@janeczku
Last active October 14, 2022 01:00
BASIC SYSCTL CONFIG
## disable ipv6
#net.ipv6.conf.all.disable_ipv6=1
#net.ipv6.conf.default.disable_ipv6=1
#net.ipv6.conf.lo.disable_ipv6=1
### IMPROVE SYSTEM MEMORY MANAGEMENT
####################################
# Do less swapping
vm.swappiness = 10
# Redis fix
vm.overcommit_memory=1
### TUNING NETWORK PERFORMANCE
##############################
# Lower the default time a closed socket is held in FIN-WAIT-2 (seconds)
net.ipv4.tcp_fin_timeout = 30
# Probe idle connections sooner and give up on dead peers faster:
# idle seconds before the first keepalive probe, number of unanswered
# probes before the connection is dropped, seconds between probes
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
## Concurrent connections tracked by netfilter
## (both keys exist only while the nf_conntrack module is loaded)
net.netfilter.nf_conntrack_max = 65536
net.nf_conntrack_max = 65536
### KERNEL
##########
# Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
# /proc/modules, etc), and this setting can censor the addresses. A value
# of "0" allows all users to see the kernel addresses. A value of "1"
# limits visibility to the root user, and "2" blocks even the root user.
kernel.kptr_restrict = 1
# randomizes addresses of mmap base, heap, stack and VDSO page
kernel.randomize_va_space = 2
### Filesystem
###############
# These settings eliminate an entire class of security vulnerability:
# time-of-check-time-of-use cross-privilege attacks using guessable
# filenames (generally seen as "/tmp file race" vulnerabilities).
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# Do not write core dumps for setuid/setgid processes (a dump could leak
# privileged memory contents into a world-readable file)
fs.suid_dumpable = 0
### NETWORK
###########
## Packet forwarding for IPv4 (enabled here; the Docker daemon requires it)
net.ipv4.ip_forward=1
## Uncomment the next line to enable packet forwarding for IPv6
## Enabling this option disables Stateless Address Autoconfiguration
## based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
## Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
## of TCP functionality/features under normal conditions. When flood
## protections kick in under high unanswered-SYN load, the system
## should remain more stable, with a trade off of some loss of TCP
## functionality/features (e.g. TCP Window scaling).
net.ipv4.tcp_syncookies=1
## Additional SYN-flood mitigation. Disable if problems arise.
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 2048
## Protect against TCP time-wait assassination hazards:
## drop RST packets for sockets in the time-wait state
## (not widely supported outside of Linux, but conforms to RFC 1337)
net.ipv4.tcp_rfc1337 = 1
## Enable the kernel's reverse path filter (1 = strict mode):
## the source address of every packet received on any interface is
## validated against the routing table, which blocks crude IP-spoofing
## attempts (strict mode drops asymmetrically routed traffic; use 2 for
## loose mode if that is a problem)
net.ipv4.conf.all.rp_filter = 1
## No rp_filter key exists for IPv6 in the Linux kernel, so sysctl reports
## "No such file or directory" for the line below; it is left commented out
#net.ipv6.conf.all.rp_filter = 1
## These might cause problems with Docker
##########################################
## Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
## Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0
# Don't relay bootp
net.ipv4.conf.all.bootp_relay = 0
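Added example, not part of the gist: a small POSIX sh audit helper that reads a sysctl.conf-style file like the one above and reports every key whose value in /proc/sys differs from the file, or that the running kernel does not expose at all (a misspelled or non-existent key such as an IPv6 rp_filter, or nf_conntrack not loaded). The function names, the optional alternative root directory and the sample config in the self-test are all constructed for this example.

```shell
#!/bin/sh
# Constructed audit helper (not part of the gist): compare every "key = value"
# in a sysctl.conf-style file with what the running kernel exposes under
# /proc/sys, and report drift or keys the kernel does not provide at all.
# A different root directory may be given so a saved copy of /proc/sys can be
# checked offline (the self-test uses that).

# Print one line per drifted key: "<key> want=<conf value> have=<kernel value>"
# (have=<missing> when the key does not exist, e.g. a misspelled name or a
# module such as nf_conntrack that is not loaded). Prints nothing when in sync.
sysctl_drift() {
    conf=$1
    root=${2:-/proc/sys}
    # Drop comments and blank lines, then split each remaining line at "=".
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" |
    while IFS='=' read -r key want; do
        key=$(printf '%s' "$key" | tr -d '[:blank:]')
        # Trim surrounding blanks and collapse runs of tabs/spaces so
        # multi-field values (e.g. "4096 87380 6291456") compare reliably.
        want=$(printf '%s' "$want" | sed -e 's/^[[:blank:]]*//' -e 's/[[:blank:]]*$//' | tr -s '[:blank:]' ' ')
        [ -n "$key" ] || continue
        # sysctl key "net.ipv4.ip_forward" lives at /proc/sys/net/ipv4/ip_forward
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ -r "$path" ]; then
            have=$(tr -s '[:blank:]' ' ' < "$path")
        else
            have='<missing>'
        fi
        [ "$have" = "$want" ] || printf '%s want=%s have=%s\n' "$key" "$want" "$have"
    done
}

# Exit status 0 when the kernel matches the file, 1 otherwise (drift is listed).
check_sysctl_drift() {
    drift=$(sysctl_drift "$1" "$2")
    [ -z "$drift" ] || { printf '%s\n' "$drift"; return 1; }
}

# Run directly as: sh sysctl_drift.sh /etc/sysctl.d/99-hardening.conf
if [ $# -ge 1 ]; then
    check_sysctl_drift "$1" "${2:-/proc/sys}"
fi
```

Running it after `sysctl -p` shows whether every value actually took effect on this kernel, which `sysctl -p` alone does not guarantee (it only prints an error for keys it cannot find and moves on).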