Tuesday, July 13, 2010

Kernel sysctl configuration file for Linux

Category: , , SkyHi @ Tuesday, July 13, 2010
sysctl.conf
# Kernel sysctl configuration file for Linux
#
# Version 1.9 - 2011-03-23
# Michiel Klaver - IT Professional
# http://klaver.it/linux/ for the latest version - http://klaver.it/bsd/ for a BSD variant
#
# This file should be saved as /etc/sysctl.conf and can be activated using the command:
# sysctl -e -p /etc/sysctl.conf
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and sysctl.conf(5) for more details.
#
# Tested with: Debian 4 etchnhalf kernel version 2.6.24 default stock out-of-the-box
#              Debian 5 kernel version 2.6.26 default stock out-of-the-box
#              CentOS 5.4 kernel 2.6.18 default stock out-of-the-box

#
# Intended use for dedicated server systems at high-speed networks with loads of RAM and bandwidth available
# Optimised and tuned for high-performance web/ftp/mail/dns servers with high connection-rates
# DO NOT USE at busy networks or xDSL/Cable connections where packetloss can be expected
# ----------

# Credits:
# http://www.enigma.id.au/linux_tuning.txt
# http://www.securityfocus.com/infocus/1729
# http://fasterdata.es.net/TCP-tuning/linux.html
# http://fedorahosted.org/ktune/browser/sysctl.ktune
# http://www.cymru.com/Documents/ip-stack-tuning.html
# http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
# http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html
# http://knol.google.com/k/linux-performance-tuning-and-measurement
# http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/
# http://www.redbooks.ibm.com/abstracts/REDP4285.html
# http://www.speedguide.net/read_articles.php?id=121
# http://lartc.org/howto/lartc.kernel.obscure.html
# http://en.wikipedia.org/wiki/Sysctl



###
### GENERAL SYSTEM SECURITY OPTIONS ###
###

# Auto-reboot linux 30 seconds after a kernel panic
kernel.panic = 30
kernel.panic_on_oops = 30

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

#Allow for more PIDs
kernel.pid_max = 65536

# The contents of /proc/<pid>/maps and smaps files are only visible to
# readers that are allowed to ptrace() the process
kernel.maps_protect = 1

#Enable ExecShield protection
kernel.exec-shield = 1
kernel.randomize_va_space = 1

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65536



###
### IMPROVE SYSTEM MEMORY MANAGEMENT ###
###

# Increase size of file handles and inode cache
fs.file-max = 209708

# Do less swapping
vm.swappiness = 10
vm.dirty_ratio = 60
vm.dirty_background_ratio = 2

# specifies the minimum virtual address that a process is allowed to mmap
vm.mmap_min_addr = 4096

# No overcommitment of available memory
vm.overcommit_ratio = 0
vm.overcommit_memory = 0

# Set maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456
kernel.shmall = 268435456

# Keep at least 64MB of free RAM space available
vm.min_free_kbytes = 65536



###
### GENERAL NETWORK SECURITY OPTIONS ###
###

#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096

# Disables packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0

# Disables IP source routing
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Disable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15

# Decrease the time default value for connections to keep alive
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15

# Don't relay bootp
net.ipv4.conf.all.bootp_relay = 0

# Don't proxy arp for anyone
net.ipv4.conf.all.proxy_arp = 0

# Turn on SACK
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1

# Turn on the tcp_timestamps
net.ipv4.tcp_timestamps = 1

# Don't ignore directed pings
net.ipv4.icmp_echo_ignore_all = 0

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536

# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
net.ipv4.tcp_rfc1337 = 1



###
### TUNING NETWORK PERFORMANCE ###
###

# Do a 'modprobe tcp_cubic' first
net.ipv4.tcp_congestion_control = cubic

# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1

# Increase the maximum total buffer-space allocatable
# This is measured in units of pages (4096 bytes)
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144

# Increase the read-buffer space allocatable
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 131072
net.core.rmem_max = 16777216

# Increase the write-buffer-space allocatable
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 131072
net.core.wmem_max = 16777216

# Increase number of incoming connections
net.core.somaxconn = 32768

# Increase number of incoming connections backlog
net.core.netdev_max_backlog = 4096
net.core.dev_weight = 64

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 65536

# Increase the maximum number of skb-heads to be cached
#net.core.hot_list_length = 1024

# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1

# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_orphan_retries = 0

# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464

# don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1

# Increase RPC slots
sunrpc.tcp_slot_table_entries = 32
sunrpc.udp_slot_table_entries = 32

# Increase size of RPC datagram queue length
net.unix.max_dgram_qlen = 50

# Don't allow the arp table to become bigger than this
net.ipv4.neigh.default.gc_thresh3 = 2048

# Tell the gc when to become aggressive with arp table cleaning.
# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
net.ipv4.neigh.default.gc_thresh2 = 1024

# Adjust where the gc will leave arp table alone - set to 32.
net.ipv4.neigh.default.gc_thresh1 = 32

# Adjust to arp table gc to clean-up more often
net.ipv4.neigh.default.gc_interval = 30

# Increase TCP queue length
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6

# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_ecn = 2
net.ipv4.tcp_reordering = 3

# How many times to retry killing an alive TCP connection
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3

# This will enusre that immediatly subsequent connections use the new values
net.ipv4.route.flush = 1
net.ipv6.route.flush = 1



###
### Comments/suggestions/additions are welcome!
###

rc.iptables
#!/bin/bash
#### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    $network
# Required-Stop:     
# Default-Start:     2 3 4 5
# Default-Stop:      S 0 1 6
# Short-Description: iptables firewall script
# Description:       iptables firewall script
### END INIT INFO

###
### FireWall script - v1.1 Michiel Klaver 2008-10-29
###



set -e

. /lib/init/vars.sh
. /lib/lsb/init-functions

# iptables Location - adjust if needed
IPT="/sbin/iptables"

# Internet Interface
INET_IFACE="eth0"

# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"



# we do not use forwarding / NAT
echo 0 > /proc/sys/net/ipv4/ip_forward

# remove any existing ipchains
([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
(rmmod ipchains) >/dev/null 2>&1 || true

# insert iptable modules
/sbin/modprobe ip_tables
/sbin/modprobe ipt_state
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp



# clear all previous iptable rules
$IPT -F
$IPT -X
$IPT -Z

# do not use forwarding / NAT
$IPT -t nat -F
$IPT -t nat -X
$IPT -t nat -Z

# do not alter packets
$IPT -t mangle -F
$IPT -t mangle -X
$IPT -t mangle -Z



case "$1" in
    stop|open|clear|reset)
 # set default policy for all traffic to ACCEPT
 $IPT -P INPUT ACCEPT
 $IPT -P OUTPUT ACCEPT
 $IPT -P FORWARD ACCEPT
 
 $IPT -A INPUT -j ACCEPT
 $IPT -A OUTPUT -j ACCEPT
 $IPT -A FORWARD -j ACCEPT
 exit 0
    ;;
esac



# set default policy for all traffic to DROP
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# Every new connection attempt should begin with a syn packet.  If it doesn't, it is likely a
# port scan.  This drops packets in state NEW that are not flagged as syn packets.
$IPT -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A INPUT -p all -m state --state INVALID -j DROP

$IPT -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A OUTPUT -p all -m state --state INVALID -j DROP



# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented.  Fragmented ICMP packets are a typical sign
# of a denial of service attack.
$IPT -A INPUT --fragment -p ICMP -j DROP

# Block stealth portscans
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# all connections from / to localhost are allowed
$IPT -A INPUT -p all -i $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p all -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p all -s $LO_IP -j ACCEPT



# HTTP / HTTPS
$IPT -A INPUT -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -j ACCEPT

# FTP
$IPT -A INPUT -p tcp --dport 20 -j ACCEPT
$IPT -A INPUT -p tcp --dport 21 -j ACCEPT

# SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j REJECT --reject-with tcp-reset
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT

# SMTP / SSMTP
$IPT -A INPUT -p tcp --dport 25 -j ACCEPT
$IPT -A INPUT -p tcp --dport 465 -j ACCEPT
$IPT -A INPUT -p tcp --dport 587 -j ACCEPT

# POP3PASS
$IPT -A INPUT -p tcp --dport 106 -j ACCEPT

# POP3 / POP3S
$IPT -A INPUT -p tcp --dport 110 -j ACCEPT
$IPT -A INPUT -p tcp --dport 995 -j ACCEPT

# IMAP / IMAPS
$IPT -A INPUT -p tcp --dport 143 -j ACCEPT
$IPT -A INPUT -p tcp --dport 993 -j ACCEPT

# MySQL
$IPT -A INPUT -p tcp --dport 3306 -j ACCEPT

# PostgreSQL
$IPT -A INPUT -p tcp --dport 5432 -j ACCEPT

# DNS
$IPT -A INPUT -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -p tcp --dport 53 -j ACCEPT

# Admin Panels (Plesk / DirectAdmin)
$IPT -A INPUT -p tcp --dport 8443 -j ACCEPT
$IPT -A INPUT -p tcp --dport 2222 -j ACCEPT

# ICMP
$IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT



# UDP part of tracerouting
$IPT -A INPUT  -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
$IPT -A OUTPUT -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT

# SSH
$IPT -A OUTPUT -p tcp --dport 22 -j ACCEPT

# SMTP
$IPT -A OUTPUT -p tcp --dport 25 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 465 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 587 -j ACCEPT

# POP3/IMAP
$IPT -A OUTPUT -p tcp --dport 110 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 143 -j ACCEPT

# HTTP/HTTPS
$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT

# DNS
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT

# SNMP
$IPT -A OUTPUT -p udp --dport 161 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 161 -j ACCEPT
$IPT -A OUTPUT -p udp --dport 162 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 162 -j ACCEPT

# NTP (date/time)
$IPT -A OUTPUT -p tcp --dport 37 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 123 -j ACCEPT
$IPT -A OUTPUT -p udp --dport 123 -j ACCEPT

# WhoIs clientside
$IPT -A OUTPUT -p tcp --dport 43 -j ACCEPT

# Razor2/Pyzor/DCC (spamchecks)
$IPT -A OUTPUT -p udp --dport 24441 -j ACCEPT
$IPT -A OUTPUT -p udp --dport 6277 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 2703 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 7 -j ACCEPT

# MySQL
$IPT -A OUTPUT -p tcp --dport 3306 -j ACCEPT

# PostgreSQL
$IPT -A OUTPUT -p tcp --dport 5432 -j ACCEPT

# ICMP
$IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT



# DROP any other protocol other than stated above
$IPT -A INPUT -j DROP
$IPT -A OUTPUT -j DROP
$IPT -A FORWARD -j DROP



$IPT -L -n

REFERENCES
http://klaver.it/linux/sysctl.conf