about summary refs log tree commit diff stats
diff options
context:
space:
mode:
authorSilvino Silva <silvino@bk.ru>2016-09-13 00:01:40 +0100
committerSilvino Silva <silvino@bk.ru>2016-09-13 00:01:40 +0100
commit6c67f930189e84428fb973c56410881b34b8ef12 (patch)
tree059057b3200fe350caaa7dcb9e15c629606b5441
parent41d479c1a0f02d9d2370fb2869de885be58ba506 (diff)
downloaddoc-6c67f930189e84428fb973c56410881b34b8ef12.tar.gz
added core/conf/sysctl.conf
-rw-r--r--core/conf/sysctl.conf102
1 files changed, 102 insertions, 0 deletions
diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf
new file mode 100644
index 0000000..b74243b
--- /dev/null
+++ b/core/conf/sysctl.conf
@@ -0,0 +1,102 @@
+#
+# /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
+#
+
+kernel.printk = 1 4 1 7
+
+# Disable ipv6
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.default.disable_ipv6 = 1
+net.ipv6.conf.lo.disable_ipv6 = 1
+
+# Tuen IPv6
+# net.ipv6.conf.default.router_solicitations = 0
+# net.ipv6.conf.default.accept_ra_rtr_pref = 0
+# net.ipv6.conf.default.accept_ra_pinfo = 0
+# net.ipv6.conf.default.accept_ra_defrtr = 0
+# net.ipv6.conf.default.autoconf = 0
+# net.ipv6.conf.default.dad_transmits = 0
+# net.ipv6.conf.default.max_addresses = 0
+
+# Avoid a smurf attack
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# Turn on protection for bad icmp error messages
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Turn on syncookies for SYN flood attack protection
+net.ipv4.tcp_syncookies = 1
+
+## protect against tcp time-wait assassination hazards
+## drop RST packets for sockets in the time-wait state
+## (not widely supported outside of linux, but conforms to RFC)
+net.ipv4.tcp_rfc1337 = 1
+
+## tcp timestamps
+## + protect against wrapping sequence numbers (at gigabit speeds)
+## + round trip time calculation implemented in TCP
+## - causes extra overhead and allows uptime detection by scanners like nmap
+## enable @ gigabit speeds
+net.ipv4.tcp_timestamps = 0
+#net.ipv4.tcp_timestamps = 1
+
+# Turn on and log spoofed, source routed, and redirect packets
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+## ignore echo broadcast requests to prevent being part of smurf attacks (default)
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# No source routed packets here
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+
+## sets the kernels reverse path filtering mechanism to value 1(on)
+## will do source validation of the packet's recieved from all the interfaces on the machine
+## protects from attackers that are using ip spoofing methods to do harm
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+net.ipv6.conf.default.rp_filter = 1
+net.ipv6.conf.all.rp_filter = 1
+
+# Make sure no one can alter the routing tables
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+
+# Act as a router, necessary for Access Point
+net.ipv4.ip_forward = 1
+net.ipv4.conf.all.send_redirects = 1
+net.ipv4.conf.default.send_redirects = 1
+
+kernel.shmmax = 500000000
+# Turn on execshild
+kernel.exec-shield = 1
+kernel.randomize_va_space = 1
+
+# Optimization for port usefor LBs
+# Increase system file descriptor limit
+fs.file-max = 65535
+
+# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
+kernel.pid_max = 65536
+
+# Increase system IP port limits
+net.ipv4.ip_local_port_range = 2000 65000
+
+# Increase TCP max buffer size setable using setsockopt()
+net.ipv4.tcp_rmem = 4096 87380 8388608
+net.ipv4.tcp_wmem = 4096 87380 8388608
+
+# Increase Linux auto tuning TCP buffer limits
+# min, default, and max number of bytes to use
+# set max to at least 4MB, or higher if you use very high BDP paths
+# Tcp Windows etc
+net.core.rmem_max = 8388608
+net.core.wmem_max = 8388608
+net.core.netdev_max_backlog = 5000
+net.ipv4.tcp_window_scaling = 1
+
+# End of file
+