tcp tune2
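# /etc/sysctl.conf
# '/sbin/sysctl -a' to enumerate all possible parameters.
# Applied at boot and by '/sbin/sysctl -p'; keys are processed top to bottom.
# 'conf.all.*' keys apply to interfaces that already exist, 'conf.default.*'
# keys seed interfaces created afterwards -- both are set for each control
# below so neither case is missed.
# ======================================================================
# DoD Security Technical Implementation Guide (STIG) settings
#
# STIG SV-50312r2
# Controls IP packet forwarding. Keep at 0 unless this host must route
# (container/VM bridging needs it enabled).
net.ipv4.ip_forward = 0
# STIG SV-50343r2 SV-50345r2
# Controls source route verification -- enabling reverse path filtering
# drops packets with source addresses that should not have been able to be
# received on the interface they were received on.
# 1 = strict mode; multi-homed hosts with asymmetric routing may need 2 (loose).
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# STIG SV-50329r2
# Log spoofed packets plus all packets with impossible addresses.
# 'default' is set as well so interfaces created after boot start logging too,
# mirroring the all/default pairing used for the other controls here.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# STIG SV-50324r2 SV-50325r2 SV-50327r2 SV-50330r2 SV-50333r2 SV-50334r3
# Do not accept source routing or ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.secure_redirects = 0
# STIG SV-50336r2
# Ignoring ICMP echo requests (pings) sent to {broad,multi}cast addresses
# makes the system slightly more difficult to enumerate on the network
net.ipv4.icmp_echo_ignore_broadcasts = 1
# STIG SV-50338r2
# Ignoring bogus ICMP error responses reduces log size
net.ipv4.icmp_ignore_bogus_error_responses = 1
# STIG SV-50401r2 SV-50402r2
# Sending ICMP redirects permits the system to instruct other systems
# to update their routing information
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# STIG SV-50349r3
# Illicit ICMP redirect message could result in a man-in-the-middle attack.
# The IPv4 block above disables redirects on both 'all' and 'default'; the
# IPv6 control is mirrored the same way so interfaces that already exist when
# this file is applied are covered as well. Whether 'all' propagates to
# existing interfaces differs per setting, so confirm after applying with
# 'sysctl net.ipv6.conf.<iface>.accept_redirects'.
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# STIG SV-50340r2
# Controls the use of TCP syncookies. Keeps the listen queue usable when it
# fills with half-open connections (SYN flood); cookies are only emitted once
# the SYN backlog is full, so normal operation is unaffected.
net.ipv4.tcp_syncookies = 1
# ======================================================================
# Local settings
#
# DEFAULT INTERRUPTS:
# net.core.netdev_budget = 300
#
# If the software interrupt doesn't process packets for a long time, it
# may cause the NIC buffer to overflow and, hence, can cause packet loss.
# netdev_budget is the maximum number of packets one softirq poll cycle
# may process before yielding (the matching time bound is
# net.core.netdev_budget_usecs, left at its default here).
#
# The default value should be 300 and may have to be increased to 600
# if you have a high network load or a 10Gbps (and above) system.
net.core.netdev_budget = 600
# ----------------------------------------------------------------------
# DEFAULT SOCKET BUFFER SIZES:
# net.core.rmem_default = 212992
# net.core.rmem_max = 212992
# net.core.wmem_default = 212992
# net.core.wmem_max = 212992
#
# These parameters set the default and maximum receive (rmem) and send
# (wmem) buffer size for any type of socket. The stock defaults are
# deliberately modest since the space comes from RAM. Increasing this may
# improve performance for systems running servers like NFS.
# NOTE: TCP sockets size themselves from net.ipv4.tcp_rmem/tcp_wmem below;
# rmem_default/wmem_default mainly govern UDP, raw and other non-TCP
# sockets, so a 16 MiB default applies to every one of those -- review on
# hosts with many such sockets.
net.core.rmem_default = 16777216
net.core.wmem_default = 16777216
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# ----------------------------------------------------------------------
# DEFAULT MAXIMUM PENDING CONNECTIONS:
# net.core.somaxconn = 128
#
# An application can specify the maximum number of pending requests to
# put in queue before processing one connection. The kernel silently caps
# the backlog passed to listen() at somaxconn. When this value reaches
# the maximum, further connections start to drop out. For applications
# like a Web server, which issue lots of connections, this value has
# to be high for these to work properly.
# The SYN queue is bounded separately by net.ipv4.tcp_max_syn_backlog,
# which is left at its default here.
net.core.somaxconn = 2048
# ----------------------------------------------------------------------
# DEFAULT TCP FIN TIMEOUT:
# net.ipv4.tcp_fin_timeout = 60
#
# In a TCP connection, both sides must independently close the connection.
# After Linux TCP sends its FIN and it is acknowledged, the socket sits in
# FIN-WAIT-2 waiting for the peer's FIN for up to net.ipv4.tcp_fin_timeout
# seconds. The default value (60) is quite high, and can be decreased to 20
# or 30 to let TCP close the connection and free resources for another one.
net.ipv4.tcp_fin_timeout = 20
# ----------------------------------------------------------------------
# DEFAULT KERNEL BUFFER SIZES:
# net.ipv4.tcp_rmem = 4096 87380 6291456
# net.ipv4.tcp_wmem = 4096 16384 4194304
#
# Format: min default max (bytes per TCP socket). The kernel auto-tunes
# each socket between min and max; raise max above the BDP (bandwidth
# delay product) if the kernel buffer is your throughput bottleneck.
#
# BDP = Bandwidth (B/sec) * RTT (seconds), where RTT (round trip time) can
# be calculated by pinging to any other system and finding the average time
# in seconds.
#
# min and default are raised here as well. Note that min is the floor the
# kernel keeps per socket even under memory pressure, so 64 KiB across many
# connections adds up -- consider leaving min at 4096 on connection-heavy hosts.
net.ipv4.tcp_rmem = 65535 131072 16777216
net.ipv4.tcp_wmem = 65535 131072 16777216
# ----------------------------------------------------------------------
# DEFAULT RETRY TIMES:
# net.ipv4.tcp_syn_retries = 6
# net.ipv4.tcp_synack_retries = 5
#
# Only retry creating TCP connections twice;
# minimize the time it takes for a connection attempt to fail
# (roughly 7 seconds with the default initial RTO instead of ~2 minutes).
# synack_retries bounds how long a half-open inbound connection is kept.
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
# ----------------------------------------------------------------------
# DEFAULT STARTUP TIME:
# net.ipv4.tcp_slow_start_after_idle = 1
#
# Avoid falling back to slow start after a connection goes idle.
net.ipv4.tcp_slow_start_after_idle = 0
# ----------------------------------------------------------------------
# DEFAULT TIME-WAIT SOCKET REUSE:
# net.ipv4.tcp_tw_reuse = 0
#
# Allow reuse of sockets in TIME_WAIT state for new connections
# only when it is safe from the network stack's perspective.
# Applies to outgoing connections only and relies on TCP timestamps
# (net.ipv4.tcp_timestamps, default 1) to tell old segments apart.
net.ipv4.tcp_tw_reuse = 1
# EOF ------------------------------------------------------------------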