+# tracking table becomes lean which is optimal for high traffic.
+# Lowering this value might break long-running idle TCP connections.
+net.netfilter.nf_conntrack_tcp_timeout_established = 3600