-
Notifications
You must be signed in to change notification settings - Fork 4
/
99-sysctl.conf
557 lines (452 loc) · 18 KB
/
99-sysctl.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
# Configuration file for runtime kernel parameters.
# See sysctl.conf(5) for more information.
# ==============================================================================
# dev {{{
# Restrict loading TTY line disciplines to CAP_SYS_MODULE. Prevents
# unprivileged attackers from loading vulnerable line disciplines with
# the TIOCSETD ioctl.
dev.tty.ldisc_autoload = 0
# Have the CD-ROM close when you use it, and open when you are done.
#dev.cdrom.autoclose = 1
#dev.cdrom.autoeject = 1
# end dev }}}
# ==============================================================================
# fs {{{
# Don't allow writes to files that we don't own in world writable sticky
# directories, unless they are owned by the owner of the directory.
fs.protected_fifos = 2
fs.protected_regular = 2
# Protect against privilege escalations via link tomfoolery.
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# Determines whether core dump files are produced for set-user-ID or
# otherwise protected/tainted binaries.
#
# Usage
# fs.suid_dumpable = 0
# 0 - Traditional behaviour. Any process which has changed privilege
# levels or is execute-only will not be dumped. (Default)
# 1 - Debug only. All processes dump core when possible. The core
# dump is owned by the current user and no security is applied.
# 2 - suidsafe. Any binary which can normally not be dumped is dumped
# readable by root only. End user can remove such a dump but
# not access it directly.
fs.suid_dumpable = 0
# Increase size of file handles and inode cache.
#
# Usage
# fs.file-max = <_PHYS_PAGES>*<PAGE_SIZE>/1024/10.
#fs.file-max = 785928
# end fs }}}
# ==============================================================================
# kernel {{{
# Disable core dumps.
kernel.core_pattern = |/bin/false
# Forbid access to kernel logs without the CAP_SYS_ADMIN capability.
kernel.dmesg_restrict = 1
# Throttle perf sample rate to 1% of CPU.
kernel.perf_cpu_time_max_percent = 1
# Throttle performance monitoring. Prevents impacting overall machine
# performance and potentially locking up the machine.
kernel.perf_event_max_sample_rate = 1
# Block non-uid-0 profiling. Needs patch, otherwise 3 is the same as 2.
# See: https://patchwork.kernel.org/patch/9249919/
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# Avoid non-ancestor ptrace access to running processes and their
# credentials.
kernel.yama.ptrace_scope = 1
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Only allow the SysRq key to be used for shutdowns and the Secure
# Attention Key (SAK).
kernel.sysrq = 132
# Controls whether core dumps will append the PID to the core
# filename. Useful when e.g. debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Make content of /proc/<pid>/{,s}maps only visible to readers allowed
# to ptrace() the process. Usually it is useless.
#kernel.maps_protect = 1
# Enable ExecShield protection. Usually doesn't work in Ubuntu because
# it uses hardware NX when the CPU supports it or uses NX emulation in
# the kernel equivalent of the Red Hat Exec Shield patch.
#kernel.exec-shield = 1
# Enable Address Space Layout Randomization, random placement of virtual
# memory regions. Mitigates certain types of buffer overflow attacks.
#
# Usage
# kernel.randomize_va_space = 2
# 2 - Randomize the positions of the stack, VDSO page, shared memory
# regions, and the data segment.
kernel.randomize_va_space = 2
# Indicates whether to place restrictions on exposing kernel addresses
# via /proc and other interfaces.
kernel.kptr_restrict = 2
# Limit low-level kernel messages on console.
#
# Usage
# kernel.printk = <CUR> <DEF> <MIN> <BTDEF>
# <CUR> = current severity level; only messages more important
# than this level are printed
# <DEF> = default severity level assigned to messages with no level
# <MIN> = minimum allowable CUR
# <BTDEF> = boot-time default CUR
#
# Severity levels:
# 0 - Emergency
# 1 - Alert
# 2 - Critical
# 3 - Error
# 4 - Warning
# 5 - Notice
# 6 - Informational
# 7 - Debug
kernel.printk = 3 3 3 3
# Tweak how the flow of kernel messages is throttled.
#kernel.printk_ratelimit_burst = 10
#kernel.printk_ratelimit = 5
# Bump the numeric PID range to its maximum of 2^22 (from the in-kernel
# default of 2^16), to make PID collisions less likely.
#kernel.pid_max = 4194304
# Controls the default max size of queue and default max size of message.
# Values are from IBM DB2 user manual.
kernel.msgmnb = 65535
kernel.msgmax = 65535
# Set the system-wide maximum number of shared memory segments. Oracle
# and IBM recommend 4096.
#
# Usage
# kernel.shmmni = 256*<total_memory_in_GB>
#kernel.shmmni = 4096
# Define the maximum size in bytes of a single shared memory segment
# that a Linux process can allocate in its virtual address space.
#
# Usage
# kernel.shmmax = <total_memory_in_bytes>
#kernel.shmmax = 17179869184
# Set the total amount of shared memory pages that can be used
# system-wide.
#
# Usage
# kernel.shmall = 2*<shmmax>/<PAGE_SIZE> # or greater
#kernel.shmall = 8388608
# Customize Semaphores.
#
# Usage
# kernel.sem = <SEMMSL> <SEMMNS> <SEMOPM> <SEMMNI>
# <SEMMSL>
# Oracle recommends SEMMSL be >= 250.
# <SEMMNS> = <SEMMSL>*<SEMMNI>
# Oracle recommends SEMMNS be >= 32000.
# <SEMOPM>
# Oracle recommends SEMOPM be >= 100.
# <SEMMNI> = <total_memory_in_GB>*256
# Oracle recommends SEMMNI be >= 128.
#kernel.sem = 250 1024000 100 4096
# Set number of message queue identifiers.
#
# Usage
# kernel.msgmni = 1024*<total_memory_in_GB>
#kernel.msgmni = 16384
# Reboot 600 seconds after kernel panic or oops.
#kernel.panic_on_oops = 1
#kernel.panic = 600
# end kernel }}}
# ==============================================================================
# net {{{
# Don't accept ICMP redirects. Prevents MITM attacks.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Don't send ICMP redirects because we are not a router.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Don't accept IP source route packets because we are not a
# router. Protects against spoofed TCP connections.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Don't relay bootp.
net.ipv4.conf.all.bootp_relay = 0
# Don't flush all addresses on an interface when the primary address
# is removed.
net.ipv4.conf.all.promote_secondaries = 1
net.ipv4.conf.default.promote_secondaries = 1
# Strict mode as defined in RFC3704 Strict Reverse Path.
# See: https://wiki.ubuntu.com/ImprovedNetworking/KernelSecuritySettings
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Don't send or accept RFC1620 shared media redirects.
net.ipv4.conf.all.shared_media = 0
net.ipv4.conf.default.shared_media = 0
# Disable packet forwarding. Enable for WireGuard.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
# Don't proxy ARP/NDP. Enable for WireGuard.
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.default.proxy_arp = 0
net.ipv6.conf.all.proxy_ndp = 0
net.ipv6.conf.default.proxy_ndp = 0
# Turn on dynamic IP addressing. Let masquerading switch the source
# address of packets. See: https://linuxgazette.net/68/tag/1.html
#
# Usage
# net.ipv4.ip_dynaddr = 7
# 0 - Switch off special handling of dynamic addresses (Default)
# 1 - Enable rewriting in quiet mode
# 3 - Enable rewriting in verbose mode
# 5 - Enable quiet RST-provoking mode
# 7 - Enable verbose RST-provoking mode (for WireGuard)
#net.ipv4.ip_dynaddr = 7
# Prevent errors from TIME_WAIT assassination.
net.ipv4.tcp_rfc1337 = 1
# Flush routing cache. Ensure immediately subsequent connections use
# the new values.
net.ipv4.route.flush = 1
net.ipv6.route.flush = 1
# Enable Path MTU discovery, a technique to determine the largest Maximum
# Transfer Unit possible on your path.
net.ipv4.ip_no_pmtu_disc = 0
# Disable Selective ACK to mitigate exploits.
net.ipv4.tcp_sack = 0
net.ipv4.tcp_dsack = 0
net.ipv4.tcp_fack = 0
# ECN allows end-to-end notification of network congestion without
# dropping packets. It is a nice RFC, but in real life we have a lot of
# crappy network hardware, so disable it.
net.ipv4.tcp_ecn = 0
# Disable(1) the PreQueue entirely. Ideal for slow wifi networks.
# Enable(0) to instruct the TCP/IP stack to prefer low latency instead
# of high throughput. IBM recommends enabling.
net.ipv4.tcp_low_latency = 1
# Enable Forward RTO-Recovery (F-RTO) defined in RFC4138. F-RTO is an
# enhanced recovery algorithm for TCP retransmission timeouts. It is
# usually good to use in wireless environments where packet loss is
# typically due to random radio interference rather than intermediate
# router congestion.
#
# Usage
# net.ipv4.tcp_frto = 2
# 1 - basic version is enabled, sometimes improves performance.
# 2 - enables SACK-enhanced F-RTO if flow uses SACK. (Default)
net.ipv4.tcp_frto = 2
# Enable TCP Fast Open (RFC7413) to send and accept data in the opening
# SYN-packet. Does not affect unsupported hosts, but quickens handshake
# for supported hosts. Using the value 3 instead of the default 1 allows
# TCP Fast Open for both incoming and outgoing connections.
net.ipv4.tcp_fastopen = 3
# Protection from SYN flood attacks; SYN cookies are only used as
# a fallback.
# Note: It may also impact IPv6 TCP sessions.
# Note: It is evil to use this on high-load servers.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
# See evil packets in your logs.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Ignore ICMP broadcasts.
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Don't ignore directed pings.
net.ipv4.icmp_echo_ignore_all = 0
# Protect against bad error messages.
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Disable IPv6 because it is evil.
#net.ipv6.conf.all.disable_ipv6 = 1
#net.ipv6.conf.default.disable_ipv6 = 1
#net.ipv6.conf.lo.disable_ipv6 = 1
# Tune IPv6.
net.ipv6.conf.all.accept_dad = 0
net.ipv6.conf.default.accept_dad = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.all.dad_transmits = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.all.router_solicitations = 0
net.ipv6.conf.default.router_solicitations = 0
# Use and prefer IPv6 Privacy Extensions.
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
# Decrease IPv6 privacy address preferred lifetime to 8 hours. Deprecates
# temporary addresses after N seconds, after which we change to a new one.
net.ipv6.conf.all.temp_prefered_lft = 28800
net.ipv6.conf.default.temp_prefered_lft = 28800
# Decrease IPv6 privacy address valid lifetime to 72 hours. Invalidates
# IPv6 connections using (deprecated) temporary addresses after N seconds.
net.ipv6.conf.all.temp_valid_lft = 259200
net.ipv6.conf.default.temp_valid_lft = 259200
# Increase maximum number of IPv6 privacy addresses with valid lifetime.
net.ipv6.conf.all.max_addresses = 27
net.ipv6.conf.default.max_addresses = 27
# Increase maximum number of attempts to generate an IPv6 privacy address
# before failing.
net.ipv6.conf.all.regen_max_retry = 7
net.ipv6.conf.default.regen_max_retry = 7
# Decrease maximum value for DESYNC_FACTOR. Decreases lag in IPv6 privacy
# address generation.
net.ipv6.conf.all.max_desync_factor = 160
net.ipv6.conf.default.max_desync_factor = 160
# Try to reuse time-wait connections.
net.ipv4.tcp_tw_reuse = 1
# Avoid falling back to slow start after a connection goes idle. Keep
# it set to 0 usually.
net.ipv4.tcp_slow_start_after_idle = 0
# Increase Linux auto-tuning TCP buffer limits.
# Set max to 16MB buffer (16777216) for 1GE network.
#net.core.rmem_max = 16777216
#net.core.wmem_max = 16777216
#net.core.rmem_default = 16777216
#net.core.wmem_default = 16777216
#net.core.optmem_max = 40960
#net.ipv4.tcp_rmem = 4096 87380 16777216
#net.ipv4.tcp_wmem = 4096 65536 16777216
# Instructing a 10GE-capable host to consume a maximum of 32M-64M per
# socket ensures parallel streams work well and don't consume a majority
# of system resources.
# Set max 32MB buffer (33554432) for 10GE network.
#net.core.rmem_max = 33554432
#net.core.wmem_max = 33554432
#net.core.rmem_default = 33554432
#net.core.wmem_default = 33554432
#net.core.optmem_max = 40960
#net.ipv4.tcp_rmem = 4096 87380 33554432
#net.ipv4.tcp_wmem = 4096 65536 33554432
# If you have a lot of memory, set max 54MB buffer (56623104) for 10GE
# network.
#net.core.rmem_max = 56623104
#net.core.wmem_max = 56623104
#net.core.rmem_default = 56623104
#net.core.wmem_default = 56623104
#net.core.optmem_max = 40960
#net.ipv4.tcp_rmem = 4096 87380 56623104
#net.ipv4.tcp_wmem = 4096 65536 56623104
# Set UDP parameters. Adjust them for your network.
#net.ipv4.udp_mem = 8388608 12582912 16777216
#net.ipv4.udp_rmem_min = 65536
#net.ipv4.udp_wmem_min = 65536
# Use BBR congestion control algorithm with Fair Queue CoDel.
net.core.default_qdisc = fq_codel
net.ipv4.tcp_congestion_control = bbr
# Disable TCP timestamps to avoid leaking some system information.
net.ipv4.tcp_timestamps = 0
# Enable smart MTU black hole detection.
# Detect ICMP black holes and adjust the path MTU.
net.ipv4.tcp_mtu_probing = 1
# Bump starting MSS used in discovery to RFC4821 suggested 1024.
net.ipv4.tcp_base_mss = 1024
# Set max number of queued connections on a socket. The default value
# usually is too low. Raise this value substantially to support bursts
# of requests.
net.core.somaxconn = 8192
# Enable TCP window scaling for high-throughput, blazing fast TCP
# performance.
net.ipv4.tcp_window_scaling = 1
# Decrease the time default value for tcp_fin_timeout connection.
net.ipv4.tcp_fin_timeout = 10
# Decrease the time default value for connections to keep alive.
net.ipv4.tcp_keepalive_time = 512
net.ipv4.tcp_keepalive_probes = 10
net.ipv4.tcp_keepalive_intvl = 32
# Limit orphans because each orphan can eat up to 16M of unswappable
# memory.
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_orphan_retries = 0
# Increase size of RPC datagram queue length.
net.unix.max_dgram_qlen = 512
# Don't allow the arp table to become bigger than this.
net.ipv4.neigh.default.gc_thresh3 = 4096
# Tell the gc when to become aggressive with arp table cleaning.
net.ipv4.neigh.default.gc_thresh2 = 2048
# Adjust where the gc will leave arp table alone.
net.ipv4.neigh.default.gc_thresh1 = 1024
# Adjust to arp table gc to cleanup more often.
net.ipv4.neigh.default.gc_interval = 30
# Increase TCP queue length in order to reduce a performance spike with
# relation to timestamps generation.
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6
# Increase allowable size of backlog for incoming connections. Try up
# to 262144.
net.core.netdev_max_backlog = 16384
# Set max number half open SYN requests to keep in memory.
net.ipv4.tcp_max_syn_backlog = 8192
# Don't cache ssthresh from previous connection.
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
# Tweak the port range used for outgoing connections.
net.ipv4.ip_local_port_range = 2000 65535
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2
# Specify the group range allowed to create non-raw icmp sockets.
#
# Usage
# net.ipv4.ping_group_range = min max
# 1 0 - Nobody, not even root, may create ping
# sockets. (default)
# 100 100 - Grant permissions to the single group to either
# make /sbin/ping sgid'ed and owned by this group
# or to grant permissions to the "netadmins" group.
# 0 4294967295 - Enable it for the world.
# 100 4294967295 - Enable it for the users, but not daemons.
net.ipv4.ping_group_range = 0 2147483647
# end net }}}
# ==============================================================================
# user {{{
# Disable User Namespaces, as it opens up a large attack surface to
# unprivileged users.
user.max_user_namespaces = 0
# end user }}}
# ==============================================================================
# vm {{{
# Alter disk syncing and swap behavior.
#vm.vfs_cache_pressure = 100
#vm.laptop_mode = 0
#vm.swappiness = 60
# To avoid long IO stalls for write cache in a real life situation
# with different workloads, we typically want to limit the kernel dirty
# cache size.
#
# Usage
# vm.dirty_background_ratio = 0.25..0.5 * <dirty_ratio>
vm.dirty_background_ratio = 5
vm.dirty_ratio = 10
# Turn off the OOM killer by default.
vm.overcommit_memory = 2
# Instruct OOM killer to kill the task triggering an out-of-memory
# condition. Avoids expensive tasklist scans.
vm.oom_kill_allocating_task = 1
# Allocate up to 97% of physical memory.
vm.overcommit_ratio = 97
# Specify the minimum virtual address a process is allowed to mmap. Helps
# avoid "kernel NULL pointer dereference" defects.
vm.mmap_min_addr = 4096
# Improve KASLR effectiveness.
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16
# Keep at least 128MB of free RAM space available. When set to its default
# value, it is possible to encounter memory exhaustion symptoms when
# free memory should in fact be available. Setting <vm.min_free_kbytes>
# to 5-6% of the total physical memory but no more than 2GB can prevent
# this problem.
vm.min_free_kbytes = 131072
# Restrict the userfaultfd() syscall to root. Makes heap sprays harder.
vm.unprivileged_userfaultfd = 0
# end vm }}}
# ==============================================================================
# vim: set filetype=sysctl foldmethod=marker foldlevel=0 nowrap: