Examples of Deep Custom Security Configurations
Below are examples of strong, individualized configurations for SELinux, nftables, sysctl and auditd.
These are not universal templates, but references illustrating advanced system hardening.
SELinux status (`sestatus` output — this shows the resulting state, not a configuration file):
terminal
root@user:/home/user# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

root@user:/home/user# sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0
/sbin/agetty                    system_u:system_r:getty_t:s0

File contexts:
Controlling terminal:           unconfined_u:object_r:user_devpts_t:s0
/etc/passwd                     system_u:object_r:etc_t:s0
/etc/shadow                     system_u:object_r:unlabeled_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty                    system_u:object_r:getty_exec_t:s0
/sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/lib/ld-linux.so.2              system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0

Note: this output is not a clean bill of health. `/etc/shadow` is labelled `unlabeled_t` rather than the `shadow_t` the reference policy assigns it, so the policy's rules for the password database do not apply to it; run `restorecon -v /etc/shadow` (or `touch /.autorelabel` and reboot for a full relabel) and re-check. The administrator's own session runs as `unconfined_t`, i.e. enforcing mode here constrains system services, not this shell, and `deny_unknown: allowed` means permissions the loaded policy does not know about are permitted rather than denied.
nftables config:
nftables (e.g. /etc/nftables.conf — this is nft syntax, not a shell script)
# Removes EVERY table in the kernel, not only "inet filter": rules installed by
# Docker, libvirt, firewalld or fail2ban (all of which use iptables-nft/nft
# tables of their own) are wiped too and are not recreated until those
# services restart. On a host running any of them, prefer deleting and
# re-creating just this table so their rulesets survive a reload.
flush ruleset
table inet filter {
# = Main chain policy =
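chain input {
    type filter hook input priority 0; policy drop;

    # Loopback first: it must precede the anti-spoofing rules, which drop
    # 127.0.0.0/8 as a source on every interface.
    iif "lo" accept

    # Packets conntrack cannot classify (stray ACKs, bad TCP state, malformed)
    # never reach an accept rule.
    ct state invalid drop

    # Replies to connections this host initiated. ICMP errors that belong to a
    # tracked flow (destination-unreachable, time-exceeded, ...) are "related"
    # and are admitted here, so no separate ICMP-error rule is needed.
    ct state established,related accept

    # == Local discovery protocols: SSDP, mDNS, NetBIOS, LLMNR ==
    # Redundant under a drop policy, but kept explicit so a later broad accept
    # (e.g. "ip saddr 192.168.0.0/16 accept") does not silently re-expose them.
    ip daddr 239.255.255.250 udp dport 1900 drop   # SSDP (UPnP discovery)
    ip daddr 224.0.0.251 udp dport 5353 drop       # mDNS (Avahi/Bonjour)
    udp dport { 137, 138, 5355 } drop              # NetBIOS-NS, NetBIOS-DGM, LLMNR

    # == Anti-spoofing: sources that can never belong to a real peer ==
    ip saddr { 127.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 224.0.0.0/4, 240.0.0.0/5 } drop
    # NOTE(review): dropping RFC1918 sources means any inbound service you add
    # later is unreachable from a private LAN unless you remove your own subnet
    # from this set. Return traffic from the LAN is unaffected (accepted as
    # established above).
    ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop

    # == Port-scan fingerprints: flag combinations no real stack sends ==
    tcp flags & (fin|syn|rst|psh|ack|urg) == 0 drop              # NULL scan
    tcp flags & (fin|psh|urg) == (fin|psh|urg) drop              # XMAS scan
    tcp flags & (fin|syn) == (fin|syn) drop                      # SYN+FIN (invalid; the original called this "SYN-ACK scan")
    tcp flags & (syn|rst) == (syn|rst) drop                      # SYN+RST (invalid; also covers the original's SYN+RST+FIN rule)
    tcp flags & (syn|fin|rst|psh|ack) == (syn|rst|fin|ack) drop  # SYN+RST+FIN+ACK
    # A new connection must open with a bare SYN.
    ct state new tcp flags & (fin|syn|rst|ack) != syn drop

    # == Non-initial IPv4 fragments ==
    # NOTE(review): with conntrack active the kernel reassembles fragments
    # before this hook, so this rarely matches; kept as defence in depth.
    ip frag-off & 0x1fff != 0 drop

    # == Known-bad source ranges: log (capped), then drop ==
    # Two rules on purpose: a single "limit ... log ... drop" would stop
    # dropping once the log budget is spent. The cap keeps a flood from a
    # listed range from filling the journal. A table-level named set would
    # remove the duplication. Prefixes are ASCII: the original's emoji
    # prefixes were mis-encoded and are awkward in kernel logs.
    ip saddr { 45.9.20.0/24, 89.248.160.0/19, 185.220.100.0/22, 198.96.155.0/24, 185.107.56.0/24, 185.129.62.0/23 } limit rate 5/minute log prefix "BAN: known bots " flags all
    ip saddr { 45.9.20.0/24, 89.248.160.0/19, 185.220.100.0/22, 198.96.155.0/24, 185.107.56.0/24, 185.129.62.0/23 } drop

    # == ICMP ==
    # Echo requests are answered at most 1/s; the excess is logged (capped)
    # and falls through to the drop policy.
    # NOTE(review): the companion sysctl sets net.ipv4.icmp_echo_ignore_all=1,
    # which makes this accept pointless (the kernel never replies). Keep one.
    ip protocol icmp icmp type echo-request limit rate 1/second accept
    ip protocol icmp icmp type echo-request limit rate 5/minute log prefix "BAN: ICMP flood " flags all

    # == Per-source throttle on new inbound connections ==
    # The original "ip saddr 0.0.0.0/0 ct state new limit rate 25/second ...
    # accept" was a single GLOBAL bucket (a bare "limit" has no key), and -
    # far worse - it ACCEPTED any new inbound connection to any port up to
    # 25/s, which overrode the drop policy and made every rule after it dead
    # for new packets. A meter keyed on the source address is per-IP, and
    # this rule only ever drops. Put any service accepts AFTER it.
    ct state new meter inbound_new_per_src { ip saddr limit rate over 25/second burst 50 packets } log prefix "BAN: too many conn " flags all drop

    # IPv6 is disabled by the companion sysctl. If you re-enable it, neighbour
    # discovery must be allowed or the host loses its IPv6 link:
    # icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

    # There are intentionally no inbound service accepts on this workstation;
    # everything not matched above is dropped by policy.
}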
# = Main chain policy =
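chain forward {
    type filter hook forward priority 0; policy drop;

    # Transit traffic (this host routing for containers or VMs). The companion
    # sysctl sets net.ipv4.ip_forward=0, so normally nothing reaches this
    # chain. The policy is now drop (the original was accept): Docker and
    # libvirt turn forwarding on when they start, and an accept policy would
    # then have exposed every port not on the deny-list below. With a drop
    # policy only the explicit accepts carry traffic.
    # NOTE(review): Docker also installs its own forward rules in separate
    # tables; review them together with this chain.

    ct state invalid drop
    # Return traffic for forwarded flows. The original had no such rule while
    # dropping TCP 32768-65535 and UDP 10000-65535 by destination port, so had
    # forwarding been enabled, replies to a NATed client's ephemeral port
    # would have been dropped and every forwarded connection would stall.
    ct state established,related accept

    # == Optional throttles (uncomment when forwarding is actually in use) ==
    # A bare "limit" is one global bucket; the meter form is per source IP.
    # ct state new meter fwd_new_per_src { ip saddr limit rate over 25/second burst 50 packets } log prefix "BAN: too many conn " flags all drop
    # ip protocol icmp icmp type echo-request limit rate 1/second accept

    # == Explicit deny-list, evaluated before the accepts ==
    # Redundant under a drop policy, but it keeps the "never forward these"
    # intent enforced even if someone adds a broad accept later.
    # remote access (22/23/3389/5900), FTP/SMB/NetBIOS (21/137-139/445),
    # databases (1433/1434/3306), proxies/admin panels (1080/3128/8000/8080/
    # 8888/9200/10000), UPnP (1900), common RAT/C2 ports (1234/1337/4444/5555/9001)
    tcp dport { 21, 22, 23, 137, 138, 139, 445, 1080, 1234, 1337, 1433, 1434,
                1900, 3128, 3306, 3389, 4444, 5555, 5900, 8000, 8080, 8888,
                9001, 9200, 10000 } drop
    udp dport { 161, 162 } drop   # SNMP / SNMP trap

    # == Transit services that are allowed ==
    tcp dport { 53, 80, 443, 12043, 13000-13050 } accept   # DNS, HTTP, HTTPS, Custom 3D Application
    udp dport { 53, 443, 3478-3481 } accept                # DNS, QUIC/HTTP3, STUN/TURN

    # Everything else - including the 1024-65535 ranges the original listed
    # one sub-range at a time - is dropped by policy.
    # NOTE(review): the original also dropped 185/8, 37/8, 88/8, 77/8 and 91/8
    # as "botnet" space. Those are whole RIR allocations holding a large share
    # of European ISPs and hosters; blocking them by /8 is mostly collateral
    # damage and gives little assurance, so it is not reproduced here. Use a
    # curated feed (e.g. a DROP/EDROP list) loaded into a named set instead.
}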
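chain output {
    type filter hook output priority 0; policy accept;

    # Egress policy: allow by default, deny a documented list. Loopback and
    # reply traffic leave first, so the deny-lists below only judge NEW
    # outbound connections. The original had neither rule, so (had its lists
    # been live) a dev server on 127.0.0.1:8080 would have been unreachable.
    oif "lo" accept
    ct state invalid drop
    ct state established,related accept

    # == Outbound burst detector ==
    # The original "limit rate 25/second ... accept" here ACCEPTED every new
    # outbound connection before the deny-lists, turning all of them into
    # dead code, and then DROPPED every new connection once the bucket was
    # empty (self-DoS). This rule matches only the excess and logs it rather
    # than dropping: a workstation opening >25 new connections/s is worth an
    # alert (beaconing, worm, scanner), not an outage. Note "ip saddr" was
    # also meaningless here - in the output chain the source is this host.
    # Each packet over the rate is logged; add "drop" back if you prefer
    # throttling to visibility.
    ct state new limit rate over 25/second burst 50 packets counter log prefix "ALERT: outbound conn burst " flags all

    # == ICMP ==
    # Outbound ping at most 1/s; the excess is logged (capped) and dropped.
    ip protocol icmp icmp type echo-request limit rate 1/second accept
    ip protocol icmp icmp type echo-request limit rate 5/minute log prefix "BAN: ICMP flood " flags all
    ip protocol icmp icmp type echo-request drop
    # Errors this host must be able to send (PMTU discovery, traceroute
    # replies, port-unreachable for closed UDP ports).
    ip protocol icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
    # ICMPv6 equivalents plus neighbour/router discovery (types 1-4, 133-136).
    # No effect while the companion sysctl disables IPv6, but required if it
    # is re-enabled.
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
    icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
    # Every other ICMP/ICMPv6 type (timestamp, redirect, ...) is dropped.
    ip protocol icmp drop
    ip6 nexthdr icmpv6 drop

    # == Transports no desktop application uses ==
    meta l4proto sctp drop
    meta l4proto dccp drop

    # == Allow-list: evaluated before the deny ranges below ==
    # 3306 is NOT here any more: the original accepted it ("needed if you
    # connect to MySQL") and then listed it under "NEVER open"; the accept
    # came first, so the deny was dead. It is now deny-only - re-add it here
    # deliberately if you need a MySQL client.
    tcp dport { 53, 80, 443, 3000, 3478, 3690, 4443, 12043, 13000-13050 } accept
    # DNS, HTTP, HTTPS, Node dev server, STUN/TURN, SVN, alt-HTTPS, Custom 3D App
    # UDP STUN/TURN added: the original allowed STUN only over TCP and then
    # dropped UDP 3478 inside its 2048-4095 range, which breaks the WebRTC
    # calls its own comment said 3478 was needed for.
    udp dport { 443, 3478-3481, 13000-13050 } accept   # QUIC/HTTP3, STUN/TURN, Custom 3D App

    # == Deny-list: specific risky destinations ==
    # remote access (22/23/3389/5900), FTP/SMB/NetBIOS (21/137-139/445),
    # databases (1433/1434/3306), proxies/admin panels (1080/3128/8000/8080/
    # 8888/9200/10000), UPnP (1900), common RAT/C2 ports (1234/1337/4444/5555/9001)
    # NOTE(review): 22 here also blocks YOUR outbound ssh, scp and git+ssh.
    tcp dport { 21, 22, 23, 137, 138, 139, 445, 1080, 1234, 1337, 1433, 1434,
                1900, 3128, 3306, 3389, 4444, 5555, 5900, 8000, 8080, 8888,
                9001, 9200, 10000 } drop
    udp dport { 161, 162 } drop   # SNMP / SNMP trap

    # == Deny-list: broad destination ranges (ports accepted above are exempt) ==
    # WARNING: 1-1023 also covers SMTP/IMAP/POP (25/465/587/993/995), LDAP,
    # Kerberos and WHOIS - mail clients and corporate SSO stop working.
    # Comment out a sub-range if an application needs it.
    tcp dport {
        1-1023,        # privileged ports
        1024-2047,     # r-commands, old RPC/NFS, legacy daemons
        2048-4999,     # proprietary/middleware/corporate applications
        5000-5999,     # alternative admin and P2P ports
        7000-7999,     # test ports, historic trojans
        9000-9999,     # web services, proxies, backdoors
        10000-32767    # VPN, games, P2P, old ephemeral range
    } drop
    udp dport {
        1024-4095,     # old UNIX/RPC/NFS and proprietary services
        4096-8191,     # VPN, games, P2P, some VoIP clients
        8192-12287,    # proxies, multimedia
        12288-16383,   # old RTP/VoIP ranges
        16384-24575,   # main RTP range - the original's own comment said not to
                       # block this for WebRTC/VoIP, yet it was active; remove
                       # this line if you need video calls
        24576-32767    # VPN, P2P, games, streaming
    } drop

    # == Source-range block: disabled ==
    # The original matched "ip saddr 185/8, 37/8, 88/8, 77/8, 91/8" in the
    # OUTPUT chain, where the source address is this host's own - a no-op on
    # a LAN address, and a total outbound outage for a host that has a public
    # address inside those /8s. The intended "ip daddr" form would cut off
    # whole RIR allocations of European ISPs. Left disabled; use a curated
    # feed in a named set instead.
    # ip daddr { 185.0.0.0/8, 37.0.0.0/8, 88.0.0.0/8, 77.0.0.0/8, 91.0.0.0/8 } drop
}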
}

sysctl config:
kernel parameters configuration
/etc/sysctl.d/99-protect.conf
sysctl.conf (key = value; applied with `sysctl --system`)
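# /etc/sysctl.d/99-protect.conf - network hardening for a workstation.
# Apply with: sysctl --system
# A key that does not exist makes sysctl print an error and skip it; the
# original contained two such keys (see 9 below), which buried real errors.

# 1. Do not answer ICMP echo at all.
#    NOTE(review): this overrides the nftables "ping at 1/s" rule - the kernel
#    never generates the reply. Keep one mechanism, not both.
net.ipv4.icmp_echo_ignore_all = 1
# 2. Ignore echo requests to broadcast/multicast addresses (Smurf amplification).
net.ipv4.icmp_echo_ignore_broadcasts = 1
# 3. SYN cookies: keep accepting connections while the SYN backlog is flooded.
net.ipv4.tcp_syncookies = 1
# 4. Refuse source-routed packets (sender-chosen path, used for spoofing).
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# 5. Log "martians": packets whose source address cannot legitimately arrive
#    on the receiving interface (spoofing or misconfiguration).
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# 6. Ignore ICMP redirects (route hijack by a LAN peer) and do not send them.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# 7. Strict reverse-path filtering: drop packets that arrive on an interface
#    the kernel would not use to reach their source. Kernel-side companion to
#    the nftables anti-spoofing rules. Use 2 (loose) on hosts with asymmetric
#    routing or several uplinks.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# 8. This host is not a router. (Docker/libvirt flip this on when they start.)
net.ipv4.ip_forward = 0
# 9. Disable IPv6 on all present and future interfaces.
#    The original also set net.ipv4.conf.{all,default}.disable_ipv6 - not a
#    kernel key, only a load error - and described this entry as "disable
#    IPv6 forwarding"; it disables IPv6 entirely.
#    NOTE(review): IPv6-only networks and anything binding ::1 stop working.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# 10. RFC 1337: ignore RST segments in TIME-WAIT (TIME-WAIT assassination).
#     The original comment ("null windows") described something else.
net.ipv4.tcp_rfc1337 = 1
# 11. Answer ARP only for addresses configured on the receiving interface.
#     1 ENABLES the filter (the original comment said "disable"). Relevant on
#     multi-homed hosts; harmless on a single-NIC desktop.
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.default.arp_filter = 1
# 12. Drop unicast IP packets delivered in an L2 broadcast/multicast frame
#     (the original comment, "incorrect checksums", was wrong).
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1
# 13. Do not log malformed ICMP error responses from broken routers.
net.ipv4.icmp_ignore_bogus_error_responses = 1
# 14. Fewer SYN-ACK retransmissions (default 5): half-open connections
#     expire sooner during a SYN flood.
net.ipv4.tcp_synack_retries = 2
# 15. TCP socket buffer sizes (min default max, bytes). Performance tuning,
#     not a security control; kept from the original.
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 65536 4194304
# 16. Route cache size. Not a "cache lifetime" as the original said, and the
#     IPv4 routing cache was removed in kernel 3.6, so the key is retained only
#     for compatibility and has no effect on current kernels.
net.ipv4.route.max_size = 32768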
auditd rules config:
/etc/audit/rules.d/audit.rules
audit.rules (auditctl syntax, loaded by augenrules)
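## /etc/audit/rules.d/audit.rules - loaded by augenrules into auditd.
## Verify before relying on it:  augenrules --check && auditctl -l

## Reset: remove every loaded rule before adding ours
-D

## Buffers / failure mode
## 8192 kernel buffers; block (up to 60 s) instead of losing events when the
## backlog is full; -f 1 = log a kernel message on failure (2 = panic).
-b 8192
--backlog_wait_time 60000
-f 1

## ---- Process execution ----
## Every execve on both ABIs. The original only had b64, so 32-bit binaries
## ran unlogged. This rule also records ssh/nc/sudo/su/dpkg executions; the
## per-binary watches below exist only to give them their own search keys.
-a always,exit -F arch=b64 -S execve -F key=exec_log
-a always,exit -F arch=b32 -S execve -F key=exec_log

## ---- Network activity ----
## NOTE(review): very high volume on a desktop (every socket/connect/accept).
## Also, a non-blocking connect() returns EINPROGRESS, so with "success=1"
## most browser and systemd connections are NOT recorded; drop the success
## filter and filter in the collector if you need them.
-a always,exit -F arch=b64 -S socket -F success=1 -k socket_connect
-a always,exit -F arch=b32 -S socket -F success=1 -k socket_connect
-a always,exit -F arch=b64 -S connect -F success=1 -k network_connect
-a always,exit -F arch=b32 -S connect -F success=1 -k network_connect
-a always,exit -F arch=b64 -S accept4 -F success=1 -k network_accept
-a always,exit -F arch=b32 -S accept4 -F success=1 -k network_accept

## ---- Logins and sessions ----
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

## ---- sudo / su ----
## The original watched /etc/sudoers and /etc/sudoers.d twice under two keys
## (sudo, sudoers_changes), producing two records per change; merged.
## Paths are the merged-/usr locations (/bin is a symlink to /usr/bin).
-w /etc/sudoers -p wa -k sudo
-w /etc/sudoers.d/ -p wa -k sudo
-w /usr/bin/sudo -p x -k sudo_command
-w /usr/bin/su -p x -k su_cmd
## uid/gid changes. The original's "setuid/setgid" alone misses the variants
## glibc and PAM actually use (setresuid etc.), and on i386 the 32-bit-uid
## syscalls have their own numbers (setuid32 ...). Expect noise: every login
## and every sudo changes uids, so "privilege_escalation" is a search key,
## not a verdict.
-a always,exit -F arch=b64 -S setuid,setgid,setreuid,setregid,setresuid,setresgid -k privilege_escalation
-a always,exit -F arch=b32 -S setuid,setgid,setreuid,setregid,setresuid,setresgid,setuid32,setgid32,setreuid32,setregid32,setresuid32,setresgid32 -k privilege_escalation

## ---- Identity and system configuration ----
-w /etc/passwd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/hosts -p wa -k system_conf
-w /etc/hostname -p wa -k system_conf
-w /etc/resolv.conf -p wa -k system_conf
-w /etc/issue -p wa -k system_conf
-w /etc/network/ -p wa -k system_conf

## ---- Time changes ----
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -F key=time_change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,stime,clock_settime -F key=time_change
-w /etc/localtime -p wa -k time_change

## ---- SSH ----
## NOTE(review): auth.log is appended by the logger on every auth event, so
## this watch fires constantly; it is a cheap tamper signal, not login audit.
-w /etc/ssh/sshd_config -p wa -k ssh_config_change
-w /etc/ssh/sshd_config.d/ -p wa -k ssh_config_change
-w /var/log/auth.log -p wa -k ssh_login
## Execution of remote tools. The original used "-F exe=/usr/bin/nc", which
## rarely fires: nc is normally a symlink to nc.openbsd/ncat and exe= matches
## the resolved binary. An execute watch follows the symlink at load time.
-w /usr/bin/ssh -p x -k ssh_process
-w /usr/bin/nc -p x -k nc_process

## ---- Credential files (disabled by default) ----
## auditctl does not expand shell globs: "-w /home/*/.ssh/" (as in the
## original) watches a literal directory named "*". One line per user, or a
## directory watch on /home (noisy).
#-w /root/.ssh/ -p wa -k ssh_keys
#-w /home/alice/.ssh/ -p wa -k ssh_keys

## ---- Package management ----
## The original lines had no key, and watched /usr/sbin/apt-get, a path that
## does not exist on Debian (apt-get lives in /usr/bin): a watch on a missing
## path loads without error and simply never fires.
-w /usr/bin/dpkg -p x -k software_mgmt
-w /usr/bin/apt-get -p x -k software_mgmt
-w /usr/bin/apt -p x -k software_mgmt

## ---- Lock the configuration ----
## -e 2 makes the rule set immutable until reboot, so an intruder with root
## cannot silently "auditctl -D" it. It must be the LAST line. Enable it once
## the rule set is final, because any later change then needs a reboot.
#-e 2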
