about summary refs log blame commit diff stats
path: root/core/conf/sysctl.conf
blob: 2a8723b0b19da51dd470c1cf4b326533263a6011 (plain) (tree)
1
2
3
4
5
6
7
8



                                                                          
                       
 
                             
 




                                                     
 


                                                                                  


                            
 






                                       
                                         
                        
 



                     
                           

                           
 








                                                                   


                                                                                                             
                                                             





                                      






                                              
 
                                     



























                                                                                  




                                                                                            

                                    
 
 
                                               
                                             



                                          



                                                 
 




                                        
 






                                                         













                                     
 
             
#
# /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
#

kernel.printk = 7 1 1 4

kernel.randomize_va_space = 2

# Shared Memory
#kernel.shmmax = 500000000
# Total allocated file handlers that can be allocated
# fs.file-nr=
vm.mmap_min_addr=65536

# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
kernel.pid_max = 65536

#Yama LSM by default
kernel.yama.ptrace_scope = 1

#
# Filesystem Protections
#

# Optimization for port usefor LBs
# Increase system file descriptor limit
fs.file-max = 65535

# Hide symbol addresses in /proc/kallsyms
kernel.kptr_restrict = 2

#
# Network Protections
#

net.core.bpf_jit_enable = 0
# harden all code
net.core.bpf_jit_harden = 2

# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
# Tcp Windows etc
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1

#A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic.
net.ipv4.tcp_sack = 0

# Both ports linux-blob and linux-libre don't build with ipv6
# Disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

# Tuen IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 0

# Avoid a smurf attack, ping scanning
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1

## protect against tcp time-wait assassination hazards
## drop RST packets for sockets in the time-wait state
## (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 = 1

## tcp timestamps
## + protect against wrapping sequence numbers (at gigabit speeds)
## + round trip time calculation implemented in TCP
## - causes extra overhead and allows uptime detection by scanners like nmap
## enable @ gigabit speeds
net.ipv4.tcp_timestamps = 0
#net.ipv4.tcp_timestamps = 1

# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

## ignore echo broadcast requests to prevent being part of smurf attacks (default)
net.ipv4.icmp_echo_ignore_broadcasts = 1

## sets the kernels reverse path filtering mechanism to value 1(on)
## will do source validation of the packet's recieved from all the interfaces on the machine
## protects from attackers that are using ip spoofing methods to do harm
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
#net.ipv6.conf.default.rp_filter = 1
#net.ipv6.conf.all.rp_filter = 1


# Make sure no one can alter the routing tables
# Act as a router, necessary for Access Point
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# No source routed packets here
# Discard packets with source routes, ip spoofing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0


net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

net.ipv4.ip_forward = 0

# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000

# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608

# Disable proxy_arp
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.proxy_arp = 0

# Disable bootp_relay
net.ipv4.conf.default.bootp_relay = 0
net.ipv4.conf.all.bootp_relay = 0

# Decrease TCP fin timeout
net.ipv4.tcp_fin_timeout = 30
# Decrease TCP keep alive time
net.ipv4.tcp_keepalive_time = 1800
# Sen SynAck retries to 3
net.ipv4.tcp_synack_retries = 3

# End of file