GNU/Linux Index

2.6.2. Sysctl

Sysctl references Arch TCP/IP stack hardening, Cyberciti Nginx Hardning, Cyberciti Security Hardening.

        #
        # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
        #

        kernel.printk = 7 1 1 4

        kernel.randomize_va_space = 2

        # Shared Memory
        #kernel.shmmax = 500000000
        # Total allocated file handlers that can be allocated
        # fs.file-nr=
        vm.mmap_min_addr=65536

        # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
        kernel.pid_max = 65536

        #Yama LSM by default
        kernel.yama.ptrace_scope = 1

        #
        # Filesystem Protections
        #

        # Optimization for port usefor LBs
        # Increase system file descriptor limit
        fs.file-max = 65535

        # Hide symbol addresses in /proc/kallsyms
        kernel.kptr_restrict = 2

        #
        # Network Protections
        #

        net.core.bpf_jit_enable = 0

        # Increase Linux auto tuning TCP buffer limits
        # min, default, and max number of bytes to use
        # set max to at least 4MB, or higher if you use very high BDP paths
        # Tcp Windows etc
        net.core.rmem_max = 8388608
        net.core.wmem_max = 8388608
        net.core.netdev_max_backlog = 5000
        net.ipv4.tcp_window_scaling = 1

        #A sequence of SACKs may be crafted such that one can trigger an integer overflow, leading to a kernel panic.
        net.ipv4.tcp_sack = 0

        # Both ports linux-blob and linux-libre don't build with ipv6
        # Disable ipv6
        net.ipv6.conf.all.disable_ipv6 = 1
        net.ipv6.conf.default.disable_ipv6 = 1
        net.ipv6.conf.lo.disable_ipv6 = 1

        # Tuen IPv6
        #net.ipv6.conf.default.router_solicitations = 0
        #net.ipv6.conf.default.accept_ra_rtr_pref = 0
        #net.ipv6.conf.default.accept_ra_pinfo = 0
        #net.ipv6.conf.default.accept_ra_defrtr = 0
        #net.ipv6.conf.default.autoconf = 0
        #net.ipv6.conf.default.dad_transmits = 0
        #net.ipv6.conf.default.max_addresses = 0

        # Avoid a smurf attack, ping scanning
        net.ipv4.icmp_echo_ignore_broadcasts = 1

        # Turn on protection for bad icmp error messages
        net.ipv4.icmp_ignore_bogus_error_responses = 1

        # Turn on syncookies for SYN flood attack protection
        net.ipv4.tcp_syncookies = 1

        ## protect against tcp time-wait assassination hazards
        ## drop RST packets for sockets in the time-wait state
        ## (not widely supported outside of linux, but conforms to RFC)
        net.ipv4.tcp_rfc1337 = 1

        ## tcp timestamps
        ## + protect against wrapping sequence numbers (at gigabit speeds)
        ## + round trip time calculation implemented in TCP
        ## - causes extra overhead and allows uptime detection by scanners like nmap
        ## enable @ gigabit speeds
        net.ipv4.tcp_timestamps = 0
        #net.ipv4.tcp_timestamps = 1

        # Turn on and log spoofed, source routed, and redirect packets
        net.ipv4.conf.all.log_martians = 1
        net.ipv4.conf.default.log_martians = 1

        ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
        net.ipv4.icmp_echo_ignore_broadcasts = 1

        ## sets the kernels reverse path filtering mechanism to value 1(on)
        ## will do source validation of the packet's recieved from all the interfaces on the machine
        ## protects from attackers that are using ip spoofing methods to do harm
        net.ipv4.conf.all.rp_filter = 1
        net.ipv4.conf.default.rp_filter = 1
        #net.ipv6.conf.default.rp_filter = 1
        #net.ipv6.conf.all.rp_filter = 1


        # Make sure no one can alter the routing tables
        # Act as a router, necessary for Access Point
        net.ipv4.conf.all.accept_redirects = 0
        net.ipv4.conf.default.accept_redirects = 0
        net.ipv4.conf.all.secure_redirects = 0
        net.ipv4.conf.default.secure_redirects = 0
        # No source routed packets here
        # Discard packets with source routes, ip spoofing
        net.ipv4.conf.all.accept_source_route = 0
        net.ipv4.conf.default.accept_source_route = 0


        net.ipv4.conf.all.send_redirects = 0
        net.ipv4.conf.default.send_redirects = 0

        net.ipv4.ip_forward = 0

        # Increase system IP port limits
        net.ipv4.ip_local_port_range = 2000 65000

        # Increase TCP max buffer size setable using setsockopt()
        net.ipv4.tcp_rmem = 4096 87380 8388608
        net.ipv4.tcp_wmem = 4096 87380 8388608

        # Disable proxy_arp
        net.ipv4.conf.default.proxy_arp = 0
        net.ipv4.conf.all.proxy_arp = 0

        # Disable bootp_relay
        net.ipv4.conf.default.bootp_relay = 0
        net.ipv4.conf.all.bootp_relay = 0

        # Decrease TCP fin timeout
        net.ipv4.tcp_fin_timeout = 30
        # Decrease TCP keep alive time
        net.ipv4.tcp_keepalive_time = 1800
        # Sen SynAck retries to 3
        net.ipv4.tcp_synack_retries = 3

        # End of file

Reload sysctl settings;

        # sysctl --system
GNU/Linux Index

This is part of the LeetIO System Documentation. Copyright (C) 2021 LeetIO Team. See the file Gnu Free Documentation License for copying conditions.