about summary refs log tree commit diff stats
path: root/linux/sysctl.html
diff options
context:
space:
mode:
authorSilvino <silvino@bk.ru>2021-02-25 23:22:17 +0000
committerSilvino <silvino@bk.ru>2021-02-25 23:22:17 +0000
commitd12b35a47b9a872ecb5e037f1c2b02e1ea8927fb (patch)
tree8fdac6dfc8cabb9f85a2db3a3bd628cfe44438cd /linux/sysctl.html
parent0a6b0fc9769daf0932cb207c3285baa31547b489 (diff)
parenta3628fc49db4d88ff3e4067268650710d1da3f6f (diff)
downloaddoc-d12b35a47b9a872ecb5e037f1c2b02e1ea8927fb.tar.gz
merge openbsd branch into develop
new directory layout
Diffstat (limited to 'linux/sysctl.html')
-rw-r--r--linux/sysctl.html177
1 files changed, 177 insertions, 0 deletions
diff --git a/linux/sysctl.html b/linux/sysctl.html
new file mode 100644
index 0000000..3b1d492
--- /dev/null
+++ b/linux/sysctl.html
@@ -0,0 +1,177 @@
+<!DOCTYPE html>
+<html dir="ltr" lang="en">
+    <head>
+        <meta charset='utf-8'>
+        <title>2.6.2. Sysctl</title>
+    </head>
+    <body>
+
+        <a href="index.html">Core OS Index</a>
+
+        <h1 id="sysctl">2.6.2. Sysctl</h1>
+
+        <p>Sysctl references
+        <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>,
+        <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>,
+        <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>.</p>
+
+        <pre>
+        #
+        # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
+        #
+
+        kernel.printk = 7 1 1 4
+
+        kernel.randomize_va_space = 2
+
+        # Shared Memory
+        #kernel.shmmax = 500000000
+        # Total allocated file handlers that can be allocated
+        # fs.file-nr=
+        vm.mmap_min_addr=65536
+
+        # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
+        kernel.pid_max = 65536
+
+        #Yama LSM by default
+        kernel.yama.ptrace_scope = 1
+
+        #
+        # Filesystem Protections
+        #
+
+        # Optimization for port usefor LBs
+        # Increase system file descriptor limit
+        fs.file-max = 65535
+
+        # Hide symbol addresses in /proc/kallsyms
+        kernel.kptr_restrict = 2
+
+        #
+        # Network Protections
+        #
+
+        net.core.bpf_jit_enable = 0
+
+        # Increase Linux auto tuning TCP buffer limits
+        # min, default, and max number of bytes to use
+        # set max to at least 4MB, or higher if you use very high BDP paths
+        # Tcp Windows etc
+        net.core.rmem_max = 8388608
+        net.core.wmem_max = 8388608
+        net.core.netdev_max_backlog = 5000
+        net.ipv4.tcp_window_scaling = 1
+
+        #A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic.
+        net.ipv4.tcp_sack = 0
+
+        # Both ports linux-blob and linux-libre don't build with ipv6
+        # Disable ipv6
+        net.ipv6.conf.all.disable_ipv6 = 1
+        net.ipv6.conf.default.disable_ipv6 = 1
+        net.ipv6.conf.lo.disable_ipv6 = 1
+
+        # Tuen IPv6
+        #net.ipv6.conf.default.router_solicitations = 0
+        #net.ipv6.conf.default.accept_ra_rtr_pref = 0
+        #net.ipv6.conf.default.accept_ra_pinfo = 0
+        #net.ipv6.conf.default.accept_ra_defrtr = 0
+        #net.ipv6.conf.default.autoconf = 0
+        #net.ipv6.conf.default.dad_transmits = 0
+        #net.ipv6.conf.default.max_addresses = 0
+
+        # Avoid a smurf attack, ping scanning
+        net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+        # Turn on protection for bad icmp error messages
+        net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+        # Turn on syncookies for SYN flood attack protection
+        net.ipv4.tcp_syncookies = 1
+
+        ## protect against tcp time-wait assassination hazards
+        ## drop RST packets for sockets in the time-wait state
+        ## (not widely supported outside of linux, but conforms to RFC)
+        net.ipv4.tcp_rfc1337 = 1
+
+        ## tcp timestamps
+        ## + protect against wrapping sequence numbers (at gigabit speeds)
+        ## + round trip time calculation implemented in TCP
+        ## - causes extra overhead and allows uptime detection by scanners like nmap
+        ## enable @ gigabit speeds
+        net.ipv4.tcp_timestamps = 0
+        #net.ipv4.tcp_timestamps = 1
+
+        # Turn on and log spoofed, source routed, and redirect packets
+        net.ipv4.conf.all.log_martians = 1
+        net.ipv4.conf.default.log_martians = 1
+
+        ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
+        net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+        ## sets the kernels reverse path filtering mechanism to value 1(on)
+        ## will do source validation of the packet's recieved from all the interfaces on the machine
+        ## protects from attackers that are using ip spoofing methods to do harm
+        net.ipv4.conf.all.rp_filter = 1
+        net.ipv4.conf.default.rp_filter = 1
+        #net.ipv6.conf.default.rp_filter = 1
+        #net.ipv6.conf.all.rp_filter = 1
+
+
+        # Make sure no one can alter the routing tables
+        # Act as a router, necessary for Access Point
+        net.ipv4.conf.all.accept_redirects = 0
+        net.ipv4.conf.default.accept_redirects = 0
+        net.ipv4.conf.all.secure_redirects = 0
+        net.ipv4.conf.default.secure_redirects = 0
+        # No source routed packets here
+        # Discard packets with source routes, ip spoofing
+        net.ipv4.conf.all.accept_source_route = 0
+        net.ipv4.conf.default.accept_source_route = 0
+
+
+        net.ipv4.conf.all.send_redirects = 0
+        net.ipv4.conf.default.send_redirects = 0
+
+        net.ipv4.ip_forward = 0
+
+        # Increase system IP port limits
+        net.ipv4.ip_local_port_range = 2000 65000
+
+        # Increase TCP max buffer size setable using setsockopt()
+        net.ipv4.tcp_rmem = 4096 87380 8388608
+        net.ipv4.tcp_wmem = 4096 87380 8388608
+
+        # Disable proxy_arp
+        net.ipv4.conf.default.proxy_arp = 0
+        net.ipv4.conf.all.proxy_arp = 0
+
+        # Disable bootp_relay
+        net.ipv4.conf.default.bootp_relay = 0
+        net.ipv4.conf.all.bootp_relay = 0
+
+        # Decrease TCP fin timeout
+        net.ipv4.tcp_fin_timeout = 30
+        # Decrease TCP keep alive time
+        net.ipv4.tcp_keepalive_time = 1800
+        # Sen SynAck retries to 3
+        net.ipv4.tcp_synack_retries = 3
+
+        # End of file
+        </pre>
+
+        <p>Reload sysctl settings;</p>
+
+        <pre>
+        # sysctl --system
+        </pre>
+
+        <a href="index.html">Core OS Index</a>
+        <p>This is part of the Tribu System Documentation.
+        Copyright (C) 2020
+        Tribu Team.
+        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
+        for copying conditions.</p>
+
+    </body>
+</html>