Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
8 changed files
with
166 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
Usage: | ||
|
||
ansible-playbook -i hosts.example -u root main.yml [--ask-sudo-pass] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,2 @@ | ||
[test] | ||
192.168.1.136 | ||
192.168.1.113 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
- name: Nginx | Install nginx | ||
apk: name=nginx |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
sysctl_kernel_shmmax: 579297856 | ||
sysctl_kernel_pid_max: 65536 | ||
sysctl_fs_file_max: 65000 | ||
sysctl_disable_forwarding: True |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
- name: OS | Generate sysctl.conf | ||
template: | ||
src: sysctl.conf.j2 | ||
dest: "/etc/sysctl.conf" | ||
owner: root | ||
group: root | ||
mode: 0644 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,143 @@ | ||
############################### | ||
# Kernel sysctl configuration # | ||
############################### | ||
|
||
############################### | ||
|
||
#################### | ||
### KERNEL ### | ||
#################### | ||
|
||
# Make the addresses of mmap base, stack, heap and VDSO page randomized | ||
kernel.randomize_va_space = 2 | ||
|
||
# Reboot system when kernel panic occur, oops will wait 30 seconds untill call panic() | ||
kernel.panic = 30 | ||
kernel.panic_on_oops = 30 | ||
|
||
# Disable magic-sysrq key | ||
kernel.sysrq = 0 | ||
|
||
# No core dumps for SUID | ||
fs.suid_dumpable = 0 | ||
|
||
#################### | ||
### RESOURCES ### | ||
#################### | ||
|
||
# Max shared buffer memory (512M) PostgreSQL | ||
kernel.shmmax = {{sysctl_kernel_shmmax}} | ||
|
||
# Maximum number of file handles that the Linux kernel will allocate | ||
fs.file-max = {{sysctl_fs_file_max}} | ||
|
||
# Allow more PIDs | ||
kernel.pid_max = {{sysctl_kernel_pid_max}} | ||
|
||
|
||
#################### | ||
### NETWORK ### | ||
#################### | ||
|
||
### NETWORK PERFORMANCE ### | ||
|
||
# Buffer size autotuning - buffer size (and tcp window size) is dynamically updated for each connection. | ||
# In that case tuning options net.ipv4.tcp_wmem and net.ipv4.tcp_rmem isnt recommended | ||
net.ipv4.tcp_moderate_rcvbuf = 1 | ||
|
||
# Turn off the tcp_timestamps | ||
net.ipv4.tcp_timestamps = 0 | ||
|
||
# Enable dynamic tcp window scaling | ||
net.ipv4.tcp_window_scaling = 1 | ||
|
||
# Increase number of incoming connections | ||
net.core.somaxconn = 65536 | ||
|
||
# Increase number of incoming connections backlog | ||
net.core.netdev_max_backlog = 65536 | ||
|
||
# Increase the maximum amount of option memory buffers | ||
net.core.optmem_max = 25165824 | ||
|
||
# Increase the maximum total buffer-space allocatable | ||
# This is measured in units of pages (4096 bytes) | ||
net.ipv4.tcp_mem = 65536 131072 262144 | ||
net.ipv4.udp_mem = 65536 131072 262144 | ||
|
||
# Increase the read-buffer space allocatable | ||
net.ipv4.tcp_rmem = 8192 87380 16777216 | ||
net.ipv4.udp_rmem_min = 16384 | ||
|
||
# Increase the write-buffer-space allocatable | ||
net.ipv4.tcp_wmem = 8192 65536 16777216 | ||
net.ipv4.udp_wmem_min = 16384 | ||
|
||
# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks | ||
net.ipv4.tcp_max_tw_buckets = 1440000 | ||
net.ipv4.tcp_tw_recycle = 1 | ||
net.ipv4.tcp_tw_reuse = 1 | ||
|
||
# Decrease the time default value for tcp_fin_timeout connection | ||
net.ipv4.tcp_fin_timeout = 10 | ||
|
||
# Decrease the time default value for connections to keep alive | ||
net.ipv4.tcp_keepalive_time = 300 | ||
net.ipv4.tcp_keepalive_probes = 5 | ||
net.ipv4.tcp_keepalive_intvl = 15 | ||
|
||
### NETWORK SECURITY ### | ||
|
||
{% if sysctl_disable_forwarding %} | ||
# Disable packet forwarding | ||
net.ipv4.ip_forward = 0 | ||
net.ipv4.conf.all.send_redirects = 0 | ||
net.ipv4.conf.default.send_redirects = 0 | ||
{% endif %} | ||
|
||
# No source routed packets here | ||
net.ipv4.conf.all.accept_source_route = 0 | ||
net.ipv4.conf.eth0.accept_source_route = 0 | ||
net.ipv4.conf.default.accept_source_route = 0 | ||
|
||
# Make sure no one can alter the routing tables | ||
net.ipv4.conf.all.accept_redirects = 0 | ||
net.ipv4.conf.eth0.accept_redirects = 0 | ||
net.ipv4.conf.default.accept_redirects = 0 | ||
net.ipv4.conf.all.secure_redirects = 0 | ||
net.ipv4.conf.eth0.secure_redirects = 0 | ||
net.ipv4.conf.default.secure_redirects = 0 | ||
|
||
# Turn on protection for IP-spoofing | ||
net.ipv4.conf.all.rp_filter = 1 | ||
net.ipv4.conf.lo.rp_filter = 1 | ||
net.ipv4.conf.eth0.rp_filter = 1 | ||
net.ipv4.conf.default.rp_filter = 1 | ||
|
||
# Avoid a smurf attack | ||
net.ipv4.icmp_echo_ignore_broadcasts = 1 | ||
|
||
# Turn on protection for bad icmp error messages | ||
net.ipv4.icmp_ignore_bogus_error_responses = 1 | ||
|
||
# Turn on and log spoofed, source routed, and redirect packets | ||
net.ipv4.conf.all.log_martians = 1 | ||
net.ipv4.conf.default.log_martians = 1 | ||
|
||
# Number of times SYNACKs for passive TCP connection. | ||
net.ipv4.tcp_synack_retries = 2 | ||
|
||
# Allowed local port range | ||
net.ipv4.ip_local_port_range = 2000 65535 | ||
|
||
# Protect Against TCP Time-Wait | ||
net.ipv4.tcp_rfc1337 = 1 | ||
|
||
# Turn off the TCP SACK | ||
net.ipv4.tcp_sack = 0 | ||
|
||
# Prevent SYN attack | ||
net.ipv4.tcp_syncookies = 1 | ||
net.ipv4.tcp_max_syn_backlog = 4096 | ||
net.ipv4.tcp_syn_retries = 5 | ||
net.ipv4.tcp_synack_retries = 2 |