#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#
# NOTE: the commented-out distribution defaults in this first part are kept
# for reference only; the values that are actually applied are set
# explicitly further down in this file.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
# (console_loglevel default_message_loglevel minimum_console_loglevel default_console_loglevel)
#kernel.printk = 3 4 1 3

###################################################################
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
  62. ## added by samiux for performance and security
  63.  
  64. # performance tuning
  65. kernel.sem = 250 32000 100 128
  66. kernel.shmall = 2097152
  67. kernel.shmmax = 2147483648
  68. kernel.shmmni = 4096
  69. # If you have more than 512MB RAM, use this setting unless comment it out
  70. fs.file-max = 262140
  71. # If you have 512MB RAM or less, uncomment this setting; otherwise, comment it out
  72. #fs.file-max = 65535
  73. vm.swappiness = 1
  74. vm.vfs_cache_pressure = 50
  75. vm.min_free_kbytes = 65536
  76.  
  77. net.core.rmem_default = 33554432
  78. net.core.rmem_max = 33554432
  79. net.core.wmem_default = 33554432
  80. net.core.wmem_max = 33554432
  81. net.ipv4.tcp_rmem = 10240 87380 33554432
  82. net.ipv4.tcp_wmem = 10240 87380 33554432
  83. net.ipv4.tcp_no_metrics_save = 1
  84. net.ipv4.tcp_window_scaling = 1
  85. net.ipv4.ip_local_port_range = 1024 65535
  86. net.ipv4.tcp_max_tw_buckets = 360000
  87.  
  88. net.ipv4.tcp_max_orphans = 3276800
  89. net.ipv4.tcp_tw_reuse = 1
  90. net.ipv4.tcp_tw_recycle = 1
  91. net.ipv4.tcp_syn_retries = 2
  92. net.ipv4.tcp_synack_retries = 2
  93. net.core.somaxconn = 32768
  94. net.core.netdev_max_backlog = 32768
  95. net.ipv4.tcp_max_syn_backlog = 65536
  96. net.ipv4.tcp_mem = 94500000 915000000 927000000
  97.  
  98. # security setting
  99.  
  100. ## protect against tcp time-wait assassination hazards
  101. ## drop RST packets for sockets in the time-wait state
  102. ## (not widely supported outside of linux, but conforms to RFC)
  103. net.ipv4.tcp_rfc1337 = 1
  104.  
  105. ## tcp timestamps
  106. ## + protect against wrapping sequence numbers (at gigabit speeds)
  107. ## + round trip time calculation implemented in TCP
  108. ## - causes extra overhead and allows uptime detection by scanners like nmap
  109. ## enable @ gigabit speeds
  110. net.ipv4.tcp_timestamps = 0
  111.  
  112. net.ipv4.tcp_fin_timeout = 15
  113. net.ipv4.tcp_orphan_retries = 2
  114. net.ipv4.conf.all.accept_redirects = 0
  115.  
  116. ## send redirects (not a router, disable it)
  117. net.ipv4.conf.all.send_redirects = 0
  118.  
  119. ## ICMP routing redirects (only secure)
  120. net.ipv4.conf.default.accept_redirects = 0
  121. net.ipv4.conf.all.secure_redirects = 0
  122. net.ipv4.conf.default.secure_redirects = 0
  123. net.ipv6.conf.default.accept_redirects = 0
  124. net.ipv6.conf.all.secure_redirects = 0
  125. net.ipv6.conf.default.secure_redirects = 0
  126.  
  127. ## log martian packets
  128. net.ipv4.conf.all.log_martians = 1
  129. net.ipv4.conf.default.log_martians = 1
  130.  
  131. net.ipv4.conf.all.accept_source_route = 0
  132. net.ipv4.conf.default.accept_source_route = 0
  133.  
  134. ## sets the kernels reverse path filtering mechanism to value 1(on)
  135. ## will do source validation of the packet's recieved from all the interfaces on the machine
  136. ## protects from attackers that are using ip spoofing methods to do harm
  137. net.ipv4.conf.all.rp_filter = 1
  138. net.ipv6.conf.all.rp_filter = 1
  139.  
  140. net.ipv4.conf.default.rp_filter = 1
  141.  
  142. ## TCP SYN cookie protection (default)
  143. ## helps protect against SYN flood attacks
  144. ## only kicks in when net.ipv4.tcp_max_syn_backlog is reached
  145. net.ipv4.tcp_syncookies = 1
  146.  
  147. ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
  148. net.ipv4.icmp_echo_ignore_broadcasts = 1
  149.  
  150. ## ignore bogus icmp errors (default)
  151. net.ipv4.icmp_ignore_bogus_error_responses = 1
  152.  
  153. # network traffic congestion control
  154. net.ipv4.tcp_congestion_control=htcp
  155.  
  156. # I/O tuning
  157. #vm.dirty_background_ratio = 0
  158. vm.dirty_background_ratio = 2
  159. vm.dirty_background_bytes = 209715200
  160. vm.dirty_ratio = 40
  161. vm.dirty_bytes = 209715200
  162. vm.dirty_writeback_centisecs = 100
  163. vm.dirty_expire_centisecs = 200
  164.  
  165. # Buffer Overflow Protection in Ubuntu only
  166. # Enable "No Execute (NX)" or "Execute Disable (XD)" in BIOS/UEFI
  167. # Then run : sudo dmesg | grep --color '[NX|XD]*protection'
  168. # If you see "NX (Execute Disable) protection: active" or similar, your
  169. # kernel is protected from Buffer Overflow.
  170.  
  171. # Buffer Overflow Protection in RedHat/CentOS/Fedora only
  172. #kernel.exec-shield = 1
  173.  
  174. # Enable ASLR
  175. # 0 - Do not randomize stack and vdso page.
  176. # 1 - Turn on protection and randomize stack, vdso page and mmap.
  177. # 2 - Turn on protection and randomize stack, vdso page and mmap +
  178. # randomize brk base address.
  179. kernel.randomize_va_space = 2