Hardening Linux kernel for nginx
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Avoid a smurf attack | |
| net.ipv4.icmp_echo_ignore_broadcasts = 1 | |
| # Turn on protection for bad icmp error messages | |
| net.ipv4.icmp_ignore_bogus_error_responses = 1 | |
| # Turn on syncookies for SYN flood attack protection | |
| net.ipv4.tcp_syncookies = 1 | |
| # Turn on and log spoofed, source routed, and redirect packets | |
| net.ipv4.conf.all.log_martians = 1 | |
| net.ipv4.conf.default.log_martians = 1 | |
| # No source routed packets here | |
| net.ipv4.conf.all.accept_source_route = 0 | |
| net.ipv4.conf.default.accept_source_route = 0 | |
| # Turn on reverse path filtering | |
| net.ipv4.conf.all.rp_filter = 1 | |
| net.ipv4.conf.default.rp_filter = 1 | |
| # Make sure no one can alter the routing tables | |
| net.ipv4.conf.all.accept_redirects = 0 | |
| net.ipv4.conf.default.accept_redirects = 0 | |
| net.ipv4.conf.all.secure_redirects = 0 | |
| net.ipv4.conf.default.secure_redirects = 0 | |
| # Don't act as a router | |
| net.ipv4.ip_forward = 0 | |
| net.ipv4.conf.all.send_redirects = 0 | |
| net.ipv4.conf.default.send_redirects = 0 | |
| # Turn on execshild | |
| kernel.exec-shield = 1 | |
| kernel.randomize_va_space = 1 | |
| # Tuen IPv6 | |
| net.ipv6.conf.default.router_solicitations = 0 | |
| net.ipv6.conf.default.accept_ra_rtr_pref = 0 | |
| net.ipv6.conf.default.accept_ra_pinfo = 0 | |
| net.ipv6.conf.default.accept_ra_defrtr = 0 | |
| net.ipv6.conf.default.autoconf = 0 | |
| net.ipv6.conf.default.dad_transmits = 0 | |
| net.ipv6.conf.default.max_addresses = 1 | |
| # Optimization for port usefor LBs | |
| # Increase system file descriptor limit | |
| fs.file-max = 65535 | |
| # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 | |
| kernel.pid_max = 65536 | |
| # Increase system IP port limits | |
| net.ipv4.ip_local_port_range = 2000 65000 | |
| # Increase TCP max buffer size setable using setsockopt() | |
| net.ipv4.tcp_rmem = 4096 87380 8388608 | |
| net.ipv4.tcp_wmem = 4096 87380 8388608 | |
| # Increase Linux auto tuning TCP buffer limits | |
| # min, default, and max number of bytes to use | |
| # set max to at least 4MB, or higher if you use very high BDP paths | |
| # Tcp Windows etc | |
| net.core.rmem_max = 8388608 | |
| net.core.wmem_max = 8388608 | |
| net.core.netdev_max_backlog = 5000 | |
| net.ipv4.tcp_window_scaling = 1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This is gist is created by Abhishek Ghosh for the blog article Installing WordPress With NGINX on Debian.