Sysctl.conf: Difference between revisions

From Alpine Linux
m (→‎General networking and performance: Removed a few options that are now defaults.)
m (Added some security options)
 
(3 intermediate revisions by one other user not shown)
Line 109: Line 109:
## to available memory.  Set it manually below
## to available memory.  Set it manually below
#net.ipv4.tcp_max_syn_backlog = 1000
#net.ipv4.tcp_max_syn_backlog = 1000
#Don't penalize programs for using split locks. Marginally speeds up the steam and Google Chrome flatpaks.
kernel.split_lock_mitigate = 0
</pre>
</pre>


= Security =
= Security =
Lots of really cool things can be configured in <code>/etc/sysctl.conf</code>, some of these are already enabled by default like tcp syncookies (checked against Alpine 2.7.0):


<pre>
<pre>
## Prevent CVE-2013-2094 (only affects Linux kernel before 3.8.9)
kernel.perf_event_paranoid = 2
## Help prevent TOCTOU vulnerabilities - these attacks can likely never be fully prevented
## (see https://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commitdiff;h=800179c9b8a1e796e441674776d11cd4c05d61d7)
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
## Disable magic-sysrq key
## Disable magic-sysrq key
kernel.sysrq = 0
kernel.sysrq = 0
Line 129: Line 123:
kernel.dmesg_restrict = 1
kernel.dmesg_restrict = 1


## TCP SYN cookie protection
## optionally, ignore all echo requests
## helps protect against SYN flood attacks but apparently breaks RFC's
## this is NOT recommended, as it ignores echo requests on localhost as well
## only kicks in when net.ipv4.tcp_max_syn_backlog is reached
#net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.tcp_syncookies = 1


## protect against tcp time-wait assassination hazards
## Don't expose kernel memory addresses in procfs
## drop RST packets for sockets in the time-wait state
kernel.kptr_restrict = 2
## (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 = 1


## source address verification (sanity checking) as specified in RFC1812
## Restrict access to kernel performance events
## helps protect against spoofing attacks, smurf attacks, etc.
kernel.perf_event_paranoid = 2
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1


## ignore echo broadcast requests, to stop propagation of smurf attacks
## Restrict unprivileged access to eBPF
## only enable this if your system is a router, as required by rfc 2644
kernel.unprivileged_bpf_disabled = 1
#net.ipv4.icmp_echo_ignore_broadcasts = 1
 
## optionally, ignore all echo requests
## Enable JIT hardening techniques for eBPF
## this is NOT recommended, as it ignores echo requests on localhost as well
net.core.bpf_jit_harden = 2
#net.ipv4.icmp_echo_ignore_all = 1
 
## Disable core dumps
kernel.core_pattern=|/bin/false
 
## Restrict access to the ptrace() syscall
## a value of 3 disables ptrace() entirely
kernel.yama.ptrace_scope = 2


## ignore bogus icmp errors
## Increase bits of entropy for ASLR
net.ipv4.icmp_ignore_bogus_error_responses = 1
## these values are compatible with x86, but other archs may differ
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16


## ICMP routing redirects (only secure)
# Heavily restrict writing to FIFOs; they must be owned, not in sticky dirs...                                                                                                                                                                      
net.ipv4.conf.all.accept_redirects = 0
fs.protected_fifos = 2
net.ipv4.conf.all.secure_redirects = 1
# don't allow O_CREAT open on regular files that we don't own in world/group writable sticky directories,
# unless they are owned by the owner of the directory.
fs.protected_regular = 2
</pre>
</pre>
[[User:Ginjachris|Ginjachris]] ([[User talk:Ginjachris|talk]]) 21:41, 22 November 2013 (UTC)


[[Category:Networking]]
[[Category:Networking]]

Latest revision as of 21:01, 12 June 2024

sysctl.conf is the configuration file at /etc/sysctl.conf for sysctl and is used to configure kernel parameters at boot time. You can load the configuration file with

sysctl -p

or simply with a reboot.

This article is not an exhaustive list but covers some of the main points. You may, of course, wish to change some settings to suite your environment. The config examples are well commented so should provide all the information you need. If further information is required on anything, please make a note in this page or in the 'discussion' area.

Some of the options shown in the below examples may already be as default in your release. Check with

sysctl -a|grep <somestring>

Lines beginning with a hash '#' are comments and are thus not read until the # is removed.


IPv6

Although IPv6 is configured in /etc/network/interfaces more advanced options are configured in /etc/sysctl.conf:

####Turn off IPv6 Routing####
## if not functioning as a router, there is no need
## to accept redirects or source routes
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
## Number of Router Solicitations to send until assuming no routers are present.
## This is a host and not router
net.ipv6.conf.default.router_solicitations = 2

## Router advertisements can cause the system to assign a global 
## unicast address to an interface
## Turn on/off below (default is 1, on)
#net.ipv6.conf.default.autoconf = 0
## How many global unicast IPv6 addresses can be assigned to each interface?
#net.ipv6.conf.all.max-addresses = 1
#net.ipv6.conf.default.max_addresses = 1

##Force IPv6 off
#net.ipv6.conf.all.disable_ipv6 = 1
#net.ipv6.conf.default.disable_ipv6 = 1
#net.ipv6.conf.lo.disable_ipv6 = 1
#net.ipv6.conf.eth0.disable_ipv6 = 1

General networking and performance

Do not enable (uncomment) any of this unless you know what you are doing!! Be prepared to perform thorough testing and potentially break stuff!

### Disable routing
## send redirects (not a router, disable it)
net.ipv4.conf.all.send_redirects = 0

## log martian packets
#net.ipv4.conf.all.log_martians = 1

### Memory and buffer changes. See https://wwwx.cs.unc.edu/~sparkst/howto/network_tuning.php {{Dead link}} for more information.
## Increase maximum amount of memory allocated to shm
#kernel.shmmax = 1073741824 
## Improve file system performance 
#vm.bdflush = 100 1200 128 512 15 5000 500 1884 2 
## This will increase the amount of memory available for socket input/output queues 
#net.ipv4.tcp_rmem = 4096 87380 524288  
#net.core.rmem_max = 1048576 
#net.core.rmem_default = 524288 
#net.ipv4.tcp_wmem = 4096 65536 524288
#net.core.wmem_max = 1048576
#net.core.wmem_default = 524288 
#net.core.optmem_max = 25165824

## Increase system file descriptor limit    
fs.file-max = 65535

## Allow for more PID's
kernel.pid_max = 65536

## Swapping too much or not enough? Disks spinning up when you'd
## rather they didn't? Tweak these.
#vm.vfs_cache_pressure = 100
#vm.laptop_mode = 0
#vm.swappiness = 60

## Set small dirty bytes values (overcomes random short system freezes)
## If you uncomment the below, it is set to 4MB
#vm.dirty_background_bytes = 4194304
#vm.dirty_bytes = 4194304

## reuse/recycle time-wait sockets (this is often needed on busy servers)
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1

## Controls the number of syn retries (default is 6)
#net.ipv4.tcp_syn_retries = 3
## Controls the number of tcp syn-ack retries (default is 5)
#net.ipv4.tcp_synack_retries = 3

## Change the time default value for tcp_fin_timeout connection 
## (i.e. time to hold socket in FIN-WAIT-2 if it was closed by us)
## Default is 60 seconds
#net.ipv4.tcp_fin_timeout = 15 
## Decrease the time default value for tcp_keepalive_time connection
## (i.e. how often to send TCP keepalive message)
## Default is 2 hours! 
#net.ipv4.tcp_keepalive_time = 360 
## Turn on tcp_window_scaling 
#net.ipv4.tcp_window_scaling = 1 
## Turn on the tcp_sack 
#net.ipv4.tcp_sack = 1 
## tcp_fack should be on because of sack 
#net.ipv4.tcp_fack = 1 

## Set the port range used for outgoing connections
#net.ipv4.ip_local_port_range = 1200    65000

## the number of packets to queue on input when they arrive faster
## than they can be processed by the kernel (the socket queue)
#net.core.netdev_max_backlog = 3000

## Maximum number of remembered connection requests which have not
## received an ack from connecting client.  Increases in proportion
## to available memory.  Set it manually below
#net.ipv4.tcp_max_syn_backlog = 1000

#Don't penalize programs for using split locks. Marginally speeds up the steam and Google Chrome flatpaks.
kernel.split_lock_mitigate = 0

Security

## Disable magic-sysrq key
kernel.sysrq = 0

## Restrict dmesg access to root
kernel.dmesg_restrict = 1

## optionally, ignore all echo requests
## this is NOT recommended, as it ignores echo requests on localhost as well
#net.ipv4.icmp_echo_ignore_all = 1

## Don't expose kernel memory addresses in procfs
kernel.kptr_restrict = 2

## Restrict access to kernel performance events
kernel.perf_event_paranoid = 2

## Restrict unprivileged access to eBPF
kernel.unprivileged_bpf_disabled = 1

## Enable JIT hardening techniques for eBPF
net.core.bpf_jit_harden = 2

## Disable core dumps
kernel.core_pattern=|/bin/false

## Restrict access to the ptrace() syscall
## a value of 3 disables ptrace() entirely
kernel.yama.ptrace_scope = 2

## Increase bits of entropy for ASLR
## these values are compatible with x86, but other archs may differ
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16

# Heavily restrict writing to FIFOs; they must be owned, not in sticky dirs...                                                                                                                                                                       
fs.protected_fifos = 2
# don't allow O_CREAT open on regular files that we don't own in world/group writable sticky directories,
# unless they are owned by the owner of the directory.
fs.protected_regular = 2