# /etc/sysctl.conf - Configuration file for setting system variables # See /etc/sysctl.d/ for additional system variables. # See sysctl.conf (5) for information. # # Documentation: # * https://www.kernel.org/doc/Documentation/sysctl/ # * https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt ################################################################### # Basic system settings # # Stop low-level messages on console (default 4 4 1 4) #kernel.printk = 3 4 1 3 # Tweak how the flow of kernel messages is throttled. #kernel.printk_ratelimit_burst = 10 #kernel.printk_ratelimit = 5 # Have the CD-ROM close when you use it, and open when you are done #dev.cdrom.autoclose = 1 #dev.cdrom.autoeject = 1 # Reboot 600 seconds after kernel panic or oops. #kernel.panic_on_oops = 1 #kernel.panic = 600 ################################################################### # Performance settings # # Increase TCP max buffer size setable using setsockopt (default 6291456) #net.ipv4.tcp_rmem = 4096 87380 8388608 #net.ipv4.tcp_wmem = 4096 87380 8388608 # Increase auto tuning TCP buffer limits (default 212992 212992 1000 1) #net.core.rmem_max = 8388608 #net.core.wmem_max = 8388608 #net.core.netdev_max_backlog = 5000 #net.ipv4.tcp_window_scaling = 1 # Disable laptop mode #vm.laptop_mode = 0 # Control swap usage (low = less aggressive swapping) #vm.swappiness = 60 # Some disk syncing parameters #vm.dirty_background_ratio = 10 #vm.dirty_ratio = 40 #vm.vfs_cache_pressure = 100 ################################################################### # Network security # # Enable Reverse Path filter (spoof protection) in all interfaces net.ipv4.conf.default.rp_filter = 1 net.ipv4.conf.all.rp_filter = 1 # Enable TCP/IP SYN cookies for IPv4 and IPv6 # See http://lwn.net/Articles/277146/ net.ipv4.tcp_syncookies = 1 # Don't reply to broadcast/multicast ping net.ipv4.icmp_echo_ignore_broadcasts = 1 # Do not accept ICMP redirects (prevent MITM attacks) net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 # Do not accept ICMP redirects from gateways listed in default gateway list net.ipv4.conf.default.secure_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 # Do not accept IP source route packets net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 # Use IPv6 temporary addresses and prefer them over public addresses net.ipv6.conf.default.use_tempaddr = 2 net.ipv6.conf.all.use_tempaddr = 2 # Log Martian Packets (disabled) #net.ipv4.conf.all.log_martians = 1 # Tweak the port range used for outgoing connections over IPv4 and IPv6 #net.ipv4.ip_local_port_range = 32768 61000 ################################################################### # Non-router network configuration (change these options on a router) # # Disable packet forwarding net.ipv4.ip_forward = 0 net.ipv6.conf.default.forwarding = 0 net.ipv6.conf.all.forwarding = 0 # Do not send ICMP redirects net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.all.send_redirects = 0 ################################################################### # System security settings # Restrict dmesg kernel.dmesg_restrict = 1 # Nullify kernel pointers in messages kernel.kptr_restrict = 2 # Enable ASLR for everything in process memory kernel.randomize_va_space = 2 # Restrict Magic SysRq to control keyboard, sync, RO-remount and reboot/poweroff # To completely disable SysRq, set this value to zero kernel.sysrq = 180