Add sysctl.conf

README.md

@@ -0,0 +1,3 @@
+Usage:
+
+ansible-playbook -i hosts.example -u root main.yml [--ask-sudo-pass]

hosts.example

@@ -1,2 +1,2 @@
 [test]
-192.168.1.136
+192.168.1.113

main.yml

@@ -3,10 +3,13 @@
   roles:
     - apk
     - alpine
+    - os
     - sshd
+    # - firewall
+    # - snort
+    # - rkhunter
     - nginx
     # - postgresql
-    # - openssh
     # - ruby
     # - nodejs
     # - supervisord

roles/nginx/tasks/install/alpine.yml

@@ -0,0 +1,2 @@
+- name: Nginx | Install nginx
+  apk: name=nginx

roles/nginx/tasks/main.yml

@@ -1,5 +1,5 @@
-- name: Nginx | Install nginx
-  apk: name=nginx
+- include: install/alpine.yml
+  when: ansible_os_family == "Alpine"
 
 - name: Nginx | Prepare dirs
   file: "path={{nginx_dir}}/{{item}} state=directory"

roles/os/defaults/main.yml

@@ -0,0 +1,4 @@
+sysctl_kernel_shmmax: 579297856
+sysctl_kernel_pid_max: 65536
+sysctl_fs_file_max: 65000
+sysctl_disable_forwarding: True

roles/os/tasks/main.yml

@@ -0,0 +1,7 @@
+- name: OS | Generate sysctl.conf
+  template:
+    src: sysctl.conf.j2
+    dest: "/etc/sysctl.conf"
+    owner: root
+    group: root
+    mode: 0644

roles/os/templates/sysctl.conf.j2

@@ -0,0 +1,143 @@
+###############################
+# Kernel sysctl configuration #
+###############################
+
+###############################
+
+####################
+### KERNEL       ###
+####################
+
+# Make the addresses of mmap base, stack, heap and VDSO page randomized
+kernel.randomize_va_space = 2
+
+# Reboot system when kernel panic occur, oops will wait 30 seconds untill call panic()
+kernel.panic = 30
+kernel.panic_on_oops = 30
+
+# Disable magic-sysrq key
+kernel.sysrq = 0
+
+# No core dumps for SUID
+fs.suid_dumpable = 0
+
+####################
+### RESOURCES    ###
+####################
+
+# Max shared buffer memory (512M) PostgreSQL
+kernel.shmmax = {{sysctl_kernel_shmmax}}
+
+# Maximum number of file handles that the Linux kernel will allocate
+fs.file-max = {{sysctl_fs_file_max}}
+
+# Allow more PIDs
+kernel.pid_max = {{sysctl_kernel_pid_max}}
+
+
+####################
+### NETWORK      ###
+####################
+
+### NETWORK PERFORMANCE ###
+
+# Buffer size autotuning - buffer size (and tcp window size) is dynamically updated for each connection.
+# In that case tuning options net.ipv4.tcp_wmem and net.ipv4.tcp_rmem isnt recommended
+net.ipv4.tcp_moderate_rcvbuf = 1
+
+# Turn off the tcp_timestamps
+net.ipv4.tcp_timestamps = 0
+
+# Enable dynamic tcp window scaling
+net.ipv4.tcp_window_scaling = 1
+
+# Increase number of incoming connections
+net.core.somaxconn = 65536
+
+# Increase number of incoming connections backlog
+net.core.netdev_max_backlog = 65536
+
+# Increase the maximum amount of option memory buffers
+net.core.optmem_max = 25165824
+
+# Increase the maximum total buffer-space allocatable
+# This is measured in units of pages (4096 bytes)
+net.ipv4.tcp_mem = 65536 131072 262144
+net.ipv4.udp_mem = 65536 131072 262144
+
+# Increase the read-buffer space allocatable
+net.ipv4.tcp_rmem = 8192 87380 16777216
+net.ipv4.udp_rmem_min = 16384
+
+# Increase the write-buffer-space allocatable
+net.ipv4.tcp_wmem = 8192 65536 16777216
+net.ipv4.udp_wmem_min = 16384
+
+# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
+net.ipv4.tcp_max_tw_buckets = 1440000
+net.ipv4.tcp_tw_recycle = 1
+net.ipv4.tcp_tw_reuse = 1
+
+# Decrease the time default value for tcp_fin_timeout connection
+net.ipv4.tcp_fin_timeout = 10
+
+# Decrease the time default value for connections to keep alive
+net.ipv4.tcp_keepalive_time = 300
+net.ipv4.tcp_keepalive_probes = 5
+net.ipv4.tcp_keepalive_intvl = 15
+
+### NETWORK SECURITY ###
+
+{% if sysctl_disable_forwarding %}
+# Disable packet forwarding
+net.ipv4.ip_forward = 0
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+{% endif %}
+
+# No source routed packets here
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.eth0.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+
+# Make sure no one can alter the routing tables
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.eth0.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.eth0.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+
+# Turn on protection for IP-spoofing
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.lo.rp_filter = 1
+net.ipv4.conf.eth0.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Avoid a smurf attack
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# Turn on protection for bad icmp error messages
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Turn on and log spoofed, source routed, and redirect packets
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+# Number of times SYNACKs for passive TCP connection.
+net.ipv4.tcp_synack_retries = 2
+
+# Allowed local port range
+net.ipv4.ip_local_port_range = 2000 65535
+
+# Protect Against TCP Time-Wait
+net.ipv4.tcp_rfc1337 = 1
+
+# Turn off the TCP SACK
+net.ipv4.tcp_sack = 0
+
+# Prevent SYN attack
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_max_syn_backlog = 4096
+net.ipv4.tcp_syn_retries = 5
+net.ipv4.tcp_synack_retries = 2