
/etc/sysctl.conf

tamanmerah Feb 4th, 2019 (edited) 138 Never
# Kernel sysctl configuration file for Linux
# Version 1.13 - 2019-3-2
# Day Milovich,,
# credit mentioned below, not by me : )
# nano /etc/sysctl.conf
# edit save exit
# then activate with:
# sysctl -e -p /etc/sysctl.conf
# (-p loads the file, applying keys in file order; -e silences errors for
#  keys the running kernel does not have, e.g. tcp_tw_recycle below)
#
# uname -a
# Linux kali 4.18.0-kali2-amd64 #1 SMP Debian 4.18.10-2kali1 (2018-10-09) x86_64 GNU/Linux
# ----------
# Credits:
# http://www.enigma.id.au/linux_tuning.txt
# http://www.securityfocus.com/infocus/1729
# http://fasterdata.es.net/TCP-tuning/linux.html
# http://fedorahosted.org/ktune/browser/sysctl.ktune
# http://www.cymru.com/Documents/ip-stack-tuning.html
# http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
# http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html
# http://knol.google.com/k/linux-performance-tuning-and-measurement
# http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/
# http://www.redbooks.ibm.com/abstracts/REDP4285.html
# http://www.speedguide.net/read_articles.php?id=121
# http://lartc.org/howto/lartc.kernel.obscure.html
# http://en.wikipedia.org/wiki/Sysctl
#
# Format: sysctl(8) "key = value", one per line; '#' starts a full-line
# comment. Lines are applied top to bottom, so net.ipv4.route.flush stays last.
# conf.all.* affects existing interfaces, conf.default.* the ones created later.

# network security section
# no syn attack, enable syncookies
# SYN cookies are only sent once the backlog (tcp_max_syn_backlog) overflows;
# tcp_syn_retries bounds outbound connect attempts, tcp_synack_retries bounds
# how long half-open inbound connections are kept before being dropped.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 1024
# no packet forwarding
# this is a host, not a router: IPv4 and IPv6 forwarding are both switched off
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
# no ip source routing
# send_redirects = 0: this host never emits ICMP redirects (only routers should);
# accept_source_route = 0: packets carrying a source-route option are dropped
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# ip spoofing protection and source route verification
# rp_filter = 1 is strict reverse-path filtering: a packet is dropped unless the
# route back to its source leaves via the interface it arrived on. Hosts with
# asymmetric routing may lose legitimate traffic; 2 (loose mode) is the
# fallback. The kernel uses the larger of the all/ and per-interface values.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# no icmp redir acceptance
# ICMP redirects could otherwise rewrite this host's routes; secure_redirects
# only restricts them to known gateways, so both switches are turned off
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# enable log spoofed packets, source routed packets, redirect packets
# log_martians writes a (rate-limited) kernel log line for each packet dropped
# by the checks above; useful for detection, but noisy on untidy networks
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# decrease the time
# seconds: shorter FIN-WAIT-2 timeout and more frequent keepalive probes so a
# dead peer is noticed (300 + 5 * 15 s) and its socket freed sooner
net.ipv4.tcp_fin_timeout = 7
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
# no relay bootp
net.ipv4.conf.all.bootp_relay = 0
# no proxy arp
net.ipv4.conf.all.proxy_arp = 0
# you can not ping me
# icmp_echo_ignore_all drops every ICMP echo request; monitoring and
# troubleshooting that rely on ping will report this host as down
net.ipv4.icmp_echo_ignore_all = 1
# Enable ignoring broadcasts request
# net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
# net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
# net.ipv4.tcp_rfc1337 = 1
# NOTE: the three keys above are commented out and therefore not applied.
# icmp_echo_ignore_broadcasts and icmp_ignore_bogus_error_responses already
# default to 1 on current kernels; tcp_rfc1337 defaults to 0 and so stays off
# unless its line is uncommented.
# Do not auto-configure IPv6
# (also commented out: SLAAC and router advertisements remain enabled; the
#  eth0 lines only apply if an interface of that name exists)
# net.ipv6.conf.all.autoconf=0
# net.ipv6.conf.all.accept_ra=0
# net.ipv6.conf.default.autoconf=0
# net.ipv6.conf.default.accept_ra=0
# net.ipv6.conf.eth0.autoconf=0
# net.ipv6.conf.eth0.accept_ra=0
### TUNING NETWORK PERFORMANCE ###
# For high-bandwidth low-latency networks, use 'htcp' congestion control
# Do a 'modprobe tcp_htcp' first
# (if the algorithm is unavailable the write fails and the previous one stays)
net.ipv4.tcp_congestion_control = htcp
# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
net.core.default_qdisc = fq
# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1
# Increase the read-buffer space allocatable
# tcp_rmem/tcp_wmem are "min default max" in bytes and drive autotuning;
# net.core.rmem_max/wmem_max cap what an application may request with
# SO_RCVBUF/SO_SNDBUF (which disables autotuning for that socket)
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 262144
net.core.rmem_max = 16777216
# Increase the write-buffer-space allocatable
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 262144
net.core.wmem_max = 16777216
# Increase number of incoming connections
# somaxconn caps the backlog an application may pass to listen(2)
net.core.somaxconn = 32768
# Increase number of incoming connections backlog
# packets queued per CPU between the NIC and the stack; dev_weight = 64 is the
# kernel default (packets processed per NAPI poll)
net.core.netdev_max_backlog = 16384
net.core.dev_weight = 64
# Increase the maximum amount of option memory buffers
net.core.optmem_max = 65535
# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
# above this count TIME-WAIT sockets are destroyed immediately and a warning logged
net.ipv4.tcp_max_tw_buckets = 1440000
# try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
# tcp_tw_recycle was removed in Linux 4.12, so on the 4.18 kernel named above
# the key does not exist and 'sysctl -e' skips it; the line is harmless but dead
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
# tcp_orphan_retries = 0 is treated by the kernel as "use the default (8)",
# not as zero retries — confirm against ip-sysctl.txt for the running kernel
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_orphan_retries = 0
# Limit the maximum memory used to reassemble IP fragments (CVE-2018-5391)
# low/high thresholds in bytes; this only bounds reassembly memory as a
# workaround, a kernel carrying the fix for CVE-2018-5391 is the real remedy
net.ipv4.ipfrag_low_thresh = 196608
net.ipv6.ip6frag_low_thresh = 196608
net.ipv4.ipfrag_high_thresh = 262144
net.ipv6.ip6frag_high_thresh = 262144
# don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
# Increase size of RPC datagram queue length
# (max_dgram_qlen is the per-socket datagram queue for Unix-domain sockets
#  in general, not only RPC)
net.unix.max_dgram_qlen = 50
# Don't allow the arp table to become bigger than this
net.ipv4.neigh.default.gc_thresh3 = 2048
# Tell the gc when to become aggressive with arp table cleaning.
# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
net.ipv4.neigh.default.gc_thresh2 = 1024
# Adjust where the gc will leave arp table alone - set to 32.
net.ipv4.neigh.default.gc_thresh1 = 32
# Adjust to arp table gc to clean-up more often
# seconds
net.ipv4.neigh.default.gc_interval = 30
# Increase TCP queue length
# (these are neighbour/ARP queues, not TCP: proxy_qlen is the proxy-ARP queue,
#  unres_qlen the packets held per still-unresolved neighbour)
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6
# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
# tcp_ecn = 1 negotiates ECN on outbound connections as well as accepting it
# on inbound ones (the kernel default 2 is inbound-only)
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_reordering = 3
# How many times to retry killing an alive TCP connection
# retries2 = 15 and retries1 = 3 are the kernel defaults; retries2 sets how
# long an established connection with a silent peer survives before it is dropped
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3
# Avoid falling back to slow start after a connection goes idle
# keeps our cwnd large with the keep alive connections (kernel > 3.6)
net.ipv4.tcp_slow_start_after_idle = 0
# Allow the TCP fastopen flag to be used, beware some firewalls do not like TFO! (kernel > 3.7)
# 3 = client and server side. With server-side TFO, data carried in the SYN is
# handed to the application before the three-way handshake completes, so the
# request's source is vouched for only by the TFO cookie; weigh this for
# services exposed to untrusted clients
net.ipv4.tcp_fastopen = 3
# This will ensure that immediatly subsequent connections use the new values
# must remain the last ipv4 line so the flush happens after the values above are set
net.ipv4.route.flush = 1
# net.ipv6.route.flush = 1
### Comments/suggestions/additions are welcome!