Last active
May 15, 2024 20:37
-
-
Save DavidOsipov/cdf61fccc8cc6924dffa15e90f1bfbb9 to your computer and use it in GitHub Desktop.
Ubuntu 22.04 small VPN server (1 CPU 2 GB) sysctl.conf hardened file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# /etc/sysctl.conf - Configuration file for setting system variables | |
# See /etc/sysctl.d/ for additional system variables. | |
# See sysctl.conf (5) for information. | |
####################### General Kernel Parameters ####################### | |
#kernel.domainname = example.com | |
#kernel.printk = 3 4 1 3 # Uncomment to stop low-level messages on console | |
####################### Kernel Hardening Parameters ##################### | |
kernel.sysrq = 0 | |
kernel.dmesg_restrict = 1 | |
kernel.kexec_load_disabled = 1 | |
kernel.yama.ptrace_scope = 1 | |
net.core.bpf_jit_harden = 2 | |
kernel.unprivileged_bpf_disabled = 1 | |
kernel.unprivileged_userns_clone=0 | |
kernel.kptr_restrict = 2 | |
kernel.perf_event_paranoid = 3 | |
kernel.core_uses_pid = 1 | |
fs.protected_fifos = 2 | |
fs.protected_regular = 2 | |
dev.tty.ldisc_autoload = 0 | |
vm.unprivileged_userfaultfd = 0 | |
fs.suid_dumpable = 0 | |
kernel.core_pattern = |/bin/false | |
fs.protected_symlinks = 1 | |
fs.protected_hardlinks = 1 | |
kernel.randomize_va_space = 2 | |
kernel.panic = 10 | |
kernel.panic_on_oops = 1 | |
######################### Network Security ############################# | |
# Spoof Protection | |
net.ipv4.conf.default.rp_filter = 1 | |
net.ipv4.conf.all.rp_filter = 1 | |
net.ipv4.tcp_rfc1337 = 1 | |
# TCP/IP SYN cookies | |
net.ipv4.tcp_syncookies = 1 | |
# ICMP Settings | |
net.ipv4.icmp_echo_ignore_all = 1 | |
net.ipv4.conf.default.secure_redirects = 0 | |
net.ipv4.conf.all.secure_redirects = 0 | |
net.ipv4.conf.all.send_redirects = 0 | |
# Packet Forwarding | |
net.ipv4.ip_forward = 1 | |
net.ipv6.conf.all.forwarding = 1 | |
net.ipv6.conf.default.forwarding = 1 | |
net.ipv6.conf.default.accept_redirects = 0 | |
# Enabling SACK | |
net.ipv4.tcp_sack = 1 | |
net.ipv4.tcp_dsack = 1 | |
net.ipv4.tcp_fack = 1 | |
net.ipv4.tcp_timestamps = 1 | |
# Adjust TCP keepalive settings | |
net.ipv4.tcp_keepalive_time = 900 | |
net.ipv4.tcp_keepalive_probes = 5 | |
net.ipv4.tcp_keepalive_intvl = 15 | |
# Redirection & Attacks Protection | |
net.ipv4.conf.all.accept_redirects = 0 | |
net.ipv6.conf.all.accept_redirects = 0 | |
net.ipv4.conf.default.accept_redirects = 0 | |
net.ipv4.icmp_ignore_bogus_error_responses = 1 | |
net.ipv4.icmp_echo_ignore_broadcasts = 1 | |
net.ipv4.tcp_synack_retries = 2 | |
# Source Route Packets & Martian Packets | |
net.ipv4.conf.all.accept_source_route = 0 | |
net.ipv6.conf.all.accept_source_route = 0 | |
net.ipv6.conf.default.accept_source_route = 0 | |
net.ipv4.conf.default.accept_source_route = 0 | |
net.ipv4.conf.all.log_martians = 1 | |
net.ipv4.conf.default.log_martians = 1 | |
# Set ARP table thresholds to prevent overflow | |
net.ipv4.neigh.default.gc_thresh1 = 128 | |
net.ipv4.neigh.default.gc_thresh2 = 512 | |
net.ipv4.neigh.default.gc_thresh3 = 1024 | |
net.ipv4.neigh.default.gc_interval = 30 | |
# Prevent ARP and BOOTP related attacks | |
net.ipv4.conf.all.proxy_arp = 0 | |
net.ipv4.conf.all.bootp_relay = 0 | |
net.ipv4.conf.all.arp_ignore = 1 | |
net.ipv4.conf.all.arp_announce = 2 | |
net.ipv4.conf.default.arp_ignore = 1 | |
net.ipv4.conf.default.arp_announce = 2 | |
# Ensure no proxy ARP responses are sent | |
net.ipv4.conf.default.proxy_arp = 0 | |
# Enable Explicit Congestion Notification | |
net.ipv4.tcp_ecn = 1 | |
###################### Network Performance Tuning ###################### | |
net.ipv4.tcp_congestion_control = bbr | |
net.ipv4.tcp_notsent_lowat = 16384 | |
net.ipv4.tcp_max_syn_backlog = 2048 | |
net.ipv4.tcp_max_tw_buckets = 50000 | |
net.ipv4.tcp_low_latency = 1 | |
net.ipv4.tcp_fastopen = 3 | |
net.ipv4.tcp_fastopen = 1024 | |
net.core.somaxconn = 1024 | |
net.ipv4.tcp_tw_reuse = 1 | |
net.ipv4.tcp_max_orphans = 16384 | |
# Optimize TCP and UDP buffers | |
net.core.rmem_max = 16777216 | |
net.core.wmem_max = 16777216 | |
net.ipv4.tcp_rmem = 8192 43690 16777216 | |
net.ipv4.tcp_wmem = 8192 32768 16777216 | |
net.ipv4.udp_rmem_min = 16384 | |
net.ipv4.udp_wmem_min = 16384 | |
net.core.rmem_default = 262144 | |
net.core.wmem_default = 262144 | |
# Enable TCP window scaling | |
net.ipv4.tcp_window_scaling = 1 | |
# Use fair queueing to manage packets | |
net.core.default_qdisc = fq | |
# Set TCP FIN timeout to free up the TCP connection slots faster | |
net.ipv4.tcp_fin_timeout = 15 | |
# Decrease the retry count for initial SYN, reducing resources spent on unreachable hosts | |
net.ipv4.tcp_syn_retries = 2 | |
# Enhanced handling of network traffic | |
net.core.netdev_max_backlog = 32768 | |
net.core.dev_weight = 64 | |
# Do not cache ssthresh from previous connection, and moderate the receive buffer | |
net.ipv4.tcp_no_metrics_save = 1 | |
net.ipv4.tcp_moderate_rcvbuf = 1 | |
# Limit the maximum memory used to reassemble IP fragments | |
net.ipv4.ipfrag_low_thresh = 196608 | |
net.ipv6.ip6frag_low_thresh = 196608 | |
net.ipv4.ipfrag_high_thresh = 262144 | |
net.ipv6.ip6frag_high_thresh = 262144 | |
# Increase size of RPC datagram queue length | |
net.unix.max_dgram_qlen = 50 | |
# Increase TCP queue length | |
net.ipv4.neigh.default.proxy_qlen = 96 | |
net.ipv4.neigh.default.unres_qlen = 6 | |
# How many times to retry killing an alive TCP connection | |
net.ipv4.tcp_retries2 = 15 | |
net.ipv4.tcp_retries1 = 3 | |
# Avoid falling back to slow start after a connection goes idle | |
net.ipv4.tcp_slow_start_after_idle = 0 | |
# Increase the maximum amount of option memory buffers | |
net.core.optmem_max = 25165824 | |
# Increase the maximum total buffer-space allocatable | |
net.ipv4.tcp_mem = 65536 131072 262144 | |
net.ipv4.udp_mem = 65536 131072 262144 | |
########################### IPv6 Configuration ########################## | |
# Allow IPv6 | |
net.ipv6.conf.default.disable_ipv6 = 0 | |
net.ipv6.conf.all.disable_ipv6 = 0 | |
# Accept RA | |
net.ipv6.conf.all.accept_ra = 0 | |
net.ipv6.conf.default.accept_ra = 0 | |
####################### Virtual Memory Configuration #################### | |
# Increase size of file handles and inode cache | |
fs.file-max = 2097152 | |
# Do less swapping | |
vm.swappiness = 10 | |
vm.dirty_ratio = 60 | |
vm.dirty_background_ratio = 2 | |
# Increase pressure to reclaim memory from directory and inode caches | |
vm.vfs_cache_pressure = 50 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment