MertcanGokgoz

Tweaked sysctl.conf example

Dec 20th, 2018
  1. # fuck ip6
  2. net.ipv6.conf.all.disable_ipv6=1
  3. net.ipv6.conf.default.disable_ipv6=1
  4. net.ipv6.conf.lo.disable_ipv6=1
  5.  
  6. # syncookies are not useful nowadays and have privacy risks, so disable
  7. net.ipv4.tcp_syncookies=0
  8. net.ipv4.ip_local_port_range = 2000 65000
  9. kernel.domainname = 0x2e88ce4
  10.  
  11. # tighten up standards for when to dump or refuse to instantiate TCP sessions
  12. net.ipv4.tcp_sack=0
  13. net.ipv4.tcp_timestamps=1
  14. net.ipv4.tcp_synack_retries=2
  15. net.ipv4.tcp_syn_retries=2
  16. net.ipv4.tcp_window_scaling=0
  17. net.ipv4.tcp_fin_timeout=15
  18. net.ipv4.tcp_keepalive_time=42
  19. net.ipv4.tcp_max_tw_buckets=777
  20. net.ipv4.tcp_max_syn_backlog=666
  21.  
  22. # packet fragmentation constraints, pretty much super-paranoid settings
  23. net.ipv4.ipfrag_high_thresh=4194
  24. net.ipv4.ipfrag_low_thresh=3145
  25. net.ipv4.ipfrag_max_dist=24
  26. net.ipv4.ipfrag_secret_interval=99
  27. net.ipv4.ipfrag_time=30
  28.  
  29. # tighten up kernel-defined auto-tuning TCP buffer limits
  30. net.core.rmem_max=8388608
  31. net.core.wmem_max=8388608
  32. net.core.netdev_max_backlog=5000
  33.  
  34. # NIC bindings and other topopological hygeine
  35. net.ipv4.ip_no_pmtu_disc=0
  36. net.ipv4.ip_nonlocal_bind=0
  37. net.ipv4.ip_forward=0
  38. net.ipv4.ip_default_ttl=86
  39. net.ipv4.ip_dynaddr=0
  40. net.ipv4.ip_early_demux=1
  41. net.ipv4.ip_forward_use_pmtu=0
  42.  
  43. # not routing redirected ICMP packets, in or out
  44. net.ipv4.conf.all.accept_redirects=0
  45. net.ipv4.conf.default.accept_redirects=0
  46. net.ipv4.conf.lo.accept_redirects=0
  47. net.ipv4.conf.default.send_redirects=0
  48. net.ipv4.conf.all.send_redirects=0
  49. net.ipv4.conf.lo.send_redirects=0
  50.  
  51. # Do not accept packets using ‘source route’ function to convince usthey’re legit, ‘cause prolly not
  52. net.ipv4.conf.all.accept_source_route=0
  53. net.ipv4.conf.default.accept_source_route=0
  54. net.ipv4.conf.lo.accept_source_route=0
  55.  
  56. # spoof protection heuristic, viz. ‘validation by reversed path’ (as specified in RFC1812)
  57. net.ipv4.conf.default.rp_filter=1
  58. net.ipv4.conf.all.rp_filter=1
  59. net.ipv4.conf.lo.rp_filter=1
  60.  
  61. # esoteric metaparameters
  62. kernel.sysrq=0
  63. net.ipv4.fwmark_reflect=0
  64. kernel.randomize_va_space=1
  65. net.ipv4.igmp_max_memberships=13
  66. net.ipv4.igmp_max_msf=10
  67.  
  68. # kernel packet logging mechanics
  69. kernel.core_uses_pid=1
  70. net.ipv4.icmp_ignore_bogus_error_responses=1
  71. net.ipv4.conf.default.log_martians=1
  72. net.ipv4.conf.all.log_martians=1
  73. net.ipv4.conf.lo.log_martians=1
  74.  
  75. # not interested in replying to pings... pretty much ever
  76. net.ipv4.icmp_echo_ignore_all=1
  77. net.ipv4.icmp_ratelimit=42
  78. net.ipv4.icmp_ratemask=68
  79. net.ipv4.icmp_echo_ignore_broadcasts=1
  80. net.ipv4.icmp_errors_use_inbound_ifaddr=1
  81.  
  82. # still fine-tuning these, tbh
  83. net.ipv4.inet_peer_maxttl=300
  84. net.ipv4.inet_peer_minttl=120
  85. net.ipv4.inet_peer_threshold=6566
  86. net.ipv4.conf.all.igmpv2_unsolicited_report_interval=10000
  87. net.ipv4.conf.all.igmpv3_unsolicited_report_interval=1000
  88. net.ipv4.conf.all.medium_id=0
  89. net.ipv4.conf.all.promote_secondaries=0
  90.  
  91. # ARP-y paranoia on the LAN
  92. net.ipv4.conf.all.accept_local=0
  93. net.ipv4.conf.all.route_localnet=0
  94. net.ipv4.conf.all.src_valid_mark=0
  95. net.ipv4.conf.all.arp_accept=0
  96. net.ipv4.conf.all.arp_announce=0
  97. net.ipv4.conf.all.arp_ignore=0
  98. net.ipv4.conf.all.arp_notify=0
  99. net.ipv4.conf.all.bootp_relay=0
  100. net.ipv4.conf.all.disable_policy=0
  101. net.ipv4.conf.all.disable_xfrm=1
  102.  
  103. # some kernel-hardening stuff,
  104. net.ipv4.conf.all.proxy_arp_pvlan=0
  105. net.ipv4.conf.default.proxy_arp_pvlan=0
  106. net.ipv4.conf.all.proxy_arp=0
  107. net.ipv4.conf.default.proxy_arp=0
  108. net.ipv4.conf.all.arp_filter=1
  109. net.ipv4.conf.default.arp_filter=1
  110. net.ipv4.conf.all.shared_media=0
  111. net.ipv4.conf.default.shared_media=0