sysctl:harden_the_system_using_sysctl
Differences
This shows you the differences between two versions of the page.
| sysctl:harden_the_system_using_sysctl [2017/04/04 14:55] – created peter | sysctl:harden_the_system_using_sysctl [2019/12/04 21:46] (current) – removed peter | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Sysctl - Harden the system using sysctl ====== | ||
| - | Edit / | ||
| - | |||
| - | <file bash / | ||
| - | # Avoid a smurf attack | ||
| - | net.ipv4.icmp_echo_ignore_broadcasts = 1 | ||
| - | |||
| - | # Turn on protection for bad icmp error messages | ||
| - | net.ipv4.icmp_ignore_bogus_error_responses = 1 | ||
| - | |||
| - | # Turn on syncookies for SYN flood attack protection | ||
| - | net.ipv4.tcp_syncookies = 1 | ||
| - | |||
| - | # Turn on and log spoofed, source routed, and redirect packets | ||
| - | net.ipv4.conf.all.log_martians = 1 | ||
| - | net.ipv4.conf.default.log_martians = 1 | ||
| - | |||
| - | # No source routed packets here | ||
| - | net.ipv4.conf.all.accept_source_route = 0 | ||
| - | net.ipv4.conf.default.accept_source_route = 0 | ||
| - | |||
| - | # Turn on reverse path filtering | ||
| - | net.ipv4.conf.all.rp_filter = 1 | ||
| - | net.ipv4.conf.default.rp_filter = 1 | ||
| - | |||
| - | # Make sure no one can alter the routing tables | ||
| - | net.ipv4.conf.all.accept_redirects = 0 | ||
| - | net.ipv4.conf.default.accept_redirects = 0 | ||
| - | net.ipv4.conf.all.secure_redirects = 0 | ||
| - | net.ipv4.conf.default.secure_redirects = 0 | ||
| - | |||
| - | # Don't act as a router | ||
| - | net.ipv4.ip_forward = 0 | ||
| - | net.ipv4.conf.all.send_redirects = 0 | ||
| - | net.ipv4.conf.default.send_redirects = 0 | ||
| - | |||
| - | |||
| - | # Turn on execshild | ||
| - | kernel.exec-shield = 1 | ||
| - | kernel.randomize_va_space = 1 | ||
| - | |||
| - | # Tuen IPv6 | ||
| - | net.ipv6.conf.default.router_solicitations = 0 | ||
| - | net.ipv6.conf.default.accept_ra_rtr_pref = 0 | ||
| - | net.ipv6.conf.default.accept_ra_pinfo = 0 | ||
| - | net.ipv6.conf.default.accept_ra_defrtr = 0 | ||
| - | net.ipv6.conf.default.autoconf = 0 | ||
| - | net.ipv6.conf.default.dad_transmits = 0 | ||
| - | net.ipv6.conf.default.max_addresses = 1 | ||
| - | |||
| - | # Optimization for port usefor LBs | ||
| - | # Increase system file descriptor limit | ||
| - | fs.file-max = 65535 | ||
| - | |||
| - | # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 | ||
| - | kernel.pid_max = 65536 | ||
| - | |||
| - | # Increase system IP port limits | ||
| - | net.ipv4.ip_local_port_range = 2000 65000 | ||
| - | |||
| - | # Increase TCP max buffer size setable using setsockopt() | ||
| - | net.ipv4.tcp_rmem = 4096 87380 8388608 | ||
| - | net.ipv4.tcp_wmem = 4096 87380 8388608 | ||
| - | |||
| - | # Increase Linux auto tuning TCP buffer limits | ||
| - | # min, default, and max number of bytes to use | ||
| - | # set max to at least 4MB, or higher if you use very high BDP paths | ||
| - | # Tcp Windows etc | ||
| - | net.core.rmem_max = 8388608 | ||
| - | net.core.wmem_max = 8388608 | ||
| - | net.core.netdev_max_backlog = 5000 | ||
| - | net.ipv4.tcp_window_scaling = 1 | ||
| - | </ | ||
sysctl/harden_the_system_using_sysctl.1491317719.txt.gz · Last modified: 2020/07/15 09:30 (external edit)