Last active
November 24, 2019 05:47
-
-
Save binhp/b536221b46bf5ac7f6ce7251fb66f2f5 to your computer and use it in GitHub Desktop.
debian rootfs security best practices
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # after update run `sudo sysctl -p` | |
| # Avoid a smurf attack | |
| net.ipv4.icmp_echo_ignore_broadcasts = 1 | |
| # Turn on protection for bad icmp error messages | |
| net.ipv4.icmp_ignore_bogus_error_responses = 1 | |
| # Turn on syncookies for SYN flood attack protection | |
| net.ipv4.tcp_syncookies = 1 | |
| # Turn on and log spoofed, source routed, and redirect packets | |
| net.ipv4.conf.all.log_martians = 1 | |
| net.ipv4.conf.default.log_martians = 1 | |
| # No source routed packets here | |
| net.ipv4.conf.all.accept_source_route = 0 | |
| net.ipv4.conf.default.accept_source_route = 0 | |
| # Turn on reverse path filtering | |
| net.ipv4.conf.all.rp_filter = 1 | |
| net.ipv4.conf.default.rp_filter = 1 | |
| # Make sure no one can alter the routing tables | |
| net.ipv4.conf.all.accept_redirects = 0 | |
| net.ipv4.conf.default.accept_redirects = 0 | |
| net.ipv4.conf.all.secure_redirects = 0 | |
| net.ipv4.conf.default.secure_redirects = 0 | |
| # Don't act as a router | |
| net.ipv4.ip_forward = 0 | |
| net.ipv4.conf.all.send_redirects = 0 | |
| net.ipv4.conf.default.send_redirects = 0 | |
| # Turn on execshild | |
| kernel.exec-shield = 1 | |
| kernel.randomize_va_space = 1 | |
| # Tuen IPv6/disabled IPv6 | |
| net.ipv6.conf.all.disable_ipv6 = 1 | |
| net.ipv6.conf.default.router_solicitations = 0 | |
| net.ipv6.conf.default.accept_ra_rtr_pref = 0 | |
| net.ipv6.conf.default.accept_ra_pinfo = 0 | |
| net.ipv6.conf.default.accept_ra_defrtr = 0 | |
| net.ipv6.conf.default.autoconf = 0 | |
| net.ipv6.conf.default.dad_transmits = 0 | |
| net.ipv6.conf.default.max_addresses = 1 | |
| # Optimization for port usefor LBs | |
| # Increase system file descriptor limit | |
| fs.file-max = 65535 | |
| # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 | |
| kernel.pid_max = 65536 | |
| # Increase system IP port limits | |
| net.ipv4.ip_local_port_range = 2000 65000 | |
| # Increase TCP max buffer size setable using setsockopt() | |
| net.ipv4.tcp_rmem = 4096 87380 8388608 | |
| net.ipv4.tcp_wmem = 4096 87380 8388608 | |
| # Increase Linux auto tuning TCP buffer limits | |
| # min, default, and max number of bytes to use | |
| # set max to at least 4MB, or higher if you use very high BDP paths | |
| # Tcp Windows etc | |
| net.core.rmem_max = 8388608 | |
| net.core.wmem_max = 8388608 | |
| net.core.netdev_max_backlog = 5000 | |
| net.ipv4.tcp_window_scaling = 1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment