From 6c67f930189e84428fb973c56410881b34b8ef12 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Tue, 13 Sep 2016 00:01:40 +0100 Subject: added core/conf/sysctl.conf --- core/conf/sysctl.conf | 102 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 102 insertions(+) create mode 100644 core/conf/sysctl.conf (limited to 'core') diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf new file mode 100644 index 0000000..b74243b --- /dev/null +++ b/core/conf/sysctl.conf @@ -0,0 +1,102 @@ +# +# /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5) +# + +kernel.printk = 1 4 1 7 + +# Disable ipv6 +net.ipv6.conf.all.disable_ipv6 = 1 +net.ipv6.conf.default.disable_ipv6 = 1 +net.ipv6.conf.lo.disable_ipv6 = 1 + +# Tuen IPv6 +# net.ipv6.conf.default.router_solicitations = 0 +# net.ipv6.conf.default.accept_ra_rtr_pref = 0 +# net.ipv6.conf.default.accept_ra_pinfo = 0 +# net.ipv6.conf.default.accept_ra_defrtr = 0 +# net.ipv6.conf.default.autoconf = 0 +# net.ipv6.conf.default.dad_transmits = 0 +# net.ipv6.conf.default.max_addresses = 0 + +# Avoid a smurf attack +net.ipv4.icmp_echo_ignore_broadcasts = 1 + +# Turn on protection for bad icmp error messages +net.ipv4.icmp_ignore_bogus_error_responses = 1 + +# Turn on syncookies for SYN flood attack protection +net.ipv4.tcp_syncookies = 1 + +## protect against tcp time-wait assassination hazards +## drop RST packets for sockets in the time-wait state +## (not widely supported outside of linux, but conforms to RFC) +net.ipv4.tcp_rfc1337 = 1 + +## tcp timestamps +## + protect against wrapping sequence numbers (at gigabit speeds) +## + round trip time calculation implemented in TCP +## - causes extra overhead and allows uptime detection by scanners like nmap +## enable @ gigabit speeds +net.ipv4.tcp_timestamps = 0 +#net.ipv4.tcp_timestamps = 1 + +# Turn on and log spoofed, source routed, and redirect packets +net.ipv4.conf.all.log_martians = 1 +net.ipv4.conf.default.log_martians = 1 + +## ignore echo broadcast requests to prevent being part of smurf attacks (default) +net.ipv4.icmp_echo_ignore_broadcasts = 1 + +# No source routed packets here +net.ipv4.conf.all.accept_source_route = 0 +net.ipv4.conf.default.accept_source_route = 0 + +## sets the kernels reverse path filtering mechanism to value 1(on) +## will do source validation of the packet's recieved from all the interfaces on the machine +## protects from attackers that are using ip spoofing methods to do harm +net.ipv4.conf.all.rp_filter = 1 +net.ipv4.conf.default.rp_filter = 1 +net.ipv6.conf.default.rp_filter = 1 +net.ipv6.conf.all.rp_filter = 1 + +# Make sure no one can alter the routing tables +net.ipv4.conf.all.accept_redirects = 0 +net.ipv4.conf.default.accept_redirects = 0 +net.ipv4.conf.all.secure_redirects = 0 +net.ipv4.conf.default.secure_redirects = 0 + +# Act as a router, necessary for Access Point +net.ipv4.ip_forward = 1 +net.ipv4.conf.all.send_redirects = 1 +net.ipv4.conf.default.send_redirects = 1 + +kernel.shmmax = 500000000 +# Turn on execshild +kernel.exec-shield = 1 +kernel.randomize_va_space = 1 + +# Optimization for port usefor LBs +# Increase system file descriptor limit +fs.file-max = 65535 + +# Allow for more PIDs (to reduce rollover problems); may break some programs 32768 +kernel.pid_max = 65536 + +# Increase system IP port limits +net.ipv4.ip_local_port_range = 2000 65000 + +# Increase TCP max buffer size setable using setsockopt() +net.ipv4.tcp_rmem = 4096 87380 8388608 +net.ipv4.tcp_wmem = 4096 87380 8388608 + +# Increase Linux auto tuning TCP buffer limits +# min, default, and max number of bytes to use +# set max to at least 4MB, or higher if you use very high BDP paths +# Tcp Windows etc +net.core.rmem_max = 8388608 +net.core.wmem_max = 8388608 +net.core.netdev_max_backlog = 5000 +net.ipv4.tcp_window_scaling = 1 + +# End of file + -- cgit 1.4.1-2-gfad0