etc/sysctl.confΒΆ

Download file

# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#
# Documentation:
# * https://www.kernel.org/doc/Documentation/sysctl/
# * https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt


###################################################################
# Basic system settings
#

# Stop low-level messages on console (default 4 4 1 4)
#kernel.printk = 3 4 1 3

# Tweak how the flow of kernel messages is throttled.
#kernel.printk_ratelimit_burst = 10
#kernel.printk_ratelimit = 5

# Have the CD-ROM close when you use it, and open when you are done
#dev.cdrom.autoclose = 1
#dev.cdrom.autoeject = 1

# Reboot 600 seconds after kernel panic or oops.
#kernel.panic_on_oops = 1
#kernel.panic = 600


###################################################################
# Performance settings
#

# Increase TCP max buffer size setable using setsockopt (default 6291456)
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608

# Increase auto tuning TCP buffer limits (default 212992 212992 1000 1)
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1

# Disable laptop mode
#vm.laptop_mode = 0

# Control swap usage (low = less aggressive swapping)
#vm.swappiness = 60

# Some disk syncing parameters
#vm.dirty_background_ratio = 10
#vm.dirty_ratio = 40
#vm.vfs_cache_pressure = 100


###################################################################
# Network security
#

# Enable Reverse Path filter (spoof protection) in all interfaces
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

# Enable TCP/IP SYN cookies for IPv4 and IPv6
# See http://lwn.net/Articles/277146/
net.ipv4.tcp_syncookies = 1

# Don't reply to broadcast/multicast ping
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

# Do not accept ICMP redirects from gateways listed in default gateway list
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.secure_redirects = 0

# Do not accept IP source route packets
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0

# Use IPv6 temporary addresses and prefer them over public addresses
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2

# Log Martian Packets (disabled)
#net.ipv4.conf.all.log_martians = 1

# Tweak the port range used for outgoing connections over IPv4 and IPv6
#net.ipv4.ip_local_port_range = 32768 61000


###################################################################
# Non-router network configuration (change these options on a router)
#

# Disable packet forwarding
net.ipv4.ip_forward = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0

# Do not send ICMP redirects
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0


###################################################################
# System security settings

# Restrict dmesg
kernel.dmesg_restrict = 1

# Nullify kernel pointers in messages
kernel.kptr_restrict = 2

# Enable ASLR for everything in process memory
kernel.randomize_va_space = 2

# Restrict Magic SysRq to control keyboard, sync, RO-remount and reboot/poweroff
# To completely disable SysRq, set this value to zero
kernel.sysrq = 180