ubuntu sysctl.conf settings
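# /etc/sysctl.conf for an Ubuntu host (not a router): network/kernel hardening
# plus a few tuning knobs. Loaded with `sysctl -p` or by the sysctl service at
# boot. Only `#` full-line comments are used; one `key = value` per line.
# Based on http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/

# --- ICMP ---
# Ignore echo requests sent to broadcast addresses (avoids acting as a
# smurf-style amplifier).
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Silently ignore ICMP error responses that do not conform to the RFCs
# instead of logging each one.
net.ipv4.icmp_ignore_bogus_error_responses = 1

# --- TCP ---
# SYN cookies keep the host accepting connections while the SYN backlog is full.
net.ipv4.tcp_syncookies = 1
# Retransmit SYN-ACK only twice (kernel default is 5) so half-open
# connections are dropped sooner.
net.ipv4.tcp_synack_retries = 2

# --- IPv4 routing / anti-spoofing ---
# For every `net.ipv4.conf.*` pair below, `all` applies to interfaces that
# already exist and `default` to interfaces created afterwards.
# Log "martian" packets: spoofed, source-routed and redirect packets.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Drop source-routed packets; a host has no legitimate use for them.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# RFC 3704 reverse-path filtering, strict mode (1). Do not use strict mode on
# a router or a multi-homed host with asymmetric routing; use 2 (loose) there.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Do not let ICMP redirects alter the routing table. secure_redirects only
# restricts redirects to known gateways, so both keys must be 0 to refuse them.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Host only: do not forward packets and do not emit redirects.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# --- Memory protection ---
# kernel.exec-shield is a Red Hat/CentOS kernel patch. The key does not exist
# on Ubuntu kernels, so `sysctl -p` reports it as an unknown key; it is kept
# here only as a record and left disabled. Ubuntu kernels provide NX and
# ASLR without it.
#kernel.exec-shield = 1
# Address-space layout randomisation: 0 = off, 1 = stack/mmap/vDSO only,
# 2 = full (also randomises the heap/brk). 2 is the Ubuntu default; the
# previous value of 1 here was weaker than that default.
kernel.randomize_va_space = 2

# --- IPv6 (host, not router) ---
# These `default` keys apply to interfaces created after sysctl runs;
# interfaces that already exist keep their own values. Check the effective
# value with `sysctl net.ipv6.conf.<iface>` on the target host if needed.
# Router Solicitations to send before assuming no router is present.
net.ipv6.conf.default.router_solicitations = 0
# Do not honour the Router Preference field of Router Advertisements.
net.ipv6.conf.default.accept_ra_rtr_pref = 0
# Do not learn prefix information from Router Advertisements.
net.ipv6.conf.default.accept_ra_pinfo = 0
# Do not install a default router learned from Router Advertisements.
net.ipv6.conf.default.accept_ra_defrtr = 0
# Do not auto-configure global unicast addresses from Router
# Advertisements (SLAAC).
net.ipv6.conf.default.autoconf = 0
# Duplicate Address Detection probes sent per address; 0 disables DAD.
net.ipv6.conf.default.dad_transmits = 0
# Maximum number of global unicast addresses per interface.
net.ipv6.conf.default.max_addresses = 1
# Same policy as the IPv4 block above: ICMPv6 redirects must not alter routes.
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# --- Resource limits and port ranges ---
# System-wide open-file limit. NOTE: current kernels derive the default from
# RAM and it is often already above 65535; compare with `sysctl fs.file-max`
# before applying this line, or it will lower the limit instead of raising it.
fs.file-max = 65535
# Allow more PIDs to reduce PID reuse. The kernel default is 32768; a few
# old programs assume PIDs fit in 16 bits, which 65536 still satisfies.
kernel.pid_max = 65536
# Ephemeral (local) port range for outgoing connections. A lower bound this
# low lets outgoing connections occupy ports that local services bind later
# (e.g. 3306, 5432); list such ports in net.ipv4.ip_local_reserved_ports or
# raise the lower bound if that matters on this host.
net.ipv4.ip_local_port_range = 2000 65000

# --- TCP buffer tuning (left disabled; kernel autotuning is used) ---
# tcp_rmem/tcp_wmem are min, default and max bytes per socket. Enable them
# together with rmem_max/wmem_max for high bandwidth-delay-product paths;
# set the max to at least 4 MB there. tcp_window_scaling = 1 is already the
# kernel default.
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1

# --- Kernel ---
# Magic SysRq key: 0 disables all functions (Ubuntu's default of 176 still
# allows sync, remount read-only and reboot from the console).
kernel.sysrq = 0
# Append the PID to core dump file names; useful when debugging
# multi-threaded programs.
kernel.core_uses_pid = 1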