BASIC SYSCTL CONFIG
### IPv6
########
# Left disabled by default. Uncomment all three lines to turn IPv6 off on
# every existing interface (all), on interfaces created later (default) and
# on loopback (lo); a partial set leaves IPv6 live on the interfaces not listed.
#net.ipv6.conf.all.disable_ipv6=1
#net.ipv6.conf.default.disable_ipv6=1
#net.ipv6.conf.lo.disable_ipv6=1
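### IMPROVE SYSTEM MEMORY MANAGEMENT
####################################
# 0-100; lower values make the kernel prefer dropping page cache over
# swapping out process pages (kernel default is 60)
vm.swappiness = 10
# Redis recommends 1 (always overcommit) so its background save, which
# forks the whole process, is not refused under low memory. This replaces
# the kernel's heuristic overcommit check for every process on the host,
# not just Redis, so OOM-killer activity becomes more likely under pressure.
vm.overcommit_memory = 1

### TUNING NETWORK PERFORMANCE
##############################
# Seconds a socket waits in FIN-WAIT-2 for the peer's FIN (kernel default 60)
net.ipv4.tcp_fin_timeout = 30
# Keepalive: start probing after 300 s idle, then 5 probes 15 s apart, so a
# dead peer is detected after roughly 6 minutes instead of the default ~2 h
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15

## Connection-tracking table size
# Maximum number of tracked connections. When the table is full the kernel
# drops new connections ("nf_conntrack: table full, dropping packet"), the
# usual symptom of a connection flood hitting a host with a low limit.
# NOTE: the net.netfilter.* key only exists once the nf_conntrack module is
# loaded, so "sysctl -p" at boot errors on it if nothing has loaded the
# module yet. net.nf_conntrack_max is the older path for the same value;
# both are set so either layout applies.
net.netfilter.nf_conntrack_max = 65536
net.nf_conntrack_max = 65536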
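### KERNEL
##########
# Many files and interfaces contain kernel addresses (e.g. /proc/kallsyms,
# /proc/modules, etc), and this setting can censor them. A value of "0"
# allows all users to see the kernel addresses, "1" limits visibility to
# the root user, and "2" hides them even from root.
kernel.kptr_restrict = 1
# Full ASLR: randomizes the addresses of the mmap base, heap, stack and VDSO page
kernel.randomize_va_space = 2

### Filesystem
###############
# These two settings eliminate an entire class of security vulnerability:
# time-of-check-time-of-use cross-privilege attacks using guessable
# filenames (generally seen as "/tmp file race" vulnerabilities).
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# Separate concern from the two above: never core-dump setuid or otherwise
# privileged processes, since the dump could hand their memory (and any
# secrets in it) to the unprivileged user who started them.
fs.suid_dumpable = 0

### NETWORK
###########
## Packet forwarding for IPv4 is ENABLED here because the Docker daemon
## needs it. Comment the next line out on hosts that neither route nor run
## containers: a forwarding host relays traffic between its interfaces.
net.ipv4.ip_forward = 1
## Uncomment the next line to enable packet forwarding for IPv6
## Enabling this option disables Stateless Address Autoconfiguration
## based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
## Turn on SYN-flood protections. Starting with 2.6.26, there is no loss
## of TCP functionality/features under normal conditions. When flood
## protections kick in under high unanswered-SYN load, the system
## should remain more stable, with a trade off of some loss of TCP
## functionality/features (e.g. TCP Window scaling).
net.ipv4.tcp_syncookies = 1
## Additional SYN-flood mitigation: fewer handshake retries and a larger
## half-open backlog. Low retry counts can fail legitimate handshakes on
## lossy links; disable if problems arise.
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 2048
## protect against tcp time-wait assassination hazards
## drop RST packets for sockets in the time-wait state
## (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 = 1
## Reverse path filtering: 1 = strict source validation of packets received
## on every interface, dropping those whose source address would not be
## routed back the way they arrived. Protects against IP spoofing. Use 2
## (loose mode) instead on hosts with asymmetric routing. The kernel applies
## the higher of conf/all and conf/<interface>, so setting "all" suffices.
net.ipv4.conf.all.rp_filter = 1
## There is no rp_filter sysctl for IPv6 (the kernel does not expose
## net.ipv6.conf.*.rp_filter), so the line below only made "sysctl -p"
## report "cannot stat"; IPv6 reverse-path checks belong in netfilter.
#net.ipv6.conf.all.rp_filter = 1

## These might cause problems with Docker
##########################################
## Do not send ICMP redirects (we are not a router). Sending is enabled if
## EITHER conf/all OR conf/<interface> is set, so "default" (the template
## for newly created interfaces) has to be cleared as well.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
## Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0
## Don't relay bootp
net.ipv4.conf.all.bootp_relay = 0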