MacOS and Linux Optimisation
#!/bin/bash | |
# Function to set sysctl values with error handling | |
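#######################################
# Apply one sysctl key at runtime and persist it in /etc/sysctl.conf.
# Arguments: $1 - sysctl key (e.g. kernel.kptr_restrict)
#            $2 - value to assign
# Outputs:   progress on stdout, failures on stderr
# Returns:   0 when the key was set, 1 when `sysctl -w` rejected it
#######################################
set_sysctl() {
  local key=$1
  local value=$2
  # Quoted so a multi-word value (e.g. "4096 87380 6291456") reaches sysctl as
  # one key=value argument; sudo is used like every other privileged step here.
  if ! sudo sysctl -w "${key}=${value}"; then
    printf 'Failed to set %s to %s\n' "$key" "$value" >&2
    return 1
  fi
  printf '%s set to %s\n' "$key" "$value"
  # Append only when this exact line is absent, so re-running the script does
  # not pile up duplicate entries in /etc/sysctl.conf.
  if ! sudo grep -qxF -- "${key}=${value}" /etc/sysctl.conf 2>/dev/null; then
    printf '%s=%s\n' "$key" "$value" | sudo tee -a /etc/sysctl.conf
  fi
}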
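# Check if the running kernel supports kTLS
#######################################
# Decide whether a kernel release string is new enough for this script's
# kTLS steps (5.11 or later, the threshold the script already uses).
# Arguments: $1 - kernel release as printed by `uname -r` (e.g. 5.15.0-91-generic)
# Returns:   0 when major.minor >= 5.11, 1 otherwise; an unparsable release
#            is treated as unsupported
#######################################
kernel_supports_ktls() {
  local release=$1
  # Compare major and minor as integers. The original `[[ "$a" < "5.11" ]]`
  # was a lexicographic comparison, so "5.9" ranked above "5.11" (accepted)
  # and "10.0" below it (rejected).
  [[ "$release" =~ ^([0-9]+)\.([0-9]+) ]] || return 1
  local major=${BASH_REMATCH[1]}
  local minor=${BASH_REMATCH[2]}
  (( major > 5 || (major == 5 && minor >= 11) ))
}

kernel_version=$(uname -r)
if ! kernel_supports_ktls "$kernel_version"; then
  echo "kTLS is not supported on kernels older than 5.11. Please upgrade your kernel."
  exit 1
fi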
# Ensure the kernel module for kTLS is loaded
# Abort early when the module cannot be loaded; the message tells the operator
# where to look.
if ! sudo modprobe tls; then
  echo "Failed to load kTLS module. Please check if your kernel supports kTLS."
  exit 1
fi
# Enable ASLR (Address Space Layout Randomization) and kTLS (Kernel TLS)
# One "key value" pair per line; set_sysctl applies and persists each.
# NOTE(review): I cannot confirm that net.ipv4.tcp_tls_enable is a key on
# mainline kernels (kTLS is, as far as I know, enabled per socket once the
# tls module is loaded); set_sysctl reports a failure if the key is absent.
while read -r key value; do
  set_sysctl "$key" "$value"
done <<'EOF'
kernel.randomize_va_space 2
net.ipv4.tcp_tls_enable 1
EOF
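# Check and install GCC if necessary
# The comment promised a check but the code ran apt-get unconditionally;
# only install when gcc is not already on PATH, which also spares the
# package refresh on every run.
if ! command -v gcc >/dev/null 2>&1; then
  sudo apt-get update
  sudo apt-get install -y gcc
fi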
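# Secure shared memory
# Persist the noexec,nosuid mount once: the original appended this fstab
# line on every run, producing duplicate entries.
shm_fstab_line='tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0'
if ! sudo grep -qxF -- "$shm_fstab_line" /etc/fstab; then
  printf '%s\n' "$shm_fstab_line" | sudo tee -a /etc/fstab
fi
# Apply the same flags to the live mount rather than waiting for a reboot.
# NOTE(review): on current Debian/Ubuntu /run/shm is a symlink to /dev/shm;
# confirm which path is the real mount point on the target before relying
# on the fstab entry.
sudo mount -o remount,noexec,nosuid /run/shm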
# Disable core dumps and enable additional kernel security features
# One "key value" pair per line; set_sysctl applies and persists each.
while read -r key value; do
  set_sysctl "$key" "$value"
done <<'EOF'
fs.suid_dumpable 0
kernel.kptr_restrict 2
kernel.yama.ptrace_scope 1
EOF
# Soft core-size limit for this shell and its children only; nothing in this
# script persists it.
ulimit -c 0
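# Install and configure Uncomplicated Firewall (UFW)
sudo apt-get install -y ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH before enabling so the current remote session is not cut off.
sudo ufw allow ssh
# --force answers the "may disrupt existing ssh connections" confirmation
# prompt that otherwise stalls an unattended run.
sudo ufw --force enable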
# Disable unnecessary services
# Stop rpcbind and keep it from starting at boot; `--now` covers both.
sudo systemctl disable --now rpcbind
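# Set SSH security features
#######################################
# Set one sshd_config directive. Replaces every existing line for the
# directive, commented or active, so the hardening applies even when the
# current value is not the distribution default (the original sed patterns
# only matched the commented-out default text). Appends when no line exists.
# Arguments: $1 - directive name (plain identifier)
#            $2 - value; must not contain '|', '&' or '\' (sed replacement)
#            $3 - config file (default /etc/ssh/sshd_config)
# Returns:   status of the last sudo command
#######################################
set_sshd_option() {
  local key=$1
  local value=$2
  local config=${3:-/etc/ssh/sshd_config}
  if sudo grep -qE "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$config"; then
    sudo sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$config"
  else
    printf '%s %s\n' "$key" "$value" | sudo tee -a "$config" >/dev/null
  fi
}

# Keep a copy of the pre-hardening file; -n never overwrites an existing backup.
sudo cp -an /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
set_sshd_option PermitRootLogin no
set_sshd_option PasswordAuthentication no
set_sshd_option PermitEmptyPasswords no
set_sshd_option ChallengeResponseAuthentication no
set_sshd_option UsePAM yes
# AllowUsers restricts logins to the listed accounts. The literal
# "your_username" the script used to append would lock every real account
# out once PasswordAuthentication is off, so the list now comes from the
# environment and the directive is left alone when none is given.
if [[ -n "${SSH_ALLOW_USERS:-}" ]]; then
  set_sshd_option AllowUsers "$SSH_ALLOW_USERS"
else
  printf 'SSH_ALLOW_USERS is not set; AllowUsers left unchanged to avoid locking accounts out.\n' >&2
fi
# NOTE(review): where sshd_config begins with
# "Include /etc/ssh/sshd_config.d/*.conf", a drop-in there (for example one
# setting PasswordAuthentication yes) takes precedence over these edits,
# because sshd keeps the first value it reads — check that directory too.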
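# Determine the correct SSH service name and restart the SSH service
# Validate the edited configuration first: restarting on a broken
# sshd_config takes SSH down and, on a remote host, locks the operator out.
if ! sudo sshd -t; then
  echo "sshd_config failed validation (sshd -t); not restarting SSH." >&2
  exit 1
fi
# `-all` in the original appears to have parsed as -a -l -l and worked by
# accident; the long option is spelled out here.
if systemctl list-units --full --all | grep -q 'sshd.service'; then
  sudo systemctl restart sshd
elif systemctl list-units --full --all | grep -q 'ssh.service'; then
  sudo systemctl restart ssh
else
  echo "SSH service not found."
  exit 1
fi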
# Install and configure fail2ban
sudo apt-get install -y fail2ban
# Feed the sshd jail straight from the here-document into jail.local; the
# quoted delimiter keeps the contents literal.
# NOTE(review): logpath assumes a syslog-style /var/log/auth.log; on hosts
# that only keep the journal the jail would see no events — confirm.
sudo tee /etc/fail2ban/jail.local <<'EOF'
[sshd]
enabled = true
filter = sshd
action = ufw[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/auth.log
maxretry = 5
EOF
# Start now and at every boot.
sudo systemctl enable --now fail2ban
echo "System security hardening complete. Review /etc/sysctl.conf and /etc/ssh/sshd_config for persistent settings."
#!/bin/sh | |
# Function to set sysctl values with error handling | |
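#######################################
# Apply one sysctl key now and persist it in /etc/sysctl.conf.
# Arguments: $1 - sysctl key, $2 - value
# Outputs:   progress on stdout, failures on stderr
# Returns:   0 when the key was set, 1 when sysctl rejected it
# Kept POSIX (/bin/sh): no `local`, `[[` or arrays.
#######################################
set_sysctl() {
  # Quoted so a multi-word value reaches sysctl as a single key=value argument.
  if ! sysctl "$1=$2"; then
    printf 'Failed to set %s to %s\n' "$1" "$2" >&2
    return 1
  fi
  printf '%s set to %s\n' "$1" "$2"
  # Append only once so repeated runs do not accumulate duplicate lines.
  if ! grep -qxF -- "$1=$2" /etc/sysctl.conf 2>/dev/null; then
    printf '%s=%s\n' "$1" "$2" >> /etc/sysctl.conf
  fi
}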
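# Increase File Descriptor Limits (System-wide settings)
# NOTE(review): the keys in this file (kern.maxfiles, net.inet.tcp.*,
# vfs.zfs.*, kern.elf64.*) are FreeBSD sysctl names; I do not believe they
# exist on macOS despite the gist title — confirm the target platform.
set_sysctl kern.maxfiles 1000000
set_sysctl kern.maxfilesperproc 500000
# Optimize Network Performance (System-wide settings)
set_sysctl net.inet.tcp.recvspace 1048576
set_sysctl net.inet.tcp.sendspace 1048576
set_sysctl net.inet.tcp.rfc1323 1
set_sysctl net.inet.tcp.blackhole 2
set_sysctl net.inet.udp.blackhole 1
set_sysctl kern.ipc.somaxconn 4096
# kern.ipc.maxsockbuf used to be set here to 8388608 and again below to
# 16777216; the later value won and both lines ended up in /etc/sysctl.conf.
# It is now set once, in the kTLS section, with the value that took effect.
# File System Optimization (using ZFS) (System-wide settings)
set_sysctl vfs.zfs.arc_max 4294967296
set_sysctl vfs.zfs.arc_min 1073741824
# Tuning TCP/IP Settings (System-wide settings)
set_sysctl net.inet.tcp.fastopen 3
set_sysctl net.inet.tcp.mssdflt 1448
set_sysctl net.inet.tcp.cc.algorithm htcp
set_sysctl net.inet.tcp.sack.enable 1
set_sysctl net.inet.tcp.tso 1 # Enable TCP segmentation offloading
set_sysctl net.inet.tcp.lro 1 # Enable Large Receive Offload
# Increase Shared Memory Limits (System-wide settings)
set_sysctl kern.ipc.shmmax 67108864
set_sysctl kern.ipc.shmall 32768
# Enable kTLS (Kernel TLS) (System-wide settings)
set_sysctl kern.ipc.maxsockbuf 16777216
set_sysctl net.inet.tcp.tls.enable 1
# Enable MPTCP (Multipath TCP) (System-wide settings)
set_sysctl net.inet.mptcp.enable 1
set_sysctl net.inet.mptcp.capable 1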
# Hardening: ASLR, stack-smashing protection, W^X (non-executable) stacks,
# core dumps off, securelevel and IPsec. One "key value" pair per line.
# NOTE(review): my understanding of FreeBSD is that kern.securelevel can only
# be raised at runtime, never lowered before a reboot, and that level 1 or
# higher refuses some administrative operations — confirm raising it from a
# tuning script (rather than via rc.conf at boot) is deliberate.
while read -r key value; do
  set_sysctl "$key" "$value"
done <<'EOF'
kern.elf64.aslr.enable 1
kern.elf32.aslr.enable 1
kern.elf64.ssp 1
kern.elf32.ssp 1
kern.elf64.nxstack 1
kern.elf32.nxstack 1
kern.coredump 0
kern.securelevel 1
net.inet.ipsec.enable 1
EOF
# Apply sysctl changes
# NOTE(review): as far as I know `sysctl -p` is the Linux spelling; FreeBSD's
# sysctl(8) reads a file with -f and macOS has neither — confirm this step
# works on the target platform.
if sysctl -p /etc/sysctl.conf; then
  echo "Sysctl settings applied successfully"
else
  echo "Failed to apply sysctl settings"
fi
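# Set jemalloc environment variables (Application-specific settings)
# Single definition of the tuning string, used both for this process and for
# the persisted line, so the two copies cannot drift apart.
malloc_conf="narenas:4,dirty_decay_ms:1000,muzzy_decay_ms:1000,lg_chunk:21,lg_dirty_mult:3"
# `export` of a plain assignment cannot fail, so the `$?` test that followed
# it in the original was dead code and always reported success.
export MALLOC_CONF="$malloc_conf"
echo "Jemalloc environment variables set successfully"
# NOTE(review): I believe lg_chunk and lg_dirty_mult were removed in jemalloc
# 5.x (decay_ms replaced dirty_mult), in which case a 5.x runtime reports
# them as invalid conf pairs — confirm the jemalloc version the applications
# link against.
# Make jemalloc settings persistent across reboots by adding to /etc/profile
profile_line="export MALLOC_CONF=\"$malloc_conf\""
# Append only once; the original added another copy on every run.
if ! grep -qxF -- "$profile_line" /etc/profile 2>/dev/null; then
  printf '%s\n' "$profile_line" >> /etc/profile
fi
echo "System tuning complete. Review /etc/sysctl.conf and /etc/profile for persistent settings."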
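# sudo touch /etc/sysctl.conf
vm.swappiness = 20
net.ipv4.ip_local_port_range = 10240 65535
net.ipv4.tcp_rmem = 65536 1048576 8388608
net.ipv4.tcp_wmem = 65536 1048576 8388608
# NOTE(review): tcp_mem is counted in pages (usually 4 KiB), not bytes. These
# three values are far above any real memory size and so effectively switch
# off TCP memory-pressure handling — confirm that is intended.
net.ipv4.tcp_mem = 1073741824 4294967296 8589934592
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.rmem_default = 1048576
net.core.wmem_default = 1048576
fs.pipe-max-size = 8388608
net.core.somaxconn = 32768
net.core.netdev_budget = 600
net.core.dev_weight = 128
# Hides uptime from the TCP timestamp option, at the cost of the PAWS and
# RTT-measurement features that rely on it.
net.ipv4.tcp_timestamps = 0
# IP Spoofing protection (reverse-path filtering); listed once — the file
# used to repeat this pair further down under a second heading.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Log Martian Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Disable IPv6 (the ipv6 lines above are then moot but harmless)
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# Disable acceptance of router advertisements
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
# sudo sysctl -p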
#!/bin/bash | |
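# Define paths
# launchd runs the helper script as root at every boot, so the script must
# live in a root-owned directory. The original wrote it to "$HOME", which any
# process running as the login user can rewrite — a user-writable file that
# root executes on the next boot. /usr/local/sbin is used instead, and its
# ownership is verified before anything is installed there.
readonly SYSCTL_SCRIPT_DIR="/usr/local/sbin"
readonly SYSCTL_SCRIPT_PATH="${SYSCTL_SCRIPT_DIR}/set_sysctl_params.sh"
readonly PLIST_PATH="/Library/LaunchDaemons/com.user.setsysctlparams.plist"

#######################################
# Write the sysctl helper script and install it root-owned, mode 0755.
# Globals:   SYSCTL_SCRIPT_DIR, SYSCTL_SCRIPT_PATH (read)
# Outputs:   progress on stdout, failures on stderr
# Returns:   0 on success, 1 when the directory is unsafe or the copy fails
#######################################
install_sysctl_script() {
  local staged
  staged=$(mktemp) || return 1
  echo "Creating sysctl script at $SYSCTL_SCRIPT_PATH"
  # Quoted EOF: the helper is written literally, nothing is expanded here.
  # NOTE(review): I have not confirmed that every key below (the kern.sysv.shm*
  # group in particular) accepts a change after boot on current macOS; sysctl
  # prints a per-key error for any it rejects.
  cat <<'EOF' > "$staged"
#!/bin/bash
sysctl kern.sysv.shmmax=134217728
sysctl kern.sysv.shmmin=1
sysctl kern.sysv.shmmni=1048576
sysctl kern.sysv.shmseg=1024
sysctl kern.sysv.shmall=1048576
sysctl kern.ipc.somaxconn=32767
sysctl kern.maxfiles=1048576
sysctl kern.maxvnodes=1048576
sysctl kern.maxfilesperproc=8192
sysctl kern.ipc.maxsockbuf=134217728
sysctl net.inet.tcp.delayed_ack=0
sysctl net.inet.ip.forwarding=0
sysctl net.inet.icmp.bmcastecho=0
sysctl net.inet.tcp.blackhole=2
sysctl net.inet.udp.blackhole=1
sysctl net.inet.tcp.msl=3000
sysctl net.inet.tcp.mssdflt=1460
sysctl net.inet.tcp.win_scale_factor=2
sysctl net.inet.tcp.sendspace=1048576
sysctl net.inet.tcp.recvspace=1048576
sysctl net.inet.tcp.autorcvbufmax=134217728
sysctl net.inet.tcp.autosndbufmax=134217728
sysctl net.inet.ip.portrange.first=32768
sysctl net.inet.ip.portrange.last=65535
EOF
  sudo install -d -o root -g wheel -m 755 "$SYSCTL_SCRIPT_DIR"
  # On Macs where a package manager created /usr/local/sbin it can belong to
  # the login user; installing a root-run script there would reintroduce the
  # problem this layout avoids, so refuse in that case.
  if [[ "$(stat -f %u "$SYSCTL_SCRIPT_DIR")" != "0" ]]; then
    echo "$SYSCTL_SCRIPT_DIR is not owned by root; refusing to install a root-run script there" >&2
    rm -f -- "$staged"
    return 1
  fi
  # install(1) copies and sets owner, group and mode in one step, so no
  # separate chmod +x is needed.
  local rc=0
  sudo install -o root -g wheel -m 755 "$staged" "$SYSCTL_SCRIPT_PATH" || rc=1
  rm -f -- "$staged"
  [[ $rc -eq 0 && -f "$SYSCTL_SCRIPT_PATH" ]]
}

#######################################
# Write the LaunchDaemon plist that runs the helper at boot.
# Globals:   PLIST_PATH, SYSCTL_SCRIPT_PATH (read)
# Outputs:   progress on stdout
# Returns:   0 when the plist exists afterwards, 1 otherwise
#######################################
install_launch_daemon() {
  echo "Creating LaunchDaemon plist at $PLIST_PATH"
  # Unquoted EOF on purpose: $SYSCTL_SCRIPT_PATH must expand into the plist.
  # KeepAlive is false: with true, launchd relaunches the one-shot script every
  # time it exits, so it would re-run (throttled) for the whole uptime.
  sudo tee "$PLIST_PATH" > /dev/null <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.user.setsysctlparams</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/bash</string>
        <string>$SYSCTL_SCRIPT_PATH</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <false/>
</dict>
</plist>
EOF
  [[ -f "$PLIST_PATH" ]] || return 1
  # launchd refuses daemons whose plist is not root:wheel with mode 644.
  echo "Setting permissions for the plist file"
  sudo chown root:wheel "$PLIST_PATH"
  sudo chmod 644 "$PLIST_PATH"
}

#######################################
# (Re)load the daemon. The unload is best-effort (it fails on a first
# install) and its output is intentionally discarded; only the load result
# decides success.
# Globals:   PLIST_PATH (read)
# Returns:   status of `launchctl load`
#######################################
load_launch_daemon() {
  echo "Loading the LaunchDaemon"
  sudo launchctl unload "$PLIST_PATH" 2>/dev/null || true
  sudo launchctl load "$PLIST_PATH"
}

main() {
  if ! install_sysctl_script; then
    echo "Failed to create the sysctl script" >&2
    exit 1
  fi
  if ! install_launch_daemon; then
    echo "Failed to create the plist file" >&2
    exit 1
  fi
  if load_launch_daemon; then
    echo "Setup complete. The sysctl parameters will be set at startup."
  else
    echo "Failed to load the LaunchDaemon. Please check the plist file and permissions." >&2
    echo "Contents of the plist file:"
    cat "$PLIST_PATH"
  fi
}

main "$@"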