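#!/bin/sh
# Kernel hardening based on article http://www.securityfocus.com/infocus/1711
# 12 Feb 2004 by farking
#
# Applies IPv4 stack hardening values by writing to /proc/sys. Must run as
# root. Each knob is written independently: a missing or unwritable file is
# reported on stderr and counted, the remaining knobs are still applied, and
# the exit status is non-zero if anything could not be set.

set -u

# Number of /proc/sys writes that failed (drives the final exit status).
failures=0

#######################################
# Write one value into each given /proc/sys file.
# Globals:   failures (incremented once per failed write)
# Arguments: $1 - value to write, $2... - target files
# Outputs:   one warning per file on stderr when it cannot be written
# Returns:   0 if every file was written, 1 otherwise
#######################################
set_sysctl() {
  value=$1
  shift
  rc=0
  for file in "$@"; do
    # An unmatched glob reaches here as the literal pattern; the -f test
    # rejects it (and any absent interface) with a readable warning instead
    # of a bare "No such file or directory" from the redirection.
    if [ ! -f "$file" ]; then
      printf 'warning: %s not found, skipped\n' "$file" >&2
      failures=$((failures + 1))
      rc=1
      continue
    fi
    if ! printf '%s\n' "$value" > "$file"; then
      printf 'warning: could not write %s to %s\n' "$value" "$file" >&2
      failures=$((failures + 1))
      rc=1
    fi
  done
  return "$rc"
}

# Set every given /proc/sys file to 1 ("$@" keeps already-expanded paths intact).
enable() {
  set_sysctl 1 "$@"
}

# Set every given /proc/sys file to 0.
disable() {
  set_sysctl 0 "$@"
}

# /proc/sys is writable only by root; fail early with one clear message
# rather than emitting a warning per knob.
if [ "$(id -u)" -ne 0 ]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# ICMP echo: answer unicast requests, ignore broadcast ones (amplification abuse).
disable /proc/sys/net/ipv4/icmp_echo_ignore_all
enable /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Per-interface: reject source routing, enable reverse-path filtering,
# neither accept nor send ICMP redirects.
disable /proc/sys/net/ipv4/conf/*/accept_source_route
enable /proc/sys/net/ipv4/conf/*/rp_filter
disable /proc/sys/net/ipv4/conf/*/accept_redirects
disable /proc/sys/net/ipv4/conf/*/secure_redirects
disable /proc/sys/net/ipv4/conf/*/send_redirects

# NOTE(review): ip_forward=1 makes the kernel forward packets between
# interfaces (gateway behaviour). On a host that is not meant to route,
# this widens exposure and should be 0 -- confirm it is intended.
enable /proc/sys/net/ipv4/ip_forward

enable /proc/sys/net/ipv4/conf/*/log_martians
disable /proc/sys/net/ipv4/conf/*/proxy_arp
enable /proc/sys/net/ipv4/tcp_syncookies

# IP fragment reassembly memory limits and timeout; orphaned TCP socket cap.
set_sysctl 262144 /proc/sys/net/ipv4/ipfrag_high_thresh
set_sysctl 196608 /proc/sys/net/ipv4/ipfrag_low_thresh
set_sysctl 25 /proc/sys/net/ipv4/ipfrag_time
set_sysctl 16384 /proc/sys/net/ipv4/tcp_max_orphans

# ICMP rate limiting.
set_sysctl 99 /proc/sys/net/ipv4/icmp_ratelimit
set_sysctl 6167 /proc/sys/net/ipv4/icmp_ratemask

# ARP neighbour cache timing. The original listed default, lo and eth0-eth2
# by hand; the glob covers those plus any other interface present.
set_sysctl 105 /proc/sys/net/ipv4/neigh/*/locktime
set_sysctl 55 /proc/sys/net/ipv4/neigh/*/gc_stale_time

if [ "$failures" -ne 0 ]; then
  printf '%s: %d setting(s) could not be applied\n' "${0##*/}" "$failures" >&2
  exit 1
fi
exit 0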