Lock dat sh*t down — Linux box tweak

DJ SUBSTANCE
2 min readMar 18, 2024

--

Lets optimize and secure our Ubuntu or *nix box:

There are very important settings in /etc/sysctl.conf

#Disable ICMP echo (ping) replies for IPv4:
sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1

#Disable ICMP echo (ping) replies for IPv6:
sudo sysctl -w net.ipv6.icmp.echo_ignore_all=1

#Enable IP forwarding for IPv4:
sudo sysctl -w net.ipv4.ip_forward=1

#Enable IP forwarding for IPv6:
sudo sysctl -w net.ipv6.conf.all.forwarding=1

Now edit /etc/fstab — Lets restrict what a user can see about others PID’s

This is a incredibly important and easy update, to /etc/fstab to make it so users cant see eachother processess.

# Add this line to the end of /etc/fstab
proc /proc proc defaults,hidepid=2 0 0
This is what it should resemble once you made the change

Note: This is the most restrictive setting for hidepid, enhancing privacy and security on multi-user systems. Remember to remount the proc filesystem or reboot the system for the changes to take effect.

Security/limits.conf — Fork Bomb

Next file to examine is /etc/security/limits.conf

Now after the change I have:

# End of file
* hard nproc 1000

  • A reboot is necessary

It can be a pain in the a$$ to prevent fork bombs, your OS may vary. But the fstab entry will work.

$w
04:19:41 up 3 days, 1:50, 2 users, load average: 0.00, 0.00, 0.00
USER TTY LOGIN@ IDLE JCPU PCPU WHAT

--

--

DJ SUBSTANCE

twenty years professionally as a Network Engineer, more recently I have focused on red teaming mostly, but I am always up for learning and exchanging info