Linux kernel

Sysctl

  • Enable kernel protections (execshield)
kernel.exec-shield=1
kernel.randomize_va_space=1
  • Enable protection against IP spoofing (drops packets that arrive on an interface with a source address belonging to a network other than the one they should come from)
net.ipv4.conf.all.rp_filter=1
# 256 KB default performs well experimentally, and is often recommended by ISVs.
net.core.rmem_default = 262144
net.core.wmem_default = 262144

# When opening a high-bandwidth connection while the receiving end is under
# memory pressure, disk I/O may be necessary to free memory for the socket,
# making disk latency the effective latency for the bandwidth-delay product
# initially. For 10 Gb ethernet and SCSI, the BDP is about 5 MB. Allow 8 MB
# to account for overhead, to ensure that new sockets can saturate the medium
# quickly.
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608

# Allow a deep backlog for 10 Gb and bonded Gb ethernet connections
net.core.netdev_max_backlog = 10000

# Always have one page available, plus an extra for overhead, to ensure TCP NFS
# pageout doesn't stall under memory pressure. Default to max unscaled window,
# plus overhead for rmem, since most LAN sockets won't need to scale.
net.ipv4.tcp_rmem = 8192 87380 8388608
net.ipv4.tcp_wmem = 8192 65536 8388608

# Always have enough memory available on a UDP socket for an 8k NFS request,
# plus overhead, to prevent NFS stalling under memory pressure. 16k is still
# low enough that memory fragmentation is unlikely to cause problems.
net.ipv4.udp_rmem_min = 16384
net.ipv4.udp_wmem_min = 16384

# Ensure there's enough memory to actually allocate those massive buffers to a
# socket.
net.ipv4.tcp_mem = 8388608 12582912 16777216
net.ipv4.udp_mem = 8388608 12582912 16777216

sysctl.conf

Any parameter that lives under /proc/sys/ can be made persistent by adding it to the /etc/sysctl.conf file; settings changed with sysctl on the command line alone are lost at reboot.

# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables
# See sysctl.conf (5) for information.

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 4 4 1 7

###################################################################
# Functions previously found in netbase
#

#  Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167),
# and is not recommended.
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.conf.all.forwarding=1

###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.

# Ignore ICMP broadcasts
#net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP errors
#net.ipv4.icmp_ignore_bogus_error_responses = 1
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1

# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0

# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0

# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1

# The contents of /proc/<pid>/maps and smaps files are only visible to 
# readers that are allowed to ptrace() the process
# kernel.maps_protect = 1
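Because every hardening setting in the stock file above ships commented out, it is easy to believe a host is protected when the line was never uncommented. The following is an added example (not part of this page or of any distribution's tooling) that parses a sysctl.conf-style file the way sysctl.conf(5) reads it, ignoring '#' and ';' lines, and reports which of the anti-spoofing and ICMP-redirect settings from this page are still unset or hold a weak value. The BASELINE table is an assumption built from the values on this page; the sample file is constructed.

```python
import re

# Baseline assumed from the settings on this page (not an official list).
# kernel.randomize_va_space: the page sets 1; 2 (also randomizes brk) is accepted as stronger.
BASELINE = {
    "kernel.randomize_va_space": {"1", "2"},
    "net.ipv4.conf.all.rp_filter": {"1"},
    "net.ipv4.conf.default.rp_filter": {"1"},
    "net.ipv4.conf.all.accept_redirects": {"0"},
    "net.ipv6.conf.all.accept_redirects": {"0"},
    "net.ipv4.conf.all.send_redirects": {"0"},
    "net.ipv4.conf.all.accept_source_route": {"0"},
    "net.ipv4.conf.all.log_martians": {"1"},
}

# sysctl.conf(5): one "token = value" per line; '#' or ';' begins a comment line.
LINE_RE = re.compile(r"^([\w.\-/]+)\s*=\s*(.*)$")

def parse_sysctl_conf(text):
    """Return {key: value} for the active (non-comment) lines of a sysctl.conf file."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # a commented-out setting is never applied
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip()   # a later line wins, as sysctl -p applies in order
    return settings

def audit(settings, baseline=BASELINE):
    """List (key, state, value) for each baseline key that is unset or not at a recommended value."""
    findings = []
    for key, ok_values in sorted(baseline.items()):
        if key not in settings:
            findings.append((key, "unset", None))
        elif settings[key] not in ok_values:
            findings.append((key, "weak", settings[key]))
    return findings

# Constructed sample: a partially hardened file, one setting left commented out and one set weakly.
SAMPLE_CONF = """\
kernel.randomize_va_space = 2
#net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_rmem = 8192 87380 8388608
"""
```

Running `audit(parse_sysctl_conf(open("/etc/sysctl.conf").read()))` on a real host reports only what the file would apply; the values currently in effect still have to be read from /proc/sys (or `sysctl -a`) for comparison.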