diff options
Diffstat (limited to 'etc')
4 files changed, 106 insertions, 0 deletions
diff --git a/etc/hostapd/appliance/sysctl.conf.sample b/etc/hostapd/appliance/sysctl.conf.sample new file mode 100644 index 0000000..a1cd6fd --- /dev/null +++ b/etc/hostapd/appliance/sysctl.conf.sample @@ -0,0 +1,43 @@ +# IP traffic forwarding. +net.ipv4.ip_forward = 1 + +# Prevents SYN DOS attacks. Applies to ipv6 as well, despite name. +net.ipv4.tcp_syncookies = 1 + +# Prevents ip spoofing. +net.ipv4.conf.default.rp_filter = 1 +net.ipv4.conf.all.rp_filter = 1 + +# Only groups within this id range can use ping. +net.ipv4.ping_group_range=999 59999 + +# Redirects can potentially be used to maliciously alter hosts routing +# tables. +net.ipv4.conf.all.accept_redirects = 0 +net.ipv4.conf.all.secure_redirects = 1 + +# The source routing feature includes some known vulnerabilities. +net.ipv4.conf.all.accept_source_route = 0 + +# See RFC 1337 +net.ipv4.tcp_rfc1337 = 1 + +# Restart after 30 seconds after kernel panic +kernel.panic = 30 + +# Users should not be able to create soft or hard links to files +# which they do not own. This mitigates several privilege +# escalation vulnerabilities. +fs.protected_hardlinks = 1 +fs.protected_symlinks = 1 + +# Maximum number of network connections, which is 1024 per 128 MB. If +# the value is too low, network packets may get dropped. +net.netfilter.nf_conntrack_max = 1048576 +net.nf_conntrack_max = 1048576 + +# Only live IPTables connections are kept track of, dead connections +# are removed by a timeout period. By reducing this value, the +# tracking table becomes lean which is optimal for high traffic. +# Lowering this value might break long-running idle TCP connections. +net.netfilter.nf_conntrack_tcp_timeout_established = 3600 diff --git a/etc/optional/ipv6/hostapd/appliance/sysctl.d/ipv6.conf.sample b/etc/optional/ipv6/hostapd/appliance/sysctl.d/ipv6.conf.sample new file mode 100644 index 0000000..29bd382 --- /dev/null +++ b/etc/optional/ipv6/hostapd/appliance/sysctl.d/ipv6.conf.sample @@ -0,0 +1,10 @@ +# Enable IPv6 Privacy Extensions (see RFC 4941 and RFC 3041) +net.ipv6.conf.all.use_tempaddr = 2 +net.ipv6.conf.default.use_tempaddr = 2 + +# Redirects can potentially be used to maliciously alter hosts routing +# tables. +net.ipv6.conf.all.accept_redirects = 0 + +# The source routing feature includes some known vulnerabilities. +net.ipv6.conf.all.accept_source_route = 0 diff --git a/etc/optional/ipv6/wpa_supplicant/appliance/sysctl.d/ipv6.conf.sample b/etc/optional/ipv6/wpa_supplicant/appliance/sysctl.d/ipv6.conf.sample new file mode 100644 index 0000000..29bd382 --- /dev/null +++ b/etc/optional/ipv6/wpa_supplicant/appliance/sysctl.d/ipv6.conf.sample @@ -0,0 +1,10 @@ +# Enable IPv6 Privacy Extensions (see RFC 4941 and RFC 3041) +net.ipv6.conf.all.use_tempaddr = 2 +net.ipv6.conf.default.use_tempaddr = 2 + +# Redirects can potentially be used to maliciously alter hosts routing +# tables. +net.ipv6.conf.all.accept_redirects = 0 + +# The source routing feature includes some known vulnerabilities. +net.ipv6.conf.all.accept_source_route = 0 diff --git a/etc/wpa_supplicant/appliance/sysctl.conf.sample b/etc/wpa_supplicant/appliance/sysctl.conf.sample new file mode 100644 index 0000000..a1cd6fd --- /dev/null +++ b/etc/wpa_supplicant/appliance/sysctl.conf.sample @@ -0,0 +1,43 @@ +# IP traffic forwarding. +net.ipv4.ip_forward = 1 + +# Prevents SYN DOS attacks. Applies to ipv6 as well, despite name. +net.ipv4.tcp_syncookies = 1 + +# Prevents ip spoofing. +net.ipv4.conf.default.rp_filter = 1 +net.ipv4.conf.all.rp_filter = 1 + +# Only groups within this id range can use ping. +net.ipv4.ping_group_range=999 59999 + +# Redirects can potentially be used to maliciously alter hosts routing +# tables. +net.ipv4.conf.all.accept_redirects = 0 +net.ipv4.conf.all.secure_redirects = 1 + +# The source routing feature includes some known vulnerabilities. +net.ipv4.conf.all.accept_source_route = 0 + +# See RFC 1337 +net.ipv4.tcp_rfc1337 = 1 + +# Restart after 30 seconds after kernel panic +kernel.panic = 30 + +# Users should not be able to create soft or hard links to files +# which they do not own. This mitigates several privilege +# escalation vulnerabilities. +fs.protected_hardlinks = 1 +fs.protected_symlinks = 1 + +# Maximum number of network connections, which is 1024 per 128 MB. If +# the value is too low, network packets may get dropped. +net.netfilter.nf_conntrack_max = 1048576 +net.nf_conntrack_max = 1048576 + +# Only live IPTables connections are kept track of, dead connections +# are removed by a timeout period. By reducing this value, the +# tracking table becomes lean which is optimal for high traffic. +# Lowering this value might break long-running idle TCP connections. +net.netfilter.nf_conntrack_tcp_timeout_established = 3600 |