Sysctl references: Arch TCP/IP stack hardening, Cyberciti Nginx Hardening, Cyberciti Security Hardening, Grsecurity and PaX Configuration.
Since the kernels on c9-ports ship with PaX and grsecurity, /etc/sysctl.conf can hold the following values:
```
#
# /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
#
kernel.printk = 7 1 1 4
kernel.randomize_va_space = 2

# Shared Memory
#kernel.shmmax = 500000000

# Total number of allocated file handles (fs.file-nr is a read-only counter,
# listed here for reference only)
# fs.file-nr =
vm.mmap_min_addr = 65536

# Allow for more PIDs (to reduce rollover problems); may break some programs.
# The default is 32768.
kernel.pid_max = 65536

#
# Memory Protections
#
# If you say Y here, all ioperm and iopl calls will return an error.
# Ioperm and iopl can be used to modify the running kernel.
# Unfortunately, some programs need this access to operate properly,
# the most notable of which are XFree86 and hwclock. hwclock can be
# remedied by having RTC support in the kernel, so real-time
# clock support is enabled if this option is enabled, to ensure
# that hwclock operates correctly.
#
# If you're using XFree86 or a version of Xorg from 2012 or earlier,
# you may not be able to boot into a graphical environment with this
# option enabled. In this case, you should use the RBAC system instead.
kernel.grsecurity.disable_priv_io = 1

# If you say Y here, attempts to bruteforce exploits against forking
# daemons such as apache or sshd, as well as against suid/sgid binaries
# will be deterred. When a child of a forking daemon is killed by PaX
# or crashes due to an illegal instruction or other suspicious signal,
# the parent process will be delayed 30 seconds upon every subsequent
# fork until the administrator is able to assess the situation and
# restart the daemon.
# In the suid/sgid case, the attempt is logged, the user has all their
# existing instances of the suid/sgid binary terminated and will
# be unable to execute any suid/sgid binaries for 15 minutes.
#
# It is recommended that you also enable signal logging in the auditing
# section so that logs are generated when a process triggers a suspicious
# signal.
# If the sysctl option is enabled, a sysctl option with name
# "deter_bruteforce" is created.
kernel.grsecurity.deter_bruteforce = 1

#
# Filesystem Protections
#
# Optimization for port use for LBs
# Increase system file descriptor limit
fs.file-max = 65535

# If you say Y here, /tmp race exploits will be prevented, since users
# will no longer be able to follow symlinks owned by other users in
# world-writable +t directories (e.g. /tmp), unless the owner of th
```

Two caveats when applying this file: the kernel.grsecurity.* keys only exist under /proc/sys on a kernel built with grsecurity, so on a stock kernel `sysctl -p` reports each of them as missing and they have no effect. grsecurity also provides kernel.grsecurity.grsec_lock; once it is set to 1, the grsecurity sysctls cannot be changed again until reboot, so set it last and only after the values above have been verified.
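As an added check (an example script written for this page, not code from c9-ports or from the referenced guides), the script below audits a sysctl.conf fragment against the live values under /proc/sys and reports keys that differ or that do not exist on the running kernel, which is exactly what happens to the kernel.grsecurity.* keys on a kernel without grsecurity. The SYSCTL_ROOT variable and the embedded WANTED sample (a constructed subset of the values above) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from c9-ports: audit a sysctl.conf fragment against the
# live values under /proc/sys. For each "key = value" line it prints
#   OK      key wanted          (live value matches)
#   DIFF    key wanted current  (live value differs: sysctl -p not run, or overridden)
#   MISSING key wanted          (no such key on this kernel, e.g. kernel.grsecurity.*
#                                on a kernel built without grsecurity)
# SYSCTL_ROOT is an assumption of this example: it defaults to /proc/sys and
# can be pointed at a directory tree that mimics it for offline testing.

: "${SYSCTL_ROOT:=/proc/sys}"

# Constructed sample: a subset of the values from the sysctl.conf above.
WANTED='
# comments and blank lines are ignored, as sysctl(8) does
kernel.printk = 7 1 1 4
kernel.randomize_va_space = 2
vm.mmap_min_addr=65536
kernel.pid_max = 65536
fs.file-max = 65535
kernel.grsecurity.disable_priv_io = 1
kernel.grsecurity.deter_bruteforce = 1
'

# kernel.pid_max -> $SYSCTL_ROOT/kernel/pid_max
key_to_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# Collapse runs of blanks and tabs and trim, so "7 1 1 4" compares equal to
# the tab-separated form the kernel prints for kernel.printk.
norm() {
    printf '%s' "$1" | tr -s ' \t' ' ' | sed 's/^ //; s/ $//'
}

# Read "key = value" lines from stdin and print one report line per key.
# Returns 0 only if every key exists and matches its wanted value.
audit_sysctl() {
    rc=0
    while IFS= read -r line; do
        line=${line%%#*}                       # drop comments
        case $line in *=*) ;; *) continue ;; esac
        key=$(norm "${line%%=*}")
        want=$(norm "${line#*=}")
        [ -n "$key" ] || continue
        path=$(key_to_path "$key")
        if [ ! -r "$path" ]; then
            printf 'MISSING %s %s\n' "$key" "$want"
            rc=1
            continue
        fi
        cur=$(norm "$(cat "$path")")
        if [ "$cur" = "$want" ]; then
            printf 'OK %s %s\n' "$key" "$want"
        else
            printf 'DIFF %s %s %s\n' "$key" "$want" "$cur"
            rc=1
        fi
    done
    return "$rc"
}

# Audit the embedded sample; returns audit_sysctl's status.
audit_sample() {
    printf '%s\n' "$WANTED" | audit_sysctl
}

# Stand-alone use: sh audit_sysctl.sh /etc/sysctl.conf
# (exit status 1 on any DIFF or MISSING line). With no argument nothing is
# audited, so the file can be sourced and audit_sample called directly.
[ $# -eq 0 ] || audit_sysctl < "$1"
```

Run it after `sysctl -p` to confirm the file actually took effect; a DIFF on kernel.pid_max or fs.file-max usually means another file under /etc/sysctl.d/ or a later boot-time script overrode the value, while a MISSING line for a kernel.grsecurity.* key means the running kernel is not the grsecurity one the configuration assumes.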