
etc_sysctl.conf

a guest
Nov 1st, 2011
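  1. #
  2. # Kernel sysctl configuration
  3. #
  4. # Host profile assumed by the comments below: an end host, not a router.
  5. # Only net.ipv4.* is covered; no net.ipv6.* key is set in this file.
  6. #
  7.  
  8. # Disable the magic-sysrq key (console security issues)
  9. kernel.sysrq = 0
  10.  
  11. ## disable IPv4 packet forwarding (not a router, disable it)
  12. ## keep this ahead of the net.ipv4.conf.* keys: the kernel documentation says a
  13. ## change to ip_forward resets other settings to their host/router defaults
  14. net.ipv4.ip_forward = 0
  15.  
  16. ## per-interface and multicast forwarding (not a router, disable it)
  17. ## NOTE(review): mc_forwarding is managed by the multicast routing code and is
  18. ## read-only on many kernels; sysctl then reports an error for those two lines
  19. ## and carries on - confirm on the target kernel
  20. net.ipv4.conf.all.mc_forwarding = 0
  21. net.ipv4.conf.default.mc_forwarding = 0
  22. net.ipv4.conf.all.forwarding = 0
  23. net.ipv4.conf.default.forwarding = 0
  24.  
  25. ## log martian packets (packets with impossible addresses) to the kernel log
  26. ## logging is on for an interface when either the all or the interface value is 1
  27. net.ipv4.conf.all.log_martians = 1
  28.  
  29. ## TCP SYN cookie protection
  30. ## helps protect against SYN flood attacks
  31. ## only kicks in when net.ipv4.tcp_max_syn_backlog is reached
  32. net.ipv4.tcp_syncookies = 1
  33.  
  34. # Block Ping Request
  35. # (ping-based monitoring and reachability checks will see this host as down)
  36. net.ipv4.icmp_echo_ignore_all = 1
  37.  
  38. ## protect against tcp time-wait assassination hazards
  39. ## drop RST packets for sockets in the time-wait state
  40. ## (not widely supported outside of linux, but conforms to RFC)
  41. net.ipv4.tcp_rfc1337 = 1
  42.  
  43. ## tcp timestamps
  44. ## + protect against wrapping sequence numbers (at gigabit speeds)
  45. ## + round trip time calculation implemented in TCP
  46. ## - causes extra overhead and allows uptime detection by scanners like nmap
  47. ## - while off, connections accepted through SYN cookies lose window scaling and
  48. ##   SACK, because the cookie carries those options in the timestamp field
  49. ## enable @ gigabit speeds
  50. net.ipv4.tcp_timestamps = 0
  51. #net.ipv4.tcp_timestamps = 1
  52.  
  53. ## source address verification (sanity checking)
  54. ## helps protect against spoofing attacks
  55. ## 1 = strict reverse-path check; the higher of the all and interface values applies
  56. net.ipv4.conf.all.rp_filter = 1
  57.  
  58. ## ignore echo broadcast requests to prevent being part of smurf attacks
  59. net.ipv4.icmp_echo_ignore_broadcasts = 1
  60.  
  61. ## ignore bogus icmp errors
  62. net.ipv4.icmp_ignore_bogus_error_responses = 1
  63.  
  64. ## IP source routing (insecure, disable it)
  65. net.ipv4.conf.all.accept_source_route = 0
  66.  
  67. ## send redirects (not a router, disable it)
  68. ## an interface sends redirects when either the all or its own value is 1, so the
  69. ## default template is cleared as well; interfaces that already exist keep their
  70. ## own value and need net.ipv4.conf.IFNAME.send_redirects = 0 (IFNAME = placeholder)
  71. net.ipv4.conf.all.send_redirects = 0
  72. net.ipv4.conf.default.send_redirects = 0
  73.  
  74. ## ICMP routing redirects (only secure)
  75. ## with forwarding off, an interface accepts redirects when either the all or its
  76. ## own accept_redirects is 1, so all = 0 by itself leaves them accepted wherever
  77. ## the interface value is still 1; secure_redirects then limits them to known
  78. ## gateways. To refuse redirects outright, also set the default and
  79. ## per-interface accept_redirects values to 0.
  80. net.ipv4.conf.all.accept_redirects = 0
  81. net.ipv4.conf.all.secure_redirects = 1
  82.  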