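# /etc/sysctl.d/99-security.conf
# Kernel hardening baseline, read by sysctl --system / systemd-sysctl at boot.
# sysctl.d files are processed in lexical order and the last assignment of a
# key wins, so the "99-" prefix makes these values override vendor defaults
# shipped under /usr/lib/sysctl.d (for example a systemd-coredump core_pattern).
# A key the running kernel does not expose (kernel.yama.ptrace_scope without
# the Yama LSM, kernel.unprivileged_bpf_disabled on old kernels) is reported
# as an error by sysctl but does not stop the remaining keys from being set.
# Apply with "sysctl --system" and confirm with "sysctl <key>".

# === Network layer ===
# Disable IP forwarding (this host is not a router). Writing the "all" key
# also pushes the value to every existing interface.
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Reverse-path filtering against source-address spoofing.
# 1 = strict: a packet is dropped if the reply would leave via a different
# interface, which breaks multi-homed hosts with asymmetric routing; use 2
# (loose) on such hosts instead.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Do not honour source-routed packets (the sender chooses the path).
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore ICMP echo requests to broadcast addresses (Smurf amplification).
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Drop malformed ICMP error responses silently instead of logging each one.
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects (an on-path host could rewrite our routes).
# For IPv4 the effective setting combines conf/all with the per-interface
# value, so "default" is set too to cover interfaces created after this file
# is applied. secure_redirects (redirects from known gateways) is disabled
# for the same reason.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Do not send ICMP redirects. IPv4 sends them if EITHER conf/all or the
# per-interface value is enabled, so "all = 0" alone is not sufficient.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Log "martian" packets (source addresses that cannot be routed). Logging is
# enabled if either conf/all or the per-interface value is set, so conf/all
# suffices here.
net.ipv4.conf.all.log_martians = 1
# SYN cookies: keep accepting connections while the SYN backlog is flooded.
net.ipv4.tcp_syncookies = 1

# === Kernel ===
# dmesg readable only by processes holding CAP_SYSLOG.
kernel.dmesg_restrict = 1
# 2 = print kernel pointers (%pK) as zeros for everyone, including root.
kernel.kptr_restrict = 2
# 2 = full ASLR: randomise stack, mmap base, VDSO and brk.
kernel.randomize_va_space = 2
# 2 = unprivileged users get no kernel profiling and no raw tracepoints.
kernel.perf_event_paranoid = 2
# Disable the bpf() syscall for unprivileged users. 1 is permanent until
# reboot; 2 would let root re-enable it later.
kernel.unprivileged_bpf_disabled = 1
# Core dumps: never dump processes that changed privilege (setuid etc.), and
# discard every other core by piping it to /bin/false. This replaces any
# core_pattern installed by systemd-coredump; drop the core_pattern line if
# crash dumps are needed for debugging.
fs.suid_dumpable = 0
kernel.core_pattern = |/bin/false
# Restrict following symlinks / creating hardlinks, and opening FIFOs or
# regular files, in world-writable sticky directories such as /tmp.
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
fs.protected_fifos = 2
fs.protected_regular = 2
# Yama ptrace restriction. 1 = a process may only attach to its own
# descendants unless it holds CAP_SYS_PTRACE (same-uid-only is scope 0, the
# unrestricted default). Requires the Yama LSM to be enabled.
kernel.yama.ptrace_scope = 1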