-
Notifications
You must be signed in to change notification settings - Fork 22
/
sysctl.conf
318 lines (244 loc) · 11 KB
/
sysctl.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
# Name: K4YT3X's Hardened & Optimized Linux Kernel Parameters
# Author: K4YT3X
# Contributor: IceCodeNew
# Contributor: HorlogeSkynet
# Contributor: shenzhui007
# Date Created: October 5, 2020
# Last Updated: July 14, 2024
# Licensed under the GNU General Public License Version 3 (GNU GPL v3),
# available at: https://www.gnu.org/licenses/gpl-3.0.txt
# (C) 2020-2024 K4YT3X
# Multiple sources have been consulted while writing this configuration
# file (e.g., nixCraft's sysctl.conf). Some sources may not have been cited.
# Please refer to Linux's kernel documentations or reach out to the author
# should you have any questions or recommendations.
########## Kernel ##########
# enable ExecShield protection
# 2 enables ExecShield by default unless applications bits are set to disabled
# uncomment on systems without NX/XD protections
# check with: dmesg | grep --color '[NX|DX]*protection'
#kernel.exec-shield = 2
# enable ASLR
# turn on protection and randomize stack, vdso page and mmap + randomize brk base address
kernel.randomize_va_space = 2
# controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# controls whether core dumps will append the PID to the core filename
# useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# restrict access to kernel address
# kernel pointers printed using %pK will be replaced with 0’s regardless of privileges
kernel.kptr_restrict = 2
# Ptrace protection using Yama
# - 0 (classic): allows any process to trace any other process under the same UID
# - 1 (restricted): only a parent process can be debugged
# - 2 (admin-only): only admins can use ptrace (CAP_SYS_PTRACE capability required)
# - 3 (no attach): disables ptrace completely, reboot is required to re-enable ptrace
# the general recommendation for this setting is:
# - if you do not need to debug programs, set it to 3
# - if you need to debug programs (e.g., GDB, LLDB, strace), set it to 1
# setting it to 3 will also break LXC v6+ procfs emulation for unprivileged containers
# (see GitHub issue https://github.com/lxc/lxcfs/issues/636)
kernel.yama.ptrace_scope = 3
# restrict kernel logs to root only
kernel.dmesg_restrict = 1
# restrict BPF JIT compiler to root only
kernel.unprivileged_bpf_disabled = 1
# disables kexec as it can be used to livepatch the running kernel
kernel.kexec_load_disabled = 1
# disable unprivileged user namespaces to decrease attack surface
kernel.unprivileged_userns_clone = 0
# disable the loading of kernel modules
# this can be used to prevent runtime insertion of malicious modules
# could break the system if enabled within sysctl.conf
# consider setting this manually after system is up
# sudo sysctl -w kernel.modules_disabled=1
#kernel.modules_disabled = 1
# allow for more PIDs
# this value can be up to:
# - 32768 (2^15) on a 32-bit system
# - 4194304 (2^22) on a 64-bit system
kernel.pid_max = 4194304
# reboot machine after kernel panic
#kernel.panic = 10
# restrict perf subsystem usage
kernel.perf_event_paranoid = 3
kernel.perf_cpu_time_max_percent = 1
kernel.perf_event_max_sample_rate = 1
# prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl
dev.tty.ldisc_autoload = 0
########## File System ##########
# disallow core dumping by SUID/SGID programs
fs.suid_dumpable = 0
# protect the creation of hard links
# one of the following conditions must be fulfilled
# - the user can only link to files that he or she owns
# - the user must first have read and write access to a file, that he/she wants to link to
fs.protected_hardlinks = 1
# protect the creation of symbolic links
# one of the following conditions must be fulfilled
# - the process following the symbolic link is the owner of the symbolic link
# - the owner of the directory is also the owner of the symbolic link
fs.protected_symlinks = 1
# enable extended FIFO protection
fs.protected_fifos = 2
# similar to protected_fifos, but it avoids writes to an attacker-controlled regular file
fs.protected_regular = 2
# increase system file descriptor limit
# this value can be up to:
# - 2147483647 (0x7fffffff) on a 32-bit system
# - 9223372036854775807 (0x7fffffffffffffff) on a 64-bit system
# be aware that the Linux kernel documentation suggests that inode-max should be 3-4 times
# larger than this value
fs.file-max = 9223372036854775807
# increase the amount of files that can be watched
# each file watch handle takes 1080 bytes
# up to 540 MiB of memory will be consumed if all 524288 handles are used
fs.inotify.max_user_watches = 524288
########## Virtualization ##########
# do not allow mmap in lower addresses
vm.mmap_min_addr = 65536
# improve mmap ASLR effectiveness
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16
# prevent unprivileged users from accessing userfaultfd
# restricts syscall to the privileged users or the CAP_SYS_PTRACE capability
vm.unprivileged_userfaultfd = 0
########## Networking ##########
# increase the maximum length of processor input queues
net.core.netdev_max_backlog = 250000
# enable BPF JIT hardening for all users
# this trades off performance, but can mitigate JIT spraying
net.core.bpf_jit_harden = 2
# increase TCP max buffer size settable using setsockopt()
net.core.rmem_default = 8388608
net.core.wmem_default = 8388608
net.core.rmem_max = 536870912
net.core.wmem_max = 536870912
net.core.optmem_max = 40960
########## IPv4 Networking ##########
# enable BBR congestion control
net.ipv4.tcp_congestion_control = bbr
# disallow IPv4 packet forwarding
net.ipv4.ip_forward = 0
# enable SYN cookies for SYN flooding protection
net.ipv4.tcp_syncookies = 1
# number of times SYNACKs for a passive TCP connection attempt will be retransmitted
net.ipv4.tcp_synack_retries = 5
# do not send redirects
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# do not accept packets with SRR option
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
# enable reverse path source validation (BCP38)
# refer to RFC1812, RFC2827, and BCP38 (http://www.bcp38.info)
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
# log packets with impossible addresses to kernel log
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1
# do not accept ICMP redirect messages
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
# disable sending and receiving of shared media redirects
# this setting overwrites net.ipv4.conf.all.secure_redirects
# refer to RFC1620
net.ipv4.conf.default.shared_media = 0
net.ipv4.conf.all.shared_media = 0
# always use the best local address for announcing local IP via ARP
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
# reply only if the target IP address is local address configured on the incoming interface
net.ipv4.conf.default.arp_ignore = 1
net.ipv4.conf.all.arp_ignore = 1
# drop Gratuitous ARP frames to prevent ARP poisoning
# this can cause issues when ARP proxies are used in the network
net.ipv4.conf.default.drop_gratuitous_arp = 1
net.ipv4.conf.all.drop_gratuitous_arp = 1
# ignore all ICMP echo requests
#net.ipv4.icmp_echo_ignore_all = 1
# ignore all ICMP echo and timestamp requests sent to broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1
# ignore bad ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1
# mitigate TIME-WAIT Assassination hazards in TCP
# refer to RFC1337
net.ipv4.tcp_rfc1337 = 1
# disable TCP window scaling
# this makes the host less susceptible to TCP RST DoS attacks
# could drastically reduce throughput if latency is high
#net.ipv4.tcp_window_scaling = 0
# increase system IP port limits
net.ipv4.ip_local_port_range = 1024 65535
# TCP timestamps could provide protection against wrapped sequence numbers,
# but the host's uptime can be calculated precisely from its timestamps
# it is also possible to differentiate operating systems based on their use of timestamps
# - 0: disable TCP timestamps
# - 1: enable timestamps as defined in RFC1323 and use random offset for
# each connection rather than only using the current time
# - 2: enable timestamps without random offsets
net.ipv4.tcp_timestamps = 0
# enabling SACK can increase the throughput
# but SACK is commonly exploited and rarely used
# re-enable this if you experience issues transferring large files over SMB
net.ipv4.tcp_sack = 0
net.ipv4.tcp_dsack = 0
net.ipv4.tcp_fack = 0
# SSR could impact TCP's performance on a fixed-speed network (e.g., wired)
# but it could be helpful on a variable-speed network (e.g., LTE)
# uncomment this if you are on a fixed-speed network
net.ipv4.tcp_slow_start_after_idle = 0
# enabling MTU probing helps mitigating PMTU blackhole issues
# this may not be desirable on congested networks
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_base_mss = 1024
# increase memory thresholds to prevent packet dropping
# the maximum buffer size is 536870912 bytes (512 MiB)
net.ipv4.tcp_rmem = 8192 262144 536870912
net.ipv4.tcp_wmem = 4096 16384 536870912
# reduce the maximum window size to 128 MiB to reduce TCP receive queue collapse
# (see https://blog.cloudflare.com/optimizing-tcp-for-high-throughput-and-low-latency)
net.ipv4.tcp_adv_win_scale = -2
# limit the size of unsent bytes in the write queue to prevent bufferbloat
net.ipv4.tcp_notsent_lowat = 131072
########## IPv6 Networking ##########
# disallow IPv6 packet forwarding
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
# number of Router Solicitations to send until assuming no routers are present
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.all.router_solicitations = 0
# do not accept Router Preference from RA
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 0
# learn prefix information in router advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
# setting controls whether the system will accept Hop Limit settings from a router advertisement
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_defrtr = 0
# router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.all.autoconf = 0
# number of neighbor solicitations to send out per address
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.all.dad_transmits = 0
# number of global unicast IPv6 addresses can be assigned to each interface
net.ipv6.conf.default.max_addresses = 1
net.ipv6.conf.all.max_addresses = 1
# enable IPv6 Privacy Extensions (RFC3041) and prefer the temporary address
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
# ignore IPv6 ICMP redirect messages
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# do not accept packets with SRR option
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# ignore all ICMPv6 echo requests
#net.ipv6.icmp.echo_ignore_all = 1
#net.ipv6.icmp.echo_ignore_anycast = 1
#net.ipv6.icmp.echo_ignore_multicast = 1