@tuklusan
Last active March 1, 2020 09:09
/etc/sysctl.conf | Centos 7 Network Hardening: How to Protect Your Server from Basic Network Attacks using IPTABLES Firewall - http://supratim-sanyal.blogspot.com/2016/09/centos-7-network-hardening-how-to_19.html
# --
# /etc/sysctl.conf
# From "Centos 7 Network Hardening: How to Protect Your Server from Basic Network Attacks using IPTABLES Firewall"
# http://supratim-sanyal.blogspot.com/2016/09/centos-7-network-hardening-how-to_19.html
# --
# System default settings live in /usr/lib/sysctl.d/00-system.conf.
# To override those settings, enter new settings here, or in an /etc/sysctl.d/<name>.conf file
#
# For more information, see sysctl.conf(5) and sysctl.d(5).

# Disable IPv6 on all interfaces (this host is not expected to serve IPv6 traffic).
net.ipv6.conf.all.disable_ipv6 = 1

# From https://highon.coffee/blog/security-harden-centos-7/
# This host is not a router: do not forward packets and do not send ICMP redirects.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# SYN flood resilience: larger half-open queue, plus SYN cookies when it fills.
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.tcp_syncookies = 1
# Ignore ICMP echo to broadcast addresses (smurf amplification) and bogus ICMP error responses.
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Do not accept source-routed packets or ICMP redirects (not even from "secure" gateways),
# and log packets with impossible source addresses (martians).
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.log_martians = 1
# Strict reverse-path filtering: drop packets whose source is not routable back out the ingress interface.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disabling TCP timestamps hides uptime from remote fingerprinting, at the cost of PAWS and RTT estimation.
net.ipv4.tcp_timestamps = 0

# Connection tracking: a bigger table and a shorter generic timeout (kernel default is 600s)
# help avoid "nf_conntrack: table full, dropping packet" errors.
# These keys exist only once the nf_conntrack module is loaded; sysctl -p reports them as
# missing on a host where no stateful iptables rule has loaded it yet.
net.netfilter.nf_conntrack_generic_timeout = 120
net.netfilter.nf_conntrack_max = 524288

# misc
# Never write core dumps for setuid programs.
fs.suid_dumpable = 0
# Full ASLR: randomise stack, mmap base, VDSO and heap (brk).
kernel.randomize_va_space = 2
# kernel.exec-shield was a RHEL/CentOS 5 and 6 tunable; on CentOS 7 the key does not exist
# and sysctl -p errors on it. NX support and the ASLR setting above cover the same ground.
# kernel.exec-shield = 1
# Strict overcommit accounting; applications that rely on overcommit may see allocation failures.
vm.overcommit_memory = 2
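An added audit script, not part of the gist or the blog post it cites, that parses this file's sysctl.conf(5) syntax and reports keys that have drifted from, or do not exist on, the running kernel (so a stale tunable such as kernel.exec-shield on CentOS 7 shows up as MISSING instead of failing silently). SAMPLE_CONF and SAMPLE_RUNNING are constructed inputs; read_running() is what you would use against a real host.

```python
from pathlib import Path


def parse_sysctl_conf(text):
    """Parse sysctl.conf(5) text into {key: value}: comments and blank lines are skipped,
    'key=value' and 'key = value' both work, and a repeated key keeps the later line
    (the same result 'sysctl -p' produces when it applies the file top to bottom)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # A leading '-' only tells sysctl to ignore errors for that key; it is not part of the name.
        settings[key.strip().lstrip("-")] = " ".join(value.split())
    return settings


def read_running(key):
    """Current value of a dotted key from /proc/sys, or None if this kernel does not have it."""
    try:
        return " ".join((Path("/proc/sys") / key.replace(".", "/")).read_text().split())
    except OSError:  # missing key, directory instead of file, or unreadable
        return None


def audit(expected, running):
    """Compare expected settings with a {key: value-or-None} kernel snapshot.
    Returns (drifted, missing): drifted maps key -> (wanted, actual); missing lists absent keys."""
    drifted, missing = {}, []
    for key, want in expected.items():
        have = running.get(key)
        if have is None:
            missing.append(key)
        elif have != want:
            drifted[key] = (want, have)
    return drifted, missing


# Constructed sample in the gist's format (not read from /etc/sysctl.conf).
SAMPLE_CONF = """\
net.ipv4.conf.all.rp_filter = 1
net.netfilter.nf_conntrack_generic_timeout=120
kernel.exec-shield = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_timestamps = 0
"""
# Constructed snapshot standing in for {k: read_running(k) for k in wanted} on a CentOS 7 host.
SAMPLE_RUNNING = {"net.ipv4.conf.all.rp_filter": "1", "kernel.exec-shield": None,
                  "net.netfilter.nf_conntrack_generic_timeout": "600",
                  "net.ipv4.tcp_timestamps": "1"}
```

On a live host, `audit(wanted, {k: read_running(k) for k in wanted})` with `wanted = parse_sysctl_conf(Path("/etc/sysctl.conf").read_text())` gives the same two lists for the real file.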