author | Silvino Silva <silvino@bk.ru> | 2017-02-23 03:28:55 +0000 |
---|---|---|
committer | Silvino Silva <silvino@bk.ru> | 2017-02-23 03:29:38 +0000 |
commit | 193f4b8486ec0d6e7692629481a35312fc6a56c5 (patch) | |
tree | 5904ba6cf3661a881a85aa7ed1b45817fead7ab1 | |
parent | 4618fd2ed2d71e88bb8f95099992d57d9400bee8 (diff) | |
download | doc-193f4b8486ec0d6e7692629481a35312fc6a56c5.tar.gz |
-rw-r--r-- | core/index.html | 5 | ||||
-rw-r--r-- | core/linux.html | 87 | ||||
-rw-r--r-- | dev/index.html | 2 | ||||
-rw-r--r-- | index.html | 2 | ||||
-rw-r--r-- | tools/index.html | 8 |
5 files changed, 86 insertions, 18 deletions
diff --git a/core/index.html b/core/index.html index abff93d..6859376 100644 --- a/core/index.html +++ b/core/index.html @@ -75,7 +75,8 @@ <li><a href="linux.html#linuxlibre">2.1.1. Port Linux libre</a></li> <li><a href="linux.html#kinstall">2.1.2. Manual install</a></li> <li><a href="linux.html#kuninstall">2.1.3. Manual remove</a></li> - <li><a href="linux.html#sysctl">2.1.4. Sysctl</a></li> + <li><a href="linux.html#dracut">2.1.4. Dracut</a></li> + <li><a href="linux.html#sysctl">2.1.5. Sysctl</a></li> </ul> </li> @@ -122,7 +123,7 @@ <p> This is part of the c9-doc Manual. - Copyright (C) 2016 + Copyright (C) 2017 c9 team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> diff --git a/core/linux.html b/core/linux.html index 1f3b4ba..903d9e2 100644 --- a/core/linux.html +++ b/core/linux.html @@ -103,6 +103,47 @@ $ sudo rm /boot/System.map-4.9.11-gnu </pre> + <h2 id="dracut">2.1.4. Dracut</h2> + + <p>Install dracut;</p> + + <pre> + # cd /usr/ports/c9-ports/dracut + # pkgmk -d + # pkgadd /usr/ports/packages/dracut#044-2.pkg.tar.gz + </pre> + + <p>Review configuration file;</p> + + <pre> + # PUT YOUR CONFIG IN separate files + # in /etc/dracut.conf.d named "<name>.conf" + + # Equivalent to -H + hostonly="yes" + + # Mount / and /usr read-only by default. + ro_mnt="no" + + # Equivalent to -m "module module module" + dracutmodules+="dash kernel-modules rootfs-block udev-rules usrmount base fs-lib shutdown" + + # Equivalent to -a "module" + add_dracutmodules+="caps debug" + + # Equivalent to -o "module" + #omit_dracutmodules+="systemd systemd-bootchart systemd-networkd systemd-initrd" + + # SEE man dracut.conf(5) for options + </pre> + + <p>Run dracut to create init ram filesystem for + port linux-blob kernel;</p> + + <pre> + # dracut -v /boot/initramfs-4.9.11-blob.img 4.9.11-blob + </pre> + <h2 id="sysctl">2.1.4. Sysctl</h2> <p>Sysctl references 
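Review bot: The new dracut sample in core/linux.html contains a literal `<name>` in `# in /etc/dracut.conf.d named "<name>.conf"`; inside a `<pre>` the browser parses `<name>` as an unknown start tag, so the placeholder vanishes from the rendered page and readers see `named ".conf"`. It should be written `# in /etc/dracut.conf.d named "&lt;name&gt;.conf"`. The same hunk adds `<h2 id="dracut">2.1.4. Dracut</h2>` while the following heading, visible as trailing context, still reads `<h2 id="sysctl">2.1.4. Sysctl</h2>`, leaving two sections numbered 2.1.4 even though the table of contents in core/index.html in this commit already renumbers Sysctl to 2.1.5; the heading should become `<h2 id="sysctl">2.1.5. Sysctl</h2>`. The Sysctl paragraph that the hunk ends on continues outside it.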
@@ -121,9 +162,14 @@ # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5) # - kernel.printk = 15 1 1 4 - kernel.randomize_va_space = 1 + kernel.printk = 7 1 1 4 + kernel.randomize_va_space = 2 + kernel.kptr_restrict = 2 + # Shared Memory kernel.shmmax = 500000000 + # Total allocated file handlers that can be allocated + # fs.file-nr= + vm.mmap_min_addr=65536 # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 kernel.pid_max = 65536 @@ -536,7 +582,7 @@ #net.ipv6.conf.default.dad_transmits = 0 #net.ipv6.conf.default.max_addresses = 0 - # Avoid a smurf attack + # Avoid a smurf attack, ping scanning net.ipv4.icmp_echo_ignore_broadcasts = 1 # Turn on protection for bad icmp error messages @@ -565,10 +611,6 @@ ## ignore echo broadcast requests to prevent being part of smurf attacks (default) net.ipv4.icmp_echo_ignore_broadcasts = 1 - # No source routed packets here - net.ipv4.conf.all.accept_source_route = 0 - net.ipv4.conf.default.accept_source_route = 0 - ## sets the kernels reverse path filtering mechanism to value 1(on) ## will do source validation of the packet's recieved from all the interfaces on the machine ## protects from attackers that are using ip spoofing methods to do harm 
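Review bot: `# fs.file-nr=` is offered as a value to fill in, but fs.file-nr is a read-only statistic (allocated, free and maximum handles); the tunable that bounds how many file handles the kernel will allocate is `fs.file-max`, so the placeholder should read `# fs.file-max =` with the comment `# Maximum number of file handles the kernel will allocate` replacing `# Total allocated file handlers that can be allocated`. The new `vm.mmap_min_addr=65536` also drops the spaces around `=` that every other line in the block uses; `vm.mmap_min_addr = 65536` keeps the listing consistent. The `<pre>` block containing this hunk starts and ends outside it.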
@@ -577,16 +619,23 @@ #net.ipv6.conf.default.rp_filter = 1 #net.ipv6.conf.all.rp_filter = 1 + # Make sure no one can alter the routing tables + # Act as a router, necessary for Access Point net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 + # No source routed packets here + # Discard packets with source routes, ip spoofing + net.ipv4.conf.all.accept_source_route = 0 + net.ipv4.conf.default.accept_source_route = 0 - # Act as a router, necessary for Access Point - net.ipv4.ip_forward = 1 - net.ipv4.conf.all.send_redirects = 1 - net.ipv4.conf.default.send_redirects = 1 + + net.ipv4.conf.all.send_redirects = 0 + net.ipv4.conf.default.send_redirects = 0 + + net.ipv4.ip_forward = 0 # Increase system IP port limits net.ipv4.ip_local_port_range = 2000 65000 @@ -595,6 +644,20 @@ net.ipv4.tcp_rmem = 4096 87380 8388608 net.ipv4.tcp_wmem = 4096 87380 8388608 + # Disable proxy_arp + net.ipv4.conf.default.proxy_arp = 0 + net.ipv4.conf.all.proxy_arp = 0 + + # Disable bootp_relay + net.ipv4.conf.default.bootp_relay = 0 + net.ipv4.conf.all.bootp_relay = 0 + + # Decrease TCP fin timeout + net.ipv4.tcp_fin_timeout = 30 + # Decrease TCP keep alive time + net.ipv4.tcp_keepalive_time = 1800 + # Sen SynAck retries to 3 + net.ipv4.tcp_synack_retries = 3 # If you say Y here, neither TCP resets nor ICMP # destination-unreachable packets will be sent in response to packets @@ -688,8 +751,6 @@ # #kernel.grsecurity.grsec_lock = 1 - - # End of file </pre> diff --git a/dev/index.html b/dev/index.html index befe5d6..cb238d7 100644 --- a/dev/index.html +++ b/dev/index.html @@ -119,7 +119,7 @@ <a href="../index.html">Documentation Index</a> <p> This is part of the c9-doc Manual. - Copyright (C) 2016 + Copyright (C) 2017 c9 team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> 
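Review bot: The comment `# Act as a router, necessary for Access Point` was carried over from the removed `ip_forward = 1` block and now sits above `net.ipv4.conf.all.accept_redirects = 0`, where it states the opposite of what the lines below it do; the same hunk sets `net.ipv4.ip_forward = 0` and switches `send_redirects` off. That line should be dropped so only `# Make sure no one can alter the routing tables` remains above the redirect settings. Since the listing is a reference configuration, the information the old comment carried is better kept next to the new value, e.g. `# Set to 1 only on hosts that must route traffic (e.g. an access point)` above `net.ipv4.ip_forward = 0`. The `<pre>` block enclosing this hunk starts and ends outside it.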
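Review bot: The comment `# Sen SynAck retries to 3` added in the `@@ -595,6 +644,20 @@` hunk has a typo and should read `# Set SYN-ACK retries to 3`. Because `tcp_synack_retries` controls how many times the kernel retransmits the SYN-ACK for a half-open connection, a reader of the listing benefits from knowing this lowers the kernel default of 5, e.g. `# Retransmit SYN-ACK at most 3 times (default 5) to shed half-open connections faster`. The surrounding `<pre>` block starts and ends outside the hunk.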
diff --git a/index.html b/index.html index 96dd4cd..bde784f 100644 --- a/index.html +++ b/index.html @@ -18,7 +18,7 @@ <h2>Ports</h2> - <p>Httup file + <p>Httup file <a href="core/conf/ports/c9-ports.httpup">c9-ports.httpup</a> of c9-ports <a href="https://s1lvino.github.io/c9-ports/">c9-ports</a> </p> diff --git a/tools/index.html b/tools/index.html index 71fc2e4..da1cd40 100644 --- a/tools/index.html +++ b/tools/index.html @@ -68,6 +68,12 @@ <h2>System Administration</h2> <ul> + <li><a href="hardening.html">Hardening</a> + <ul> + <li><a href="grsecurity.html">Grsecurity</a></li> + <li><a href="samhain.html">Samhain</a></li> + </ul> + </li> <li><a href="network.html">Network Tools</a> <ul> <li><a href="dnsmasq.html">Dnscrypt and Dnsmasq</a></li> @@ -169,7 +175,7 @@ <p> This is part of the c9-doc Manual. - Copyright (C) 2016 + Copyright (C) 2017 c9 team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> |
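Review bot: The new Hardening entry in tools/index.html links to `hardening.html`, `grsecurity.html` and `samhain.html`, but the diffstat lists only five changed files and none of them is one of these pages, so unless they already exist in the tree the links will be dead as soon as this navigation page is published. If the pages are still to be written, the list item should land in the same commit as them, or the entries could stay as plain text until then. The enclosing `<ul>` of the System Administration section closes outside the hunk.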