Diffstat (limited to 'linux/conf/sysctl.conf')
-rw-r--r-- | linux/conf/sysctl.conf | 160 |
1 files changed, 160 insertions, 0 deletions
diff --git a/linux/conf/sysctl.conf b/linux/conf/sysctl.conf
new file mode 100644
index 0000000..7b14b46
--- /dev/null
+++ b/linux/conf/sysctl.conf
@@ -0,0 +1,160 @@
+#
+# /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
+#
+
+#KERN_EMERG "0" Emergency messages, system is about to crash or is unstable pr_emerg
+#KERN_ALERT "1" Something bad happened and action must be taken immediately pr_alert
+#KERN_CRIT "2" A critical condition occurred like a serious hardware/software failure pr_crit
+#KERN_ERR "3" An error condition, often used by drivers to indicate difficulties with the hardware pr_err
+#KERN_WARNING "4" A warning, meaning nothing serious by itself but might indicate problems pr_warning
+#KERN_NOTICE "5" Nothing serious, but notably nevertheless. Often used to report security events. pr_notice
+#KERN_INFO "6" Informational message e.g. startup information at driver initialization pr_info
+#KERN_DEBUG "7" Debug messages
+# current | default | minimum | boot-time-default
+kernel.printk = 7 1 1 4
+
+# set to 0 when profiling with apparmor
+kernel.printk_ratelimit=0
+
+kernel.randomize_va_space = 2
+
+# Shared Memory
+#kernel.shmmax = 500000000
+# Total allocated file handlers that can be allocated
+# fs.file-nr=
+vm.mmap_min_addr=65536
+
+# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
+kernel.pid_max = 65536
+
+#Yama LSM by default
+kernel.yama.ptrace_scope = 1
+
+#
+# Filesystem Protections
+#
+
+# Optimization for port usefor LBs
+# Increase system file descriptor limit
+fs.file-max = 65535
+
+# Hide symbol addresses in /proc/kallsyms
+kernel.kptr_restrict = 2
+
+#
+# Network Protections
+#
+
+net.core.bpf_jit_enable = 0
+# harden all code
+net.core.bpf_jit_harden = 2
+
+# disable tunnels by default user space create
+# them as needed
+net.core.fb_tunnels_only_for_init_net = 1
+
+# Increase Linux auto tuning TCP buffer limits
+# min, default, and max number of bytes to use
+# set max to at least 4MB, or higher if you use very high BDP paths
+# Tcp Windows etc
+net.core.rmem_max = 8388608
+net.core.wmem_max = 8388608
+net.core.netdev_max_backlog = 5000
+net.ipv4.tcp_window_scaling = 1
+
+#A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic.
+net.ipv4.tcp_sack = 0
+
+# Both ports linux-blob and linux-libre don't build with ipv6
+# Disable ipv6
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.default.disable_ipv6 = 1
+net.ipv6.conf.lo.disable_ipv6 = 1
+
+# Tuen IPv6
+net.ipv6.conf.default.router_solicitations = 0
+net.ipv6.conf.default.accept_ra_rtr_pref = 0
+net.ipv6.conf.default.accept_ra_pinfo = 0
+net.ipv6.conf.default.accept_ra_defrtr = 0
+net.ipv6.conf.default.autoconf = 0
+net.ipv6.conf.default.dad_transmits = 0
+net.ipv6.conf.default.max_addresses = 0
+
+# Avoid a smurf attack, ping scanning
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# Turn on protection for bad icmp error messages
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Turn on syncookies for SYN flood attack protection
+net.ipv4.tcp_syncookies = 1
+
+## protect against tcp time-wait assassination hazards
+## drop RST packets for sockets in the time-wait state
+## (not widely supported outside of linux, but conforms to RFC)
+net.ipv4.tcp_rfc1337 = 1
+
+## tcp timestamps
+## + protect against wrapping sequence numbers (at gigabit speeds)
+## + round trip time calculation implemented in TCP
+## - causes extra overhead and allows uptime detection by scanners like nmap
+## enable @ gigabit speeds
+net.ipv4.tcp_timestamps = 0
+#net.ipv4.tcp_timestamps = 1
+
+# Turn on and log spoofed, source routed, and redirect packets
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+## ignore echo broadcast requests to prevent being part of smurf attacks (default)
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+## sets the kernels reverse path filtering mechanism to value 1(on)
+## will do source validation of the packet's recieved from all the interfaces on the machine
+## protects from attackers that are using ip spoofing methods to do harm
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+#net.ipv6.conf.default.rp_filter = 1
+#net.ipv6.conf.all.rp_filter = 1
+
+
+# Make sure no one can alter the routing tables
+# Act as a router, necessary for Access Point
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+# No source routed packets here
+# Discard packets with source routes, ip spoofing
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+
+
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+
+net.ipv4.ip_forward = 0
+
+# Increase system IP port limits
+net.ipv4.ip_local_port_range = 2000 65000
+
+# Increase TCP max buffer size setable using setsockopt()
+net.ipv4.tcp_rmem = 4096 87380 8388608
+net.ipv4.tcp_wmem = 4096 87380 8388608
+
+# Disable proxy_arp
+net.ipv4.conf.default.proxy_arp = 0
+net.ipv4.conf.all.proxy_arp = 0
+
+# Disable bootp_relay
+net.ipv4.conf.default.bootp_relay = 0
+net.ipv4.conf.all.bootp_relay = 0
+
+# Decrease TCP fin timeout
+net.ipv4.tcp_fin_timeout = 30
+# Decrease TCP keep alive time
+net.ipv4.tcp_keepalive_time = 1800
+# Sen SynAck retries to 3
+net.ipv4.tcp_synack_retries = 3
+
+# End of file |
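Review bot: `fs.file-max = 65535` is commented as an increase, but on current kernels it is almost certainly a decrease — the kernel derives the default from installed RAM and it is normally in the hundreds of thousands or more — so this line turns the system-wide open-file cap into an easily reached exhaustion point for any local user or busy service; either drop the line or set it well above what the host's processes need, e.g. `fs.file-max = 2097152`, and fix the comment. Relatedly, `net.core.bpf_jit_harden = 2` has no effect while `net.core.bpf_jit_enable = 0`, and on kernels built with CONFIG_BPF_JIT_ALWAYS_ON the write of 0 is rejected at load time, so the intent should be stated and the knob that actually removes the unprivileged attack surface added: `kernel.unprivileged_bpf_disabled = 1`. `net.ipv4.icmp_echo_ignore_broadcasts = 1` appears twice in the hunk (once under "Avoid a smurf attack" and again under the `##` block); keep one. The SACK-panic rationale above `net.ipv4.tcp_sack = 0` describes an issue that was fixed in mainline and stable kernels in 2019, and disabling SACK costs throughput on lossy paths, so the line deserves a comment naming the kernel range this host runs or should be removed once the kernel is known to be patched.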