├── CNAME ├── LICENSE ├── README.md ├── _config.yml ├── install.sh ├── sshd.conf └── sysctl.conf /CNAME: -------------------------------------------------------------------------------- 1 | condu.ro -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 conduro 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Conduro Ubuntu 20.04 2 | Linux is well-known for being one of the most secure operating systems available. But that doesn't mean you can count on it to be as secure as possible right out of the box. 
Conduro (_Hardening in Latin_) will automate this process to ensure your platform is secure. 3 | 4 | > ⚠ We recommend not running this script on servers with existing firewall configurations, because it resets the firewall rules. 5 | 6 | # Getting Started 7 | This script is designed to be executed on a freshly installed **Ubuntu Server 20.04** server. 8 | 9 | ```bash 10 | wget -O ./install.sh https://condu.ro/install.sh && chmod +x ./install.sh && sudo ./install.sh 11 | ``` 12 | ![](https://i.imgur.com/PXK7Ctk.gif) 13 | 14 | # What does it do? 15 | The purpose of Conduro is to optimize and secure your system to run web applications. It does this by disabling unnecessary services, bootstrapping your firewall, securing your system settings, and making other changes. Continue reading if you want to know exactly what's being executed. 16 | 17 | #### update dependencies 18 | ```bash 19 | apt-get install wget sed git -y 20 | ``` 21 | 22 | #### update system 23 | Keeping the system updated is vital before starting anything on your system. This prevents attackers from using known vulnerabilities to get into your system. 
24 | ```bash 25 | apt-get update -y && apt-get full-upgrade -y 26 | ``` 27 | 28 | #### update golang **optional** 29 | ```bash 30 | rm -rf /usr/local/go 31 | wget -q -c https://dl.google.com/go/$(curl -s https://golang.org/VERSION?m=text).linux-amd64.tar.gz -O go.tar.gz 32 | tar -C /usr/local -xzf go.tar.gz 33 | echo "export GOROOT=/usr/local/go" >> /etc/profile 34 | echo "export PATH=/usr/local/go/bin:$PATH" >> /etc/profile 35 | source /etc/profile 36 | rm go.tar.gz 37 | ``` 38 | 39 | #### update nameservers 40 | We change the default nameservers to cloudflare because https://www.dnsperf.com/#!dns-resolvers 41 | ```bash 42 | truncate -s0 /etc/resolv.conf 43 | echo "nameserver 1.1.1.1" | sudo tee -a /etc/resolv.conf 44 | echo "nameserver 1.0.0.1" | sudo tee -a /etc/resolv.conf 45 | ``` 46 | #### update ntp servers 47 | ```bash 48 | truncate -s0 /etc/systemd/timesyncd.conf 49 | echo "[Time]" | sudo tee -a /etc/systemd/timesyncd.conf 50 | echo "NTP=time.cloudflare.com" | sudo tee -a /etc/systemd/timesyncd.conf 51 | echo "FallbackNTP=ntp.ubuntu.com" | sudo tee -a /etc/systemd/timesyncd.conf 52 | ``` 53 | 54 | #### update sysctl.conf 55 | ```bash 56 | wget -q -c https://raw.githubusercontent.com/conduro/ubuntu/main/sysctl.conf -O /etc/sysctl.conf 57 | ``` 58 | ```conf 59 | # IP Spoofing protection 60 | net.ipv4.conf.all.rp_filter = 1 61 | net.ipv4.conf.default.rp_filter = 1 62 | 63 | # Ignore ICMP broadcast requests 64 | net.ipv4.icmp_echo_ignore_broadcasts = 1 65 | 66 | # Disable source packet routing 67 | net.ipv4.conf.all.accept_source_route = 0 68 | net.ipv6.conf.all.accept_source_route = 0 69 | net.ipv4.conf.default.accept_source_route = 0 70 | net.ipv6.conf.default.accept_source_route = 0 71 | 72 | # Ignore send redirects 73 | net.ipv4.conf.all.send_redirects = 0 74 | net.ipv4.conf.default.send_redirects = 0 75 | 76 | # Block SYN attacks 77 | net.ipv4.tcp_syncookies = 1 78 | net.ipv4.tcp_max_syn_backlog = 2048 79 | net.ipv4.tcp_synack_retries = 2 80 | 
net.ipv4.tcp_syn_retries = 5 81 | 82 | # Log Martians 83 | net.ipv4.conf.all.log_martians = 1 84 | net.ipv4.icmp_ignore_bogus_error_responses = 1 85 | 86 | # Ignore ICMP redirects 87 | net.ipv4.conf.all.accept_redirects = 0 88 | net.ipv6.conf.all.accept_redirects = 0 89 | net.ipv4.conf.default.accept_redirects = 0 90 | net.ipv6.conf.default.accept_redirects = 0 91 | 92 | # Ignore Directed pings 93 | net.ipv4.icmp_echo_ignore_all = 1 94 | 95 | # Disable IPv6 96 | net.ipv6.conf.all.disable_ipv6 = 1 97 | net.ipv6.conf.default.disable_ipv6 = 1 98 | net.ipv6.conf.lo.disable_ipv6 = 1 99 | 100 | # Hide kernel pointers 101 | kernel.kptr_restrict = 2 102 | 103 | # Enable panic on OOM 104 | vm.panic_on_oom = 1 105 | 106 | # Reboot kernel ten seconds after OOM 107 | kernel.panic = 10 108 | ``` 109 | 110 | #### update sshd_config 111 | ```bash 112 | wget -q -c https://raw.githubusercontent.com/conduro/ubuntu/main/sshd.conf -O /etc/ssh/sshd_config 113 | ``` 114 | ```conf 115 | # To disable tunneled clear text passwords, change to no here! 
116 | PasswordAuthentication yes 117 | 118 | # Depending on your 2FA option, you may need to enable some of these options, but they should be disabled by default. Note: sshd keeps the first value it reads for each keyword, so the PasswordAuthentication yes above stays in effect and the PasswordAuthentication no below is ignored; remove the earlier line if password logins are meant to be off. 119 | ChallengeResponseAuthentication no 120 | PasswordAuthentication no 121 | 122 | # Allow client to pass locale environment variables 123 | AcceptEnv LANG LC_* 124 | 125 | # Disable connection multiplexing which can be used to bypass authentication 126 | MaxSessions 1 127 | 128 | # Block client 10 minutes after 3 failed login attempts (note: as written, MaxAuthTries 3 limits authentication attempts per connection and LoginGraceTime 10 gives a client 10 seconds to log in; neither setting blocks a client for 10 minutes) 129 | MaxAuthTries 3 130 | LoginGraceTime 10 131 | 132 | # Do not allow empty passwords 133 | PermitEmptyPasswords no 134 | 135 | # Enable PAM authentication 136 | UsePAM yes 137 | 138 | # Disable Kerberos based authentication 139 | KerberosAuthentication no 140 | KerberosGetAFSToken no 141 | KerberosOrLocalPasswd no 142 | KerberosTicketCleanup yes 143 | GSSAPIAuthentication no 144 | GSSAPICleanupCredentials yes 145 | 146 | # Disable user environment forwarding 147 | X11Forwarding no 148 | AllowTcpForwarding no 149 | AllowAgentForwarding no 150 | PermitUserRC no 151 | PermitUserEnvironment no 152 | 153 | # We want to log all activity (note: the installer also stops and masks systemd-journald and rsyslog, so these messages are likely not recorded anywhere) 154 | LogLevel INFO 155 | SyslogFacility AUTHPRIV 156 | 157 | # What messages do you want to present your users when they log in? 
158 | Banner none 159 | PrintMotd no 160 | PrintLastLog yes 161 | 162 | # override default of no subsystems 163 | Subsystem sftp /usr/lib/openssh/sftp-server 164 | ``` 165 | 166 | 167 | #### disable system logging 168 | ```bash 169 | systemctl stop systemd-journald.service 170 | systemctl disable systemd-journald.service 171 | systemctl mask systemd-journald.service 172 | 173 | systemctl stop rsyslog.service 174 | systemctl disable rsyslog.service 175 | systemctl mask rsyslog.service 176 | ``` 177 | 178 | 179 | #### configure firewall 180 | ```bash 181 | ufw disable 182 | echo "y" | sudo ufw reset 183 | ufw logging off 184 | ufw default deny incoming 185 | ufw default allow outgoing 186 | ufw allow 80/tcp 187 | ufw allow 443/tcp 188 | 189 | # optional prompt to change ssh port 190 | ufw allow ${prompt}/tcp 191 | sed -i "/Port /Id" /etc/ssh/sshd_config 192 | echo "Port ${prompt}" | sudo tee -a /etc/ssh/sshd_config 193 | # defaults to port 22 194 | ufw allow 22/tcp 195 | 196 | sed -i "/ipv6=/Id" /etc/default/ufw 197 | echo "IPV6=no" | sudo tee -a /etc/default/ufw 198 | 199 | sed -i "/GRUB_CMDLINE_LINUX_DEFAULT=/Id" /etc/default/grub 200 | echo "GRUB_CMDLINE_LINUX_DEFAULT=\"ipv6.disable=1 quiet splash\"" | sudo tee -a /etc/default/grub 201 | ``` 202 | 203 | #### free disk space 204 | ```bash 205 | find /var/log -type f -delete 206 | rm -rf /usr/share/man/* 207 | apt-get autoremove -y 208 | apt-get autoclean -y 209 | ``` 210 | 211 | #### reload system 212 | ```bash 213 | sysctl -p 214 | update-grub2 215 | systemctl restart systemd-timesyncd 216 | ufw --force enable 217 | service ssh restart 218 | ``` 219 | -------------------------------------------------------------------------------- /_config.yml: -------------------------------------------------------------------------------- 1 | theme: jekyll-theme-hacker -------------------------------------------------------------------------------- /install.sh: 
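--------------------------------------------------------------------------------
#!/bin/bash
#
# Conduro installer: hardens a freshly installed Ubuntu Server 20.04 host.
#
# Usage: sudo ./install.sh
#   Must run as root. Prompts interactively for: installing Go, the SSH port
#   to open in the firewall, and whether to reboot at the end.
#
# Review notes for operators:
#   - The Go tarball, sysctl.conf and sshd.conf are fetched over HTTPS but are
#     not checked against a pinned checksum or commit; the two config files
#     come from the mutable "main" branch.
#   - The script stops and masks systemd-journald and rsyslog, turns ufw
#     logging off and deletes everything under /var/log. After it has run the
#     host keeps no local audit trail, which removes the data that detection
#     and incident response depend on.

# echo -n "Is this a good question (y/n)? "
# read answer
# printf "${answer}"


# color codes
RESTORE='\033[0m'
BLACK='\033[00;30m'
RED='\033[00;31m'
GREEN='\033[00;32m'
YELLOW='\033[00;33m'
BLUE='\033[00;34m'
PURPLE='\033[00;35m'
CYAN='\033[00;36m'
LIGHTGRAY='\033[00;37m'
LBLACK='\033[01;30m'
LRED='\033[01;31m'
LGREEN='\033[01;32m'
LYELLOW='\033[01;33m'
LBLUE='\033[01;34m'
LPURPLE='\033[01;35m'
LCYAN='\033[01;36m'
WHITE='\033[01;37m'
OVERWRITE='\e[1A\e[K'

# Private scratch directory for the command log and downloads. A fixed file
# name in the current directory (the previous conduro.log / go.tar.gz) could
# be pre-created, e.g. as a symlink, by another user when the script is
# started from a shared directory, and root would then write through it.
WORK_DIR=$(mktemp -d) || { printf 'cannot create temporary directory\n' >&2; exit 1; }
CONDURO_LOG="${WORK_DIR}/conduro.log"
trap 'rm -rf -- "${WORK_DIR:?}"' EXIT

# _task marks the previous task (if any) as completed and prints the title of
# the new one.
# Globals:   TASK (read and written)
# Arguments: $1 - title of the task that starts now
function _task {
    # if _task is called while a task was set, complete the previous
    if [[ -n "${TASK:-}" ]]; then
        printf "${OVERWRITE}${LGREEN} [✓] ${LGREEN}%s\n" "${TASK}"
    fi
    # set new task title and print; the title is passed as data, not as part
    # of the printf format
    TASK=$1
    printf "${LBLACK} [ ] %s \n${LRED}" "${TASK}"
}

# _fail aborts the installation with a message, formatted like a failed _cmd.
# Globals:   TASK (read)
# Arguments: $1 - message to show
function _fail {
    printf "${OVERWRITE}${LRED} [X] %s${LRED}\n" "${TASK}"
    printf '      %s\n\n' "$1"
    exit 1
}

# _cmd runs one command line with error checking: stdout is hidden, and on
# failure the captured stderr is printed and the installation stops.
# The argument is passed to eval in the current shell, so it must be a fixed
# string; any variable it expands has to be validated before the call.
# Globals:   TASK, CONDURO_LOG (read)
# Arguments: $1 - command line to evaluate
# Returns:   0 on success; exits the script with status 1 on failure
function _cmd {
    local line
    # empty the log
    : > "${CONDURO_LOG}"
    # hide stdout, on error we print and exit
    if eval "$1" 1> /dev/null 2> "${CONDURO_LOG}"; then
        return 0 # success
    fi
    # read error from log and add spacing; -r keeps backslashes intact and
    # %s keeps command output out of the printf format string
    printf "${OVERWRITE}${LRED} [X] %s${LRED}\n" "${TASK}"
    while IFS= read -r line || [[ -n "${line}" ]]; do
        printf '      %s\n' "${line}"
    done < "${CONDURO_LOG}"
    printf "\n"
    # exit installation (the EXIT trap removes the scratch directory)
    exit 1
}

clear

# print logo + information
printf "${YELLOW}
▄▄· ▐ ▄ ·▄▄▄▄ ▄• ▄▌▄▄▄
▐█ ▌▪▪ •█▌▐███▪ ██ █▪██▌▀▄ █·▪
██ ▄▄ ▄█▀▄ ▐█▐▐▌▐█· ▐█▌█▌▐█▌▐▀▀▄ ▄█▀▄
▐███▌▐█▌.▐▌██▐█▌██. ██ ▐█▄█▌▐█•█▌▐█▌.▐▌
·▀▀▀ ▀█▄▀▪▀▀ █▪▀▀▀▀▀• ▀▀▀ .▀ ▀ ▀█▄▀▪
${LBLACK}Hardening ${YELLOW}Ubuntu 20.04 ${LBLACK}https://condu.ro

"

# script must be run as root
if [[ $(id -u) -ne 0 ]]; then
    printf "\n${LRED} Please run as root${RESTORE}\n\n"
    exit 1
fi

# dependencies; refresh the package lists first so the install does not fail
# on a fresh image whose lists are empty or stale
_task "update dependencies"
_cmd 'apt-get update -y && apt-get install wget sed git -y'

# bring every installed package up to date
_task "update system"
_cmd 'apt-get update -y && apt-get full-upgrade -y'

# finish last task
printf "${OVERWRITE}${LGREEN} [✓] ${LGREEN}%s\n" "${TASK}"

# optional Go toolchain
printf " ${YELLOW}Do you want to install Go? [Y/n]: ${RESTORE}"
if read -r prompt; then
    printf "${OVERWRITE}"
    if [[ ${prompt} == "y" || ${prompt} == "Y" ]]; then
        _task "update golang"
        # Ask for the current version with wget (curl is not among the
        # installed dependencies) and keep only the first line, because the
        # endpoint may return more than the bare version string.
        _cmd 'GO_VERSION=$(wget --timeout=5 --tries=2 --quiet -O- "https://golang.org/VERSION?m=text" | head -n1)'
        go_version_re='^go[0-9]+(\.[0-9]+)*$'
        # the value is spliced into a URL that _cmd evals, so check its shape
        if [[ ! ${GO_VERSION} =~ ${go_version_re} ]]; then
            _fail "unexpected Go version string"
        fi
        # NOTE(review): the tarball is not verified against a published
        # checksum before it is unpacked as root.
        _cmd 'wget --timeout=5 --tries=2 --quiet "https://dl.google.com/go/${GO_VERSION}.linux-amd64.tar.gz" -O "${WORK_DIR}/go.tar.gz"'
        # remove the old toolchain only after the download has succeeded
        _cmd 'rm -rf /usr/local/go'
        _cmd 'tar -C /usr/local -xzf "${WORK_DIR}/go.tar.gz"'
        _cmd 'echo "export GOROOT=/usr/local/go" >> /etc/profile'
        # \$PATH keeps the variable literal in /etc/profile instead of
        # freezing the PATH of the shell that runs the installer
        _cmd 'echo "export PATH=/usr/local/go/bin:\$PATH" >> /etc/profile'
        _cmd 'source /etc/profile'
    fi
fi

# resolvers
# NOTE(review): on Ubuntu 20.04 /etc/resolv.conf is usually a symlink managed
# by systemd-resolved, so this content may be replaced later - confirm.
_task "update nameservers"
_cmd 'printf "nameserver 1.1.1.1\nnameserver 1.0.0.1\n" > /etc/resolv.conf'

# time synchronisation
_task "update ntp servers"
_cmd 'printf "[Time]\nNTP=time.cloudflare.com\nFallbackNTP=ntp.ubuntu.com\n" > /etc/systemd/timesyncd.conf'

# Kernel parameters. The file is downloaded into the scratch directory and
# installed only when it arrived non-empty: writing straight to the target
# would leave a truncated /etc/sysctl.conf behind after a failed download,
# and wget -c may treat the existing file as a partial download and resume
# into it instead of replacing it.
_task "update sysctl.conf"
_cmd 'wget --timeout=5 --tries=2 --quiet https://raw.githubusercontent.com/conduro/ubuntu/main/sysctl.conf -O "${WORK_DIR}/sysctl.conf"'
_cmd 'test -s "${WORK_DIR}/sysctl.conf"'
_cmd 'install -m 0644 -o root -g root "${WORK_DIR}/sysctl.conf" /etc/sysctl.conf'

# SSH daemon configuration, same download-then-install approach; sshd -t
# checks the candidate file so a broken download cannot lock out remote access
_task "update sshd_config"
_cmd 'wget --timeout=5 --tries=2 --quiet https://raw.githubusercontent.com/conduro/ubuntu/main/sshd.conf -O "${WORK_DIR}/sshd.conf"'
_cmd 'test -s "${WORK_DIR}/sshd.conf"'
_cmd 'sshd -t -f "${WORK_DIR}/sshd.conf"'
_cmd 'install -m 0644 -o root -g root "${WORK_DIR}/sshd.conf" /etc/ssh/sshd_config'

# NOTE(review): with journald and rsyslog masked, nothing collects the
# messages that sshd_config's LogLevel/SyslogFacility settings ask for, and
# authentication failures leave no record on the host. Keep logging (or ship
# logs to a remote collector) wherever detection or forensics matter.
_task "disable system logging"
_cmd 'systemctl stop systemd-journald.service'
_cmd 'systemctl disable systemd-journald.service'
_cmd 'systemctl mask systemd-journald.service'

_cmd 'systemctl stop rsyslog.service'
_cmd 'systemctl disable rsyslog.service'
_cmd 'systemctl mask rsyslog.service'

# snap daemon
_task "disable snapd"
_cmd 'systemctl stop snapd.service'
_cmd 'systemctl disable snapd.service'
_cmd 'systemctl mask snapd.service'

# firewall
_task "configure firewall"
_cmd 'ufw disable'
_cmd 'ufw --force reset'
_cmd 'ufw logging off'
_cmd 'ufw default deny incoming'
_cmd 'ufw default allow outgoing'
_cmd 'ufw allow 80/tcp comment "http"'
_cmd 'ufw allow 443/tcp comment "https"'
printf "${YELLOW} [?] specify ssh port [leave empty for 22]: ${RESTORE}"
# a failed read (no terminal, EOF) falls back to port 22; skipping both
# branches would enable the firewall with no SSH rule at all
if read -r prompt; then
    printf "${OVERWRITE}"
else
    prompt=""
fi
if [[ -n ${prompt} ]]; then
    # the port ends up inside commands that _cmd evals, so accept digits only
    if [[ ! ${prompt} =~ ^[0-9]{1,5}$ ]] || (( 10#${prompt} < 1 || 10#${prompt} > 65535 )); then
        _fail "invalid ssh port: expected a number between 1 and 65535"
    fi
    SSH_PORT=$((10#${prompt}))
    _cmd 'ufw allow ${SSH_PORT}/tcp comment "ssh"'
    # sshd uses the first value it reads for a keyword, so drop any earlier
    # Port line before appending the new one
    _cmd 'sed -i "/^[[:space:]]*Port[[:space:]]/Id" /etc/ssh/sshd_config'
    _cmd 'echo "Port ${SSH_PORT}" >> /etc/ssh/sshd_config'
else
    _cmd 'ufw allow 22/tcp comment "ssh"'
fi
_cmd 'sed -i "/ipv6=/Id" /etc/default/ufw'
_cmd 'echo "IPV6=no" >> /etc/default/ufw'
_cmd 'sed -i "/GRUB_CMDLINE_LINUX_DEFAULT=/Id" /etc/default/grub'
_cmd 'echo "GRUB_CMDLINE_LINUX_DEFAULT=\"ipv6.disable=1 quiet splash\"" >> /etc/default/grub'


# NOTE(review): deleting /var/log removes existing authentication and system
# history; archive it first if the host has been reachable before this run.
_task "free disk space"
_cmd 'find /var/log -type f -delete'
_cmd 'rm -rf /usr/share/man/*'
_cmd 'apt-get autoremove -y'
_cmd 'apt-get autoclean -y'
# _cmd "purge" 'apt-get remove --purge -y'
# _cmd "clean" 'apt-get clean && sudo apt-get --purge autoremove -y'

# apply the new settings
_task "reload system"
_cmd 'sysctl -p'
_cmd 'update-grub2'
_cmd 'systemctl restart systemd-timesyncd'
_cmd 'ufw --force enable'
# validate the final sshd_config (including an appended Port line) before the
# restart, so a bad file does not take the SSH service down
_cmd 'sshd -t'
_cmd 'service ssh restart'

# finish last task
printf "${OVERWRITE}${LGREEN} [✓] ${LGREEN}%s\n" "${TASK}"

# reboot
printf "\n${YELLOW} Do you want to reboot [Y/n]? ${RESTORE}"
if read -r prompt; then
    printf "${OVERWRITE}"
    if [[ ${prompt} == "y" || ${prompt} == "Y" ]]; then
        reboot
    fi
fi

# exit; reaching this point means every step succeeded, so report success
# (the scratch directory is removed by the EXIT trap)
exit 0

# # description
# _task "disable multipathd"
# _cmd 'systemctl stop multipathd'
# _cmd 'systemctl disable multipathd'
# _cmd 'systemctl mask multipathd'

# # description
# _task "disable cron"
# _cmd 'systemctl stop cron'
# _cmd 'systemctl disable cron'
# _cmd 'systemctl mask cron'

# # description
# _task "disable fwupd"
# _cmd 'systemctl stop fwupd.service'
# _cmd 'systemctl disable fwupd.service'
# _cmd 'systemctl mask fwupd.service'


# # description
# _task "disable qemu-guest"
# _cmd 'apt-get remove qemu-guest-agent -y'
# _cmd 'apt-get remove --auto-remove qemu-guest-agent -y'
# _cmd 'apt-get purge qemu-guest-agent -y'
# _cmd 'apt-get purge --auto-remove qemu-guest-agent -y'

# # description
# _task "disable policykit"
# _cmd 'apt-get remove policykit-1 -y'
# _cmd 'apt-get autoremove policykit-1 -y'
# _cmd 'apt-get purge policykit-1 -y'
# _cmd 'apt-get autoremove --purge policykit-1 -y'

# # description
# _task "disable accountsservice"
# _cmd 'service accounts-daemon stop'
# _cmd 'apt remove accountsservice -y'

--------------------------------------------------------------------------------
/sshd.conf:
--------------------------------------------------------------------------------
# To disable tunneled clear text passwords, change to no here!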
2 | PasswordAuthentication yes 3 | 4 | # Depending on your 2FA option, you may need to enable some of these options, but they should be disabled by default. Note: sshd keeps the first value it reads for each keyword, so the PasswordAuthentication yes above stays in effect and the PasswordAuthentication no below is ignored; remove the earlier line if password logins are meant to be off. 5 | ChallengeResponseAuthentication no 6 | PasswordAuthentication no 7 | 8 | # Allow client to pass locale environment variables 9 | AcceptEnv LANG LC_* 10 | 11 | # Disable connection multiplexing which can be used to bypass authentication 12 | MaxSessions 1 13 | 14 | # Block client 10 minutes after 3 failed login attempts (note: as written, MaxAuthTries 3 limits authentication attempts per connection and LoginGraceTime 10 gives a client 10 seconds to log in; neither setting blocks a client for 10 minutes) 15 | MaxAuthTries 3 16 | LoginGraceTime 10 17 | 18 | # Do not allow empty passwords 19 | PermitEmptyPasswords no 20 | 21 | # Enable PAM authentication 22 | UsePAM yes 23 | 24 | # Disable Kerberos based authentication 25 | KerberosAuthentication no 26 | KerberosGetAFSToken no 27 | KerberosOrLocalPasswd no 28 | KerberosTicketCleanup yes 29 | GSSAPIAuthentication no 30 | GSSAPICleanupCredentials yes 31 | 32 | # Disable user environment forwarding 33 | X11Forwarding no 34 | AllowTcpForwarding no 35 | AllowAgentForwarding no 36 | PermitUserRC no 37 | PermitUserEnvironment no 38 | 39 | # We want to log all activity (note: install.sh also stops and masks systemd-journald and rsyslog, so these messages are likely not recorded anywhere) 40 | LogLevel INFO 41 | SyslogFacility AUTHPRIV 42 | 43 | # What messages do you want to present your users when they log in? 
44 | Banner none 45 | PrintMotd no 46 | PrintLastLog yes 47 | 48 | # Override default of no subsystems 49 | Subsystem sftp /usr/lib/openssh/sftp-server -------------------------------------------------------------------------------- /sysctl.conf: -------------------------------------------------------------------------------- 1 | # IP Spoofing protection 2 | net.ipv4.conf.all.rp_filter = 1 3 | net.ipv4.conf.default.rp_filter = 1 4 | 5 | # Ignore ICMP broadcast requests 6 | net.ipv4.icmp_echo_ignore_broadcasts = 1 7 | 8 | # Disable source packet routing 9 | net.ipv4.conf.all.accept_source_route = 0 10 | net.ipv6.conf.all.accept_source_route = 0 11 | net.ipv4.conf.default.accept_source_route = 0 12 | net.ipv6.conf.default.accept_source_route = 0 13 | 14 | # Do not send ICMP redirects 15 | net.ipv4.conf.all.send_redirects = 0 16 | net.ipv4.conf.default.send_redirects = 0 17 | 18 | # Mitigate SYN flood attacks 19 | net.ipv4.tcp_syncookies = 1 20 | net.ipv4.tcp_max_syn_backlog = 2048 21 | net.ipv4.tcp_synack_retries = 2 22 | net.ipv4.tcp_syn_retries = 5 23 | 24 | # Log martian packets and ignore bogus ICMP error responses 25 | net.ipv4.conf.all.log_martians = 1 26 | net.ipv4.icmp_ignore_bogus_error_responses = 1 27 | 28 | # Ignore ICMP redirects 29 | net.ipv4.conf.all.accept_redirects = 0 30 | net.ipv6.conf.all.accept_redirects = 0 31 | net.ipv4.conf.default.accept_redirects = 0 32 | net.ipv6.conf.default.accept_redirects = 0 33 | 34 | # Ignore all ICMP echo requests (pings) 35 | net.ipv4.icmp_echo_ignore_all = 1 36 | 37 | # Disable IPv6 38 | net.ipv6.conf.all.disable_ipv6 = 1 39 | net.ipv6.conf.default.disable_ipv6 = 1 40 | net.ipv6.conf.lo.disable_ipv6 = 1 41 | 42 | # Hide kernel pointers 43 | kernel.kptr_restrict = 2 44 | 45 | # Enable panic on OOM 46 | vm.panic_on_oom = 1 47 | 48 | # Reboot ten seconds after a kernel panic (including the OOM panic enabled above) 49 | kernel.panic = 10 --------------------------------------------------------------------------------