Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #
- # /etc/sysctl.conf - Configuration file for setting system variables
- # See /etc/sysctl.d/ for additional system variables.
- # See sysctl.conf (5) for information.
- #
- #kernel.domainname = example.com
- # Uncomment the following to stop low-level messages on console
- #kernel.printk = 3 4 1 3
- ##############################################################3
- # Functions previously found in netbase
- #
- # Uncomment the next two lines to enable Spoof protection (reverse-path filter)
- # Turn on Source Address Verification in all interfaces to
- # prevent some spoofing attacks
- #net.ipv4.conf.default.rp_filter=1
- #net.ipv4.conf.all.rp_filter=1
- # Uncomment the next line to enable TCP/IP SYN cookies
- # See http://lwn.net/Articles/277146/
- # Note: This may impact IPv6 TCP sessions too
- #net.ipv4.tcp_syncookies=1
- # Uncomment the next line to enable packet forwarding for IPv4
- #net.ipv4.ip_forward=1
- # Uncomment the next line to enable packet forwarding for IPv6
- # Enabling this option disables Stateless Address Autoconfiguration
- # based on Router Advertisements for this host
- #net.ipv6.conf.all.forwarding=1
- ###################################################################
- # Additional settings - these settings can improve the network
- # security of the host and prevent against some network attacks
- # including spoofing attacks and man in the middle attacks through
- # redirection. Some network environments, however, require that these
- # settings are disabled so review and enable them as needed.
- #
- # Do not accept ICMP redirects (prevent MITM attacks)
- #net.ipv4.conf.all.accept_redirects = 0
- #net.ipv6.conf.all.accept_redirects = 0
- # _or_
- # Accept ICMP redirects only for gateways listed in our default
- # gateway list (enabled by default)
- # net.ipv4.conf.all.secure_redirects = 1
- #
- # Do not send ICMP redirects (we are not a router)
- #net.ipv4.conf.all.send_redirects = 0
- #
- # Do not accept IP source route packets (we are not a router)
- #net.ipv4.conf.all.accept_source_route = 0
- #net.ipv6.conf.all.accept_source_route = 0
- #
- # Log Martian Packets
- #net.ipv4.conf.all.log_martians = 1
- #
- ## added by samiux for performance and security
- # performance tuning
- kernel.sem = 250 32000 100 128
- kernel.shmall = 2097152
- kernel.shmmax = 2147483648
- kernel.shmmni = 4096
- # If you have more than 512MB RAM, use this setting unless comment it out
- fs.file-max = 262140
- # If you have 512MB RAM or less, uncomment this setting; otherwise, comment it out
- #fs.file-max = 65535
- vm.swappiness = 1
- vm.vfs_cache_pressure = 50
- vm.min_free_kbytes = 65536
- net.core.rmem_default = 33554432
- net.core.rmem_max = 33554432
- net.core.wmem_default = 33554432
- net.core.wmem_max = 33554432
- net.ipv4.tcp_rmem = 10240 87380 33554432
- net.ipv4.tcp_wmem = 10240 87380 33554432
- net.ipv4.tcp_no_metrics_save = 1
- net.ipv4.tcp_window_scaling = 1
- net.ipv4.ip_local_port_range = 1024 65535
- net.ipv4.tcp_max_tw_buckets = 360000
- net.ipv4.tcp_max_orphans = 3276800
- net.ipv4.tcp_tw_reuse = 1
- net.ipv4.tcp_tw_recycle = 1
- net.ipv4.tcp_syn_retries = 2
- net.ipv4.tcp_synack_retries = 2
- net.core.somaxconn = 32768
- net.core.netdev_max_backlog = 32768
- net.ipv4.tcp_max_syn_backlog = 65536
- net.ipv4.tcp_mem = 94500000 915000000 927000000
- # security setting
- ## protect against tcp time-wait assassination hazards
- ## drop RST packets for sockets in the time-wait state
- ## (not widely supported outside of linux, but conforms to RFC)
- net.ipv4.tcp_rfc1337 = 1
- ## tcp timestamps
- ## + protect against wrapping sequence numbers (at gigabit speeds)
- ## + round trip time calculation implemented in TCP
- ## - causes extra overhead and allows uptime detection by scanners like nmap
- ## enable @ gigabit speeds
- net.ipv4.tcp_timestamps = 0
- net.ipv4.tcp_fin_timeout = 15
- net.ipv4.tcp_orphan_retries = 2
- net.ipv4.conf.all.accept_redirects = 0
- ## send redirects (not a router, disable it)
- net.ipv4.conf.all.send_redirects = 0
- ## ICMP routing redirects (only secure)
- net.ipv4.conf.default.accept_redirects = 0
- net.ipv4.conf.all.secure_redirects = 0
- net.ipv4.conf.default.secure_redirects = 0
- net.ipv6.conf.default.accept_redirects = 0
- net.ipv6.conf.all.secure_redirects = 0
- net.ipv6.conf.default.secure_redirects = 0
- ## log martian packets
- net.ipv4.conf.all.log_martians = 1
- net.ipv4.conf.default.log_martians = 1
- net.ipv4.conf.all.accept_source_route = 0
- net.ipv4.conf.default.accept_source_route = 0
- ## sets the kernels reverse path filtering mechanism to value 1(on)
- ## will do source validation of the packet's recieved from all the interfaces on the machine
- ## protects from attackers that are using ip spoofing methods to do harm
- net.ipv4.conf.all.rp_filter = 1
- net.ipv6.conf.all.rp_filter = 1
- net.ipv4.conf.default.rp_filter = 1
- ## TCP SYN cookie protection (default)
- ## helps protect against SYN flood attacks
- ## only kicks in when net.ipv4.tcp_max_syn_backlog is reached
- net.ipv4.tcp_syncookies = 1
- ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
- net.ipv4.icmp_echo_ignore_broadcasts = 1
- ## ignore bogus icmp errors (default)
- net.ipv4.icmp_ignore_bogus_error_responses = 1
- # network traffic congestion control
- net.ipv4.tcp_congestion_control=htcp
- # I/O tuning
- #vm.dirty_background_ratio = 0
- vm.dirty_background_ratio = 2
- vm.dirty_background_bytes = 209715200
- vm.dirty_ratio = 40
- vm.dirty_bytes = 209715200
- vm.dirty_writeback_centisecs = 100
- vm.dirty_expire_centisecs = 200
- # Buffer Overflow Protection in Ubuntu only
- # Enable "No Execute (NX)" or "Execute Disable (XD)" in BIOS/UEFI
- # Then run : sudo dmesg | grep --color '[NX|XD]*protection'
- # If you see "NX (Execute Disable) protection: active" or similar, your
- # kernel is protected from Buffer Overflow.
- # Buffer Overflow Protection in RedHat/CentOS/Fedora only
- #kernel.exec-shield = 1
- # Enable ASLR
- # 0 - Do not randomize stack and vdso page.
- # 1 - Turn on protection and randomize stack, vdso page and mmap.
- # 2 - Turn on protection and randomize stack, vdso page and mmap +
- # randomize brk base address.
- kernel.randomize_va_space = 2
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement