Sysctl references Arch TCP/IP stack hardening, Cyberciti Nginx Hardning, Cyberciti Security Hardening.
# # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5) # kernel.printk = 7 1 1 4 kernel.randomize_va_space = 2 # Shared Memory #kernel.shmmax = 500000000 # Total allocated file handlers that can be allocated # fs.file-nr= vm.mmap_min_addr=65536 # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 kernel.pid_max = 65536 # # Filesystem Protections # # Optimization for port usefor LBs # Increase system file descriptor limit fs.file-max = 65535 # Hide symbol addresses in /proc/kallsyms kernel.kptr_restrict = 2 # # Network Protections # # Increase Linux auto tuning TCP buffer limits # min, default, and max number of bytes to use # set max to at least 4MB, or higher if you use very high BDP paths # Tcp Windows etc net.core.rmem_max = 8388608 net.core.wmem_max = 8388608 net.core.netdev_max_backlog = 5000 net.ipv4.tcp_window_scaling = 1 # Both ports linux-blob and linux-libre don't build with ipv6 # Disable ipv6 net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 # Tuen IPv6 #net.ipv6.conf.default.router_solicitations = 0 #net.ipv6.conf.default.accept_ra_rtr_pref = 0 #net.ipv6.conf.default.accept_ra_pinfo = 0 #net.ipv6.conf.default.accept_ra_defrtr = 0 #net.ipv6.conf.default.autoconf = 0 #net.ipv6.conf.default.dad_transmits = 0 #net.ipv6.conf.default.max_addresses = 0 # Avoid a smurf attack, ping scanning net.ipv4.icmp_echo_ignore_broadcasts = 1 # Turn on protection for bad icmp error messages net.ipv4.icmp_ignore_bogus_error_responses = 1 # Turn on syncookies for SYN flood attack protection net.ipv4.tcp_syncookies = 1 ## protect against tcp time-wait assassination hazards ## drop RST packets for sockets in the time-wait state ## (not widely supported outside of linux, but conforms to RFC) net.ipv4.tcp_rfc1337 = 1 ## tcp timestamps ## + protect against wrapping sequence numbers (at gigabit speeds) ## + round trip time calculation implemented in TCP ## - causes extra overhead and allows uptime detection by scanners like nmap ## enable @ gigabit speeds net.ipv4.tcp_timestamps = 0 #net.ipv4.tcp_timestamps = 1 # Turn on and log spoofed, source routed, and redirect packets net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 ## ignore echo broadcast requests to prevent being part of smurf attacks (default) net.ipv4.icmp_echo_ignore_broadcasts = 1 ## sets the kernels reverse path filtering mechanism to value 1(on) ## will do source validation of the packet's recieved from all the interfaces on the machine ## protects from attackers that are using ip spoofing methods to do harm net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 #net.ipv6.conf.default.rp_filter = 1 #net.ipv6.conf.all.rp_filter = 1 # Make sure no one can alter the routing tables # Act as a router, necessary for Access Point net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 # No source routed packets here # Discard packets with source routes, ip spoofing net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.ip_forward = 0 # Increase system IP port limits net.ipv4.ip_local_port_range = 2000 65000 # Increase TCP max buffer size setable using setsockopt() net.ipv4.tcp_rmem = 4096 87380 8388608 net.ipv4.tcp_wmem = 4096 87380 8388608 # Disable proxy_arp net.ipv4.conf.default.proxy_arp = 0 net.ipv4.conf.all.proxy_arp = 0 # Disable bootp_relay net.ipv4.conf.default.bootp_relay = 0 net.ipv4.conf.all.bootp_relay = 0 # Decrease TCP fin timeout net.ipv4.tcp_fin_timeout = 30 # Decrease TCP keep alive time net.ipv4.tcp_keepalive_time = 1800 # Sen SynAck retries to 3 net.ipv4.tcp_synack_retries = 3 # End of file
Reload sysctl settings;
# sysctl --systemCore OS Index
This is part of the Hive System Documentation. Copyright (C) 2019 Hive Team. See the file Gnu Free Documentation License for copying conditions.