diff options
Diffstat (limited to 'core/sysctl.html')
| -rw-r--r-- | core/sysctl.html | 177 |
1 files changed, 0 insertions, 177 deletions
diff --git a/core/sysctl.html b/core/sysctl.html deleted file mode 100644 index 3b1d492..0000000 --- a/core/sysctl.html +++ /dev/null @@ -1,177 +0,0 @@ -<!DOCTYPE html> -<html dir="ltr" lang="en"> - <head> - <meta charset='utf-8'> - <title>2.6.2. Sysctl</title> - </head> - <body> - - <a href="index.html">Core OS Index</a> - - <h1 id="sysctl">2.6.2. Sysctl</h1> - - <p>Sysctl references - <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>, - <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>, - <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>.</p> - - <pre> - # - # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5) - # - - kernel.printk = 7 1 1 4 - - kernel.randomize_va_space = 2 - - # Shared Memory - #kernel.shmmax = 500000000 - # Total allocated file handlers that can be allocated - # fs.file-nr= - vm.mmap_min_addr=65536 - - # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 - kernel.pid_max = 65536 - - #Yama LSM by default - kernel.yama.ptrace_scope = 1 - - # - # Filesystem Protections - # - - # Optimization for port usefor LBs - # Increase system file descriptor limit - fs.file-max = 65535 - - # Hide symbol addresses in /proc/kallsyms - kernel.kptr_restrict = 2 - - # - # Network Protections - # - - net.core.bpf_jit_enable = 0 - - # Increase Linux auto tuning TCP buffer limits - # min, default, and max number of bytes to use - # set max to at least 4MB, or higher if you use very high BDP paths - # Tcp Windows etc - net.core.rmem_max = 8388608 - net.core.wmem_max = 8388608 - net.core.netdev_max_backlog = 5000 - net.ipv4.tcp_window_scaling = 1 - - #A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic. - net.ipv4.tcp_sack = 0 - - # Both ports linux-blob and linux-libre don't build with ipv6 - # Disable ipv6 - net.ipv6.conf.all.disable_ipv6 = 1 - net.ipv6.conf.default.disable_ipv6 = 1 - net.ipv6.conf.lo.disable_ipv6 = 1 - - # Tuen IPv6 - #net.ipv6.conf.default.router_solicitations = 0 - #net.ipv6.conf.default.accept_ra_rtr_pref = 0 - #net.ipv6.conf.default.accept_ra_pinfo = 0 - #net.ipv6.conf.default.accept_ra_defrtr = 0 - #net.ipv6.conf.default.autoconf = 0 - #net.ipv6.conf.default.dad_transmits = 0 - #net.ipv6.conf.default.max_addresses = 0 - - # Avoid a smurf attack, ping scanning - net.ipv4.icmp_echo_ignore_broadcasts = 1 - - # Turn on protection for bad icmp error messages - net.ipv4.icmp_ignore_bogus_error_responses = 1 - - # Turn on syncookies for SYN flood attack protection - net.ipv4.tcp_syncookies = 1 - - ## protect against tcp time-wait assassination hazards - ## drop RST packets for sockets in the time-wait state - ## (not widely supported outside of linux, but conforms to RFC) - net.ipv4.tcp_rfc1337 = 1 - - ## tcp timestamps - ## + protect against wrapping sequence numbers (at gigabit speeds) - ## + round trip time calculation implemented in TCP - ## - causes extra overhead and allows uptime detection by scanners like nmap - ## enable @ gigabit speeds - net.ipv4.tcp_timestamps = 0 - #net.ipv4.tcp_timestamps = 1 - - # Turn on and log spoofed, source routed, and redirect packets - net.ipv4.conf.all.log_martians = 1 - net.ipv4.conf.default.log_martians = 1 - - ## ignore echo broadcast requests to prevent being part of smurf attacks (default) - net.ipv4.icmp_echo_ignore_broadcasts = 1 - - ## sets the kernels reverse path filtering mechanism to value 1(on) - ## will do source validation of the packet's recieved from all the interfaces on the machine - ## protects from attackers that are using ip spoofing methods to do harm - net.ipv4.conf.all.rp_filter = 1 - net.ipv4.conf.default.rp_filter = 1 - #net.ipv6.conf.default.rp_filter = 1 - #net.ipv6.conf.all.rp_filter = 1 - - - # Make sure no one can alter the routing tables - # Act as a router, necessary for Access Point - net.ipv4.conf.all.accept_redirects = 0 - net.ipv4.conf.default.accept_redirects = 0 - net.ipv4.conf.all.secure_redirects = 0 - net.ipv4.conf.default.secure_redirects = 0 - # No source routed packets here - # Discard packets with source routes, ip spoofing - net.ipv4.conf.all.accept_source_route = 0 - net.ipv4.conf.default.accept_source_route = 0 - - - net.ipv4.conf.all.send_redirects = 0 - net.ipv4.conf.default.send_redirects = 0 - - net.ipv4.ip_forward = 0 - - # Increase system IP port limits - net.ipv4.ip_local_port_range = 2000 65000 - - # Increase TCP max buffer size setable using setsockopt() - net.ipv4.tcp_rmem = 4096 87380 8388608 - net.ipv4.tcp_wmem = 4096 87380 8388608 - - # Disable proxy_arp - net.ipv4.conf.default.proxy_arp = 0 - net.ipv4.conf.all.proxy_arp = 0 - - # Disable bootp_relay - net.ipv4.conf.default.bootp_relay = 0 - net.ipv4.conf.all.bootp_relay = 0 - - # Decrease TCP fin timeout - net.ipv4.tcp_fin_timeout = 30 - # Decrease TCP keep alive time - net.ipv4.tcp_keepalive_time = 1800 - # Sen SynAck retries to 3 - net.ipv4.tcp_synack_retries = 3 - - # End of file - </pre> - - <p>Reload sysctl settings;</p> - - <pre> - # sysctl --system - </pre> - - <a href="index.html">Core OS Index</a> - <p>This is part of the Tribu System Documentation. - Copyright (C) 2020 - Tribu Team. - See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> - for copying conditions.</p> - - </body> -</html> |