Sysctl
- zapnuti ochrany kernelu (execshield)
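# One directive per line: sysctl(8) splits a line at the first "=" and
# treats everything after it as the value, so putting two keys on one line
# writes "1 kernel.randomize_va_space=1" to the first key and never sets
# the second.
#
# kernel.exec-shield only exists on kernels carrying the ExecShield patch
# (older RHEL/Fedora). Other kernels have no such key; sysctl -p reports it
# as missing and continues (sysctl -e silences that). NX-bit enforcement on
# those kernels does not depend on this setting.
kernel.exec-shield = 1
# ASLR level: 0 = off, 1 = randomize stack, mmap base and VDSO,
# 2 = additionally randomize the heap (brk). 2 is the value hardening
# guides call for; 1 leaves the heap at a predictable address.
kernel.randomize_va_space = 2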
- zapnuti ochrany proti IP spoofing (dropuje pakety co prijdou na rozhrani a maj adresu z jiny site nez mit maji)
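# Reverse-path filtering (source-address verification): drop packets whose
# source address would not be routed back out through the interface they
# arrived on. 1 = strict, 2 = loose (use 2 on hosts with asymmetric routing,
# otherwise legitimate return traffic is silently dropped).
# The kernel applies max(conf/all, conf/<iface>) per interface, so "all"
# covers interfaces that already exist; "default" seeds the per-interface
# value for interfaces created later (VPN tunnels, hot-plugged NICs).
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1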
- 256 KB default performs well experimentally, and is often recommended by ISVs.
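# One directive per line (sysctl splits at the first "=", so a second key on
# the same line is never applied).
# Default receive/send buffer size in bytes for sockets that do not call
# setsockopt(SO_RCVBUF/SO_SNDBUF). TCP sockets do not use these; they take
# their initial size from net.ipv4.tcp_rmem / tcp_wmem instead.
net.core.rmem_default = 262144
net.core.wmem_default = 262144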
- When opening a high-bandwidth connection while the receiving end is under
- memory pressure, disk I/O may be necessary to free memory for the socket,
- making disk latency the effective latency for the bandwidth-delay product
- initially. For 10 Gb ethernet and SCSI, the BDP is about 5 MB. Allow 8 MB
- to account for overhead, to ensure that new sockets can saturate the medium
- quickly.
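# One directive per line (sysctl splits at the first "=", so a second key on
# the same line is never applied).
# Upper bound in bytes on what any application, privileged or not, may
# request via SO_RCVBUF / SO_SNDBUF. Raising it to 8 MB means a single
# socket can pin that much kernel memory per direction, which raises the
# per-connection cost of a socket flood; the global ceiling is tcp_mem /
# udp_mem.
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608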
- Allow a deep backlog for 10 Gb and bonded Gb ethernet connections
# Length (in packets) of the per-CPU input queue that holds frames the NIC
# has delivered but the network stack has not yet processed; frames arriving
# when the queue is full are dropped.
net.core.netdev_max_backlog = 10000
- Always have one page available, plus an extra for overhead, to ensure TCP NFS
- pageout doesn't stall under memory pressure. Default to max unscaled window,
- plus overhead for rmem, since most LAN sockets won't need to scale.
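# One directive per line (sysctl splits at the first "=", so a second key on
# the same line is never applied).
# Per-socket TCP buffer bounds in bytes: "min default max". The kernel
# autotunes each socket between min and max; "default" overrides
# net.core.rmem_default / wmem_default for TCP. An application that sets
# SO_RCVBUF / SO_SNDBUF itself disables autotuning for that socket and is
# then capped by net.core.rmem_max / wmem_max instead of the max here.
net.ipv4.tcp_rmem = 8192 87380 8388608
net.ipv4.tcp_wmem = 8192 65536 8388608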
- Always have enough memory available on a UDP socket for an 8k NFS request,
- plus overhead, to prevent NFS stalling under memory pressure. 16k is still
- low enough that memory fragmentation is unlikely to cause problems.
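# One directive per line (sysctl splits at the first "=", so a second key on
# the same line is never applied).
# Buffer size in bytes that every UDP socket is always allowed to use for
# receiving / sending, even when the total UDP memory has crossed the
# udp_mem pressure threshold.
net.ipv4.udp_rmem_min = 16384
net.ipv4.udp_wmem_min = 16384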
- Ensure there's enough memory to actually allocate those massive buffers to a
- socket. Note that tcp_mem and udp_mem are expressed in pages (usually 4 KiB), not bytes, so the values below are far larger than the byte figures above suggest.
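# One directive per line (sysctl splits at the first "=", so a second key on
# the same line is never applied).
# Global TCP / UDP memory limits: "low pressure high".
# WARNING: these are counted in PAGES (typically 4 KiB), not bytes. As
# written, pressure is entered at ~48 GiB and the hard limit is ~64 GiB, so
# on any host with less RAM the kernel's socket-memory throttling never
# engages and a connection flood can exhaust memory. The kernel derives
# defaults from installed RAM at boot; unless the host really has that much
# memory, leave these unset or size them in pages relative to the RAM.
net.ipv4.tcp_mem = 8388608 12582912 16777216
net.ipv4.udp_mem = 8388608 12582912 16777216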
- http://www.mjmwired.net/kernel/Documentation/networking/ip-sysctl.txt
- http://www.security-portal.cz/node/3553
- http://klaver.it/linux/sysctl.conf
- http://lartc.org/howto/index.html
sysctl.conf: Any parameter that lives under /proc/sys/ can be made persistent by adding it to /etc/sysctl.conf (or a file in /etc/sysctl.d/). The key is written with the /proc/sys/ prefix dropped and the remaining path separators replaced by dots, e.g. /proc/sys/net/ipv4/ip_forward becomes net.ipv4.ip_forward; the file is applied at boot and can be reloaded with `sysctl -p`.
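# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
# One "key = value" directive per line; "#" starts a comment.

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 4 4 1 7

###############################################################
# Functions previously found in netbase
#

# Uncomment the next two lines to enable spoof protection (reverse-path
# filter): source-address verification on all interfaces, dropping packets
# whose source address is not routable back through the arrival interface.
# 1 = strict; use 2 (loose) on hosts with asymmetric routing, or legitimate
# return traffic is dropped. The kernel applies max(conf/all, conf/<iface>),
# so "all" covers existing interfaces and "default" seeds the per-interface
# value for interfaces created later.
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies.
# SYN cookies are only used once the SYN backlog overflows (i.e. under a SYN
# flood); connections established from a cookie lose TCP options the cookie
# cannot carry. On current kernels the window scale is recovered from the
# TCP timestamp option, so the old objection that this "disables TCP window
# scaling" (http://lkml.org/lkml/2008/2/5/167) no longer applies in general,
# and enabling it is the usual hardening recommendation.
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4.
# This turns the host into a router; the redirect settings below are then
# evaluated under router semantics.
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Ignore ICMP broadcasts (so the host cannot be used as an amplifier for
# broadcast pings)
#net.ipv4.icmp_echo_ignore_broadcasts = 1
#
# Ignore bogus ICMP errors
#net.ipv4.icmp_ignore_bogus_error_responses = 1
#
# Do not accept ICMP redirects (prevent MITM attacks via injected routes).
# On a non-forwarding host a redirect is accepted if EITHER conf/all OR the
# per-interface value is set, so "all" alone is not sufficient: set
# "default" too, and apply it before interfaces come up (or set the
# per-interface keys as well).
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv4.conf.default.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
#net.ipv6.conf.default.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router). Sending is enabled if
# EITHER conf/all OR the per-interface value is set, so set "default" too.
#net.ipv4.conf.all.send_redirects = 0
#net.ipv4.conf.default.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets (packets with impossible source/destination
# addresses); pair with rp_filter above, and rate-limit or ship logs if the
# host is exposed, since an attacker can generate these at will.
#net.ipv4.conf.all.log_martians = 1
#
# The contents of /proc/<pid>/maps and smaps files are only visible to
# readers that are allowed to ptrace() the process.
# NOTE: this key only existed in some older 2.6 kernels; later kernels
# enforce that behaviour unconditionally and reject the key as unknown, so
# leave it commented out unless /proc/sys/kernel/maps_protect exists.
# kernel.maps_protect = 1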