Lock dat sh*t down — Linux box tweak
Let's optimize and secure our Ubuntu or *nix box.
There are some very important settings in /etc/sysctl.conf:
#Disable ICMP echo (ping) replies for IPv4:
sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1
#Disable ICMP echo (ping) replies for IPv6:
sudo sysctl -w net.ipv6.icmp.echo_ignore_all=1
#Enable IP forwarding for IPv4:
sudo sysctl -w net.ipv4.ip_forward=1
#Enable IP forwarding for IPv6:
sudo sysctl -w net.ipv6.conf.all.forwarding=1
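The commands above change the running kernel only; the setting that survives a reboot is the file. The script below is an added example, not code from the original post: it writes the same four keys into a drop-in under /etc/sysctl.d (the file name 60-hardening.conf and the helper names are this example's own choices), loads them with `sysctl --system`, and audits a kernel against that policy by parsing the `key = value` lines that `sysctl` prints. One caveat worth a comment in the policy: `net.ipv4.ip_forward=1` turns the box into a router, so keep the post's value only on a host that actually forwards for other machines and use 0 everywhere else.

```shell
#!/bin/sh
# Added example (not from the original post): persist the post's sysctl keys
# in a drop-in under /etc/sysctl.d and audit a running kernel against them.
# The drop-in file name and the helper names are this example's own choices.

# Desired settings, one key=value per line. net.ipv4.ip_forward keeps the
# post's value of 1; on a host that does not route for other machines the
# hardening value is 0, so change both forwarding keys there.
desired_sysctls() {
    cat <<'EOF'
net.ipv4.icmp_echo_ignore_all=1
net.ipv6.icmp.echo_ignore_all=1
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
EOF
}

# Render the drop-in in sysctl.conf syntax ("key = value", "#" comments).
render_sysctl_dropin() {
    echo '# hardening settings managed by this script (added example)'
    desired_sysctls | while IFS='=' read -r key value; do
        printf '%s = %s\n' "$key" "$value"
    done
}

# Write the drop-in and load every sysctl file (needs root). "sysctl -w" on
# its own only changes the running kernel; the file is what survives a reboot.
install_sysctl_dropin() {
    render_sysctl_dropin > /etc/sysctl.d/60-hardening.conf
    sysctl --system
}

# Audit: read "key = value" lines (the format printed by sysctl) on stdin,
# compare them with desired_sysctls, print one line per DRIFT or MISSING key
# and return the number of problems (0 means the kernel matches the policy).
audit_sysctls() {
    { desired_sysctls; echo '---'; cat; } | awk -F'[ \t=]+' '
        BEGIN { bad = 0; reading_policy = 1 }
        $0 == "---"     { reading_policy = 0; next }
        reading_policy  { want[$1] = $2; next }
        /^[ \t]*(#|$)/  { next }
        ($1 in want) {
            seen[$1] = 1
            if ($2 != want[$1]) {
                printf "DRIFT %s is %s, want %s\n", $1, $2, want[$1]
                bad++
            }
        }
        END {
            for (k in want)
                if (!(k in seen)) { printf "MISSING %s not reported\n", k; bad++ }
            exit bad
        }'
}

# Audit the live kernel: ask sysctl for exactly the keys in the policy.
# Example: audit_live_sysctls || echo "kernel drifted from policy"
audit_live_sysctls() {
    desired_sysctls | cut -d= -f1 | xargs sysctl 2>/dev/null | audit_sysctls
}
```

`audit_live_sysctls` is the piece to run from cron or a config-management check: it returns the number of keys that are missing or differ, so a non-zero exit is the alert condition.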
Now edit /etc/fstab. Let's restrict what a user can see about other users' PIDs.
This is an incredibly important and easy update to /etc/fstab: it makes it so users can't see each other's processes.
# Add this line to the end of /etc/fstab
proc /proc proc defaults,hidepid=2 0 0
Note: This is the most restrictive setting for hidepid, enhancing privacy and security on multi-user systems. Remember to remount the proc filesystem or reboot the system for the changes to take effect.
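The remount the note refers to is `mount -o remount,hidepid=2 /proc`, and it is worth verifying afterwards that the kernel actually enforces it rather than trusting the edit. The script below is an added example, not from the original post: one parser reads the hidepid option from a mount-table line (the layout of /proc/mounts and /etc/fstab is the same, so it serves both), and the checks built on it report what is live now and what the fstab line will give after the next boot. Function names are this example's own. Newer kernels also accept the named forms off/noaccess/invisible (and ptraceable) and may report those in /proc/mounts, so the parser maps them back to numbers. If a monitoring agent or a service like polkit needs to see other users' processes under hidepid=2, the proc option `gid=<group>` exempts one group rather than forcing a return to hidepid=0.

```shell
#!/bin/sh
# Added example (not from the original post): read the hidepid level that is
# in force for /proc, check an fstab file for the post's entry, and apply the
# setting to a running system without a reboot. Function names are this
# example's own.

# Print the hidepid level from one mount-table line for /proc.
# Lines in /proc/mounts and /etc/fstab share the layout
#   <source> <mountpoint> <type> <options> <dump> <pass>
# so the same parser serves both. Newer kernels also accept and report the
# named forms off/noaccess/invisible/ptraceable, mapped here to 0/1/2/4.
# A line that is not for /proc, or has no hidepid option, yields 0, the
# kernel default.
hidepid_level() {
    printf '%s\n' "$1" | awk '
        $2 == "/proc" {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^hidepid=/) {
                    v = substr(opts[i], 9)
                    if (v == "off") v = 0
                    else if (v == "noaccess") v = 1
                    else if (v == "invisible") v = 2
                    else if (v == "ptraceable") v = 4
                    print v; found = 1; exit
                }
            }
        }
        END { if (!found) print 0 }'
}

# Read a whole mount table or fstab on stdin and report the level of the last
# uncommented /proc entry (a later line overrides an earlier one).
table_hidepid_level() {
    hidepid_level "$(awk '!/^[ \t]*#/ && $2 == "/proc" { l = $0 } END { print l }')"
}

# Level currently enforced by the kernel on this machine.
live_hidepid_level() {
    table_hidepid_level < /proc/mounts
}

# Level that the fstab entry will give after the next reboot or remount.
configured_hidepid_level() {
    table_hidepid_level < /etc/fstab
}

# Apply hidepid=2 now (root). The fstab line from the post makes it
# persistent; this remount is the "remember to remount" step.
remount_proc_hidepid() {
    mount -o remount,hidepid=2 /proc
}

# 0 when both the live mount and the fstab entry are at level 2, else 1.
# Example: proc_is_hardened || echo "/proc is not hidepid=2"
proc_is_hardened() {
    [ "$(live_hidepid_level)" = 2 ] && [ "$(configured_hidepid_level)" = 2 ]
}
```

Running `proc_is_hardened` as a post-change check catches the two common failures: the fstab line was added but never remounted (live level still 0), or the remount was done by hand and never written to fstab (lost on the next boot).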
/etc/security/limits.conf — Fork Bomb
Now after the change I have:
# End of file
* hard nproc 1000
- A reboot is necessary
It can be a pain in the a$$ to prevent fork bombs, and your OS may vary. But this limits.conf entry will work.
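Two things make the `* hard nproc 1000` line easy to get wrong: pam_limits only applies limits.conf at login (so a shell that was already open keeps its old limit, which is why the post's reboot helped), and a `*` or `@group` line is never applied to root, so a root cap needs a line that names root explicitly. The script below is an added example, not from the original post: it works out which nproc limit pam_limits would hand a given user from a limits.conf text, following the precedence pam_limits documents (a line naming the user overrides an @group line, which overrides `*`; among equals the last line wins; type `-` sets soft and hard together), and compares that with what the current shell really got from `ulimit -u`. Function names and the group list argument are this example's own. On systemd hosts the user slice's TasksMax is a second, independent cap on the same thing.

```shell
#!/bin/sh
# Added example (not from the original post): compute the nproc limit that
# pam_limits would hand a user from a limits.conf text, and compare it with
# the limit the current shell really has. Function names are this example's
# own; the caller supplies the user's group list because the script may be
# run for an account other than the current one.

# Usage: effective_nproc USER "GROUP GROUP ..." < limits.conf
# Prints "SOFT HARD" for the nproc item ("unset" where no line applies).
# Precedence as in pam_limits: a line naming the user overrides an @group
# line, which overrides the "*" default; among lines of equal precedence the
# last one wins. Type "-" sets soft and hard at once. pam_limits does not
# apply "*" or @group lines to root, so a root cap needs a line naming root.
effective_nproc() {
    awk -v user="$1" -v grp_list=" $2 " '
        function prio(domain) {
            if (domain == user) return 3
            if (user == "root") return 0
            if (substr(domain, 1, 1) == "@" && index(grp_list, " " substr(domain, 2) " ")) return 2
            if (domain == "*") return 1
            return 0
        }
        /^[ \t]*(#|$)/ { next }
        $3 == "nproc" {
            p = prio($1)
            if (p == 0) next
            if (($2 == "soft" || $2 == "-") && p >= psoft) { soft = $4; psoft = p }
            if (($2 == "hard" || $2 == "-") && p >= phard) { hard = $4; phard = p }
        }
        END {
            print (soft == "" ? "unset" : soft), (hard == "" ? "unset" : hard)
        }'
}

# Limits of this very shell. pam_limits applies limits.conf at login, so an
# edited file changes nothing for sessions that are already open; log in
# again (or reboot, as the post does) and then look here.
current_nproc_soft() { ulimit -S -u; }
current_nproc_hard() { ulimit -H -u; }

# 0 when the hard nproc limit of this shell is a number no larger than $1,
# 1 when it is "unlimited" or above the ceiling.
# Example: nproc_is_capped_at 1000 || echo "nproc not capped for this session"
nproc_is_capped_at() {
    lim=$(ulimit -H -u)
    case $lim in
        ''|*[!0-9]*) return 1 ;;   # "unlimited" or anything non-numeric
    esac
    [ "$lim" -le "$1" ]
}
```

Use `effective_nproc "$USER" "$(id -Gn)" < /etc/security/limits.conf` to see what the file promises, then `nproc_is_capped_at 1000` from a fresh login to confirm the session actually received it; a mismatch between the two usually means a stale session or a file under /etc/security/limits.d that overrides the main file.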
$ w
04:19:41 up 3 days, 1:50, 2 users, load average: 0.00, 0.00, 0.00
USER TTY LOGIN@ IDLE JCPU PCPU WHAT