From 93823eabd68d2b2e534b52b1358282f1121eb1fc Mon Sep 17 00:00:00 2001 From: Mikaela Suomalainen Date: Sat, 12 Jun 2021 21:52:39 +0300 Subject: [PATCH] sysctl.d: add 23-starts-unprivileged-ports.conf Self-explanatory within comments. Link list notes to selves contributing into this version: * https://kernelnewbies.org/Linux_4.11 * https://stackoverflow.com/a/51439516 * https://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-on-linux#comment90027734_51439516 * https://developer.apple.com/forums/thread/674179 * https://news.ycombinator.com/item?id=18302380 * https://security.stackexchange.com/q/242859 * https://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-on-linux#comment90027734_51439516 --- etc/sysctl.d/23-starts-unprivileged-ports.conf | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 etc/sysctl.d/23-starts-unprivileged-ports.conf diff --git a/etc/sysctl.d/23-starts-unprivileged-ports.conf b/etc/sysctl.d/23-starts-unprivileged-ports.conf new file mode 100644 index 00000000..044b417b --- /dev/null +++ b/etc/sysctl.d/23-starts-unprivileged-ports.conf @@ -0,0 +1,6 @@ +# I mainly care about protecting 22/SSH, and don't see myself using ports +# below 80 (or 70 if Gopher fans around me get me around to it), the 1024 +# unprivileged start is legacy that Windows and macOS have ended ages ago. +# Linux 4.11 April 2017, also works for IPv6 +# https://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-on-linux#comment90027734_51439516 +net.ipv4.ip_unprivileged_port_start=23
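Review bot: The value in the last hunk line, `net.ipv4.ip_unprivileged_port_start=23`, is wider than the rationale in the comment above it supports. The comment says only 22/SSH needs protecting and that ports below 80 (or 70) will not be used, which argues for a start of 80 (or 70); lowering it to 23 additionally lets any unprivileged local process bind 23-79, which includes 25 (SMTP), 53 (DNS) and 67/68 (DHCP). Since the kernel hands a port to whichever process binds it first, every port above the chosen start can be taken by a non-root process that starts before the intended daemon, so the start should be the highest value that still covers the ports the host actually serves. If the goal is to let one specific non-root service bind a low port, a per-service grant of `CAP_NET_BIND_SERVICE` (for example via the unit's `AmbientCapabilities=` or a file capability on the binary) keeps the rest of the privileged range protected and avoids changing the system-wide default at all. Suggested change if the sysctl approach is kept: `net.ipv4.ip_unprivileged_port_start=80` (renaming the file accordingly), and a short comment stating which ports below that value the host relies on being root-only. Also, the comment's "Linux 4.11 April 2017, also works for IPv6" is correct, since the single `net.ipv4` knob governs both address families.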