Sysctl.conf: Difference between revisions

From Alpine Linux
m (Added some security options)
 
(22 intermediate revisions by 5 users not shown)
Line 1: Line 1:
Sysctl.conf is the configuration file at <code>/etc/sysctl.conf</code> for [http://linux.die.net/man/8/sysctl sysctl] and is used to configure kernel parameters at boot time.  You can load the configuration file with {{Cmd|sysctl -p}} or simply with a reboot.
{{DISPLAYTITLE:sysctl.conf}}sysctl.conf is the configuration file at <code>/etc/sysctl.conf</code> for [https://linux.die.net/man/8/sysctl sysctl] and is used to configure kernel parameters at boot time.  You can load the configuration file with {{Cmd|sysctl -p}} or simply with a reboot.
This article is not an exhaustive list but covers some of the main points. You may, of course, wish to change some settings to suite your environment.  The config examples are well commented so should provide all the information you need.  If further information is required on anything, please make a note in this page or in the 'discussion' area
This article is not an exhaustive list but covers some of the main points. You may, of course, wish to change some settings to suite your environment.  The config examples are well commented so should provide all the information you need.  If further information is required on anything, please make a note in this page or in the 'discussion' area.
Some of the options shown in the below examples may already be as default in your release. Check with <pre>sysctl -a|grep <somestring></pre>
Some of the options shown in the below examples may already be as default in your release. Check with <pre>sysctl -a|grep <somestring></pre>
Lines beginning with a hash '#' are comments and are thus not read until the # is removed.




= IPv6 =
= IPv6 =
Although IPv6 is [[http://wiki.alpinelinux.org/wiki/Configure_Networking configured]] in  <code>/etc/network/interfaces</code> more advanced options are configured in <code>/etc/sysctl.conf</code>:
Although IPv6 is [[Configure Networking|configured]] in  <code>/etc/network/interfaces</code> more advanced options are configured in <code>/etc/sysctl.conf</code>:
<pre>
<pre>
## Enable IPv6 Privacy Extensions (see RFC4941 and RFC3041)
####Turn off IPv6 Routing####
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
 
####Turn off Routing####
## if not functioning as a router, there is no need
## if not functioning as a router, there is no need
## to accept redirects or source routes
## to accept redirects or source routes
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
## if not functioning as a router, disable packet forwarding
net.ipv6.conf.all.forwarding = 0
## Number of Router Solicitations to send until assuming no routers are present.
## Number of Router Solicitations to send until assuming no routers are present.
## This is a host and not router
## This is a host and not router
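Review bot: the privacy-extension lines `net.ipv6.conf.default.use_tempaddr = 2` / `net.ipv6.conf.all.use_tempaddr = 2` and `net.ipv6.conf.all.forwarding = 0` disappear on the new side, yet the edit summary says security options were added and the surviving comment still reads "if not functioning as a router". Keep the forwarding line (and say in the summary why the tempaddr lines go) so the block still does what its own comment says.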
Line 24: Line 19:
## Router advertisements can cause the system to assign a global  
## Router advertisements can cause the system to assign a global  
## unicast address to an interface
## unicast address to an interface
## Turn on/off below (default is 0, off)
## Turn on/off below (default is 1, on)
#net.ipv6.conf.default.autoconf = 0
#net.ipv6.conf.default.autoconf = 0
## How many global unicast IPv6 addresses can be assigned to each interface?
## How many global unicast IPv6 addresses can be assigned to each interface?
#net.ipv6.conf.all.max-addresses = 1
#net.ipv6.conf.all.max-addresses = 1
#net.ipv6.conf.default.max_addresses = 1
#net.ipv6.conf.default.max_addresses = 1
##Force IPv6 off
#net.ipv6.conf.all.disable_ipv6 = 1
#net.ipv6.conf.default.disable_ipv6 = 1
#net.ipv6.conf.lo.disable_ipv6 = 1
#net.ipv6.conf.eth0.disable_ipv6 = 1
</pre>
</pre>


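Review bot: `net.ipv6.conf.all.max-addresses = 1` (carried over from the old revision) uses a hyphen; the key is `max_addresses`, as the line directly under it shows, so even uncommented it would be rejected by `sysctl -p`. The corrected comment (autoconf default is 1, on) is right. In the new "Force IPv6 off" block, `net.ipv6.conf.lo.disable_ipv6 = 1` also removes ::1, which breaks anything that binds or connects to the IPv6 loopback; a one-line comment on that line would save readers a surprise.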
Line 36: Line 37:
<pre>
<pre>
### Disable routing
### Disable routing
## disable ALL packet forwarding (not a router, disable it)
net.ipv4.ip_forward = 0
## if not functioning as a router, there is no need to accept redirects or source routes
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
## IP source routing (insecure, disable it)
net.ipv4.conf.all.accept_source_route = 0
## send redirects (not a router, disable it)
## send redirects (not a router, disable it)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
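Review bot: the new side keeps only `send_redirects` under `### Disable routing`; `net.ipv4.ip_forward = 0`, `net.ipv4.conf.all.accept_redirects = 0` and `net.ipv4.conf.all.accept_source_route = 0` are gone. If the aim was to remove the duplicated `accept_source_route` line, keep one copy of each instead; dropping all three leaves forwarding and redirect acceptance at kernel defaults on a page whose comment says "not a router".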
Line 49: Line 43:
#net.ipv4.conf.all.log_martians = 1
#net.ipv4.conf.all.log_martians = 1


### Memory and buffer changes. See https://wwwx.cs.unc.edu/~sparkst/howto/network_tuning.php {{Dead link}} for more information.
## Increase maximum amount of memory allocated to shm
## Increase maximum amount of memory allocated to shm
#kernel.shmmax = 1073741824  
#kernel.shmmax = 1073741824  
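Review bot: the network_tuning.php reference is now tagged `{{Dead link}}` but remains the only source for the memory and buffer block; point readers at the kernel's own `Documentation/networking/ip-sysctl.rst` (the `net.ipv4.*` keys) and `Documentation/admin-guide/sysctl/net.rst` (the `net.core.*` keys) instead, so the commented-out values have a live reference.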
Line 57: Line 52:
#net.core.rmem_max = 1048576  
#net.core.rmem_max = 1048576  
#net.core.rmem_default = 524288  
#net.core.rmem_default = 524288  
#net.ipv4.tcp_wmem = 44096 65536 524288
#net.ipv4.tcp_wmem = 4096 65536 524288
#net.core.wmem_max = 1048576
#net.core.wmem_max = 1048576
#net.core.wmem_default = 524288  
#net.core.wmem_default = 524288  
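Review bot: the `tcp_wmem` correction from `44096 65536 524288` to `4096 65536 524288` is right; the triple is min/default/max and 4096 is the kernel's own minimum, whereas 44096 would have raised the floor for every socket. Nothing further needed in this hunk.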
Line 64: Line 59:
## Increase system file descriptor limit     
## Increase system file descriptor limit     
fs.file-max = 65535
fs.file-max = 65535
## Allow for more PID's
kernel.pid_max = 65536


## Swapping too much or not enough? Disks spinning up when you'd
## Swapping too much or not enough? Disks spinning up when you'd
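Review bot: `kernel.pid_max = 65536` is added uncommented, directly under `fs.file-max = 65535` which is also live, in a section headed "Do not enable any of this unless you know what you are doing". Note as well that `fs.file-max` defaults to a RAM-derived value (roughly 100k per GiB), so on most machines 65535 lowers the limit rather than "increasing" it as the comment claims; either comment both lines out like their neighbours or fix the comment and the value.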
Line 98: Line 96:
#net.ipv4.tcp_sack = 1  
#net.ipv4.tcp_sack = 1  
## tcp_fack should be on because of sack  
## tcp_fack should be on because of sack  
#net.ipv4.tcp_fack = 1
#net.ipv4.tcp_fack = 1  
 
## tcp timestamps
## + protect against wrapping sequence numbers (at gigabit speeds)
## + round trip time calculation implemented in TCP
## - causes extra overhead and allows uptime detection by scanners like nmap
## enable @ gigabit speeds
#net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_timestamps = 1  


## Set the port range used for outgoing connections
## Set the port range used for outgoing connections
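Review bot: removing the `tcp_timestamps` block does not change behaviour (the deleted live line set 1, which is the kernel default), but it also removes the only explanation of the trade-off (PAWS and RTT estimation versus uptime fingerprinting by scanners). Keep the comment, with the default noted, so a reader does not set it to 0 on a gigabit host without knowing what that costs.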
Line 119: Line 109:
## to available memory.  Set it manually below
## to available memory.  Set it manually below
#net.ipv4.tcp_max_syn_backlog = 1000
#net.ipv4.tcp_max_syn_backlog = 1000
#Don't penalize programs for using split locks. Marginally speeds up the steam and Google Chrome flatpaks.
kernel.split_lock_mitigate = 0
</pre>
</pre>


= Security =
= Security =
Lots of really cool things can be configured in <code>/etc/sysctl.conf</code>:


<pre>
<pre>
## Prevent CVE-2013-2094
kernel.perf_event_paranoid = 2
## Help prevent TOCTOU vulnerabilities - these attacks can likely never be fully prevented
## (see https://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commitdiff;h=800179c9b8a1e796e441674776d11cd4c05d61d7)
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
## Disable magic-sysrq key
## Disable magic-sysrq key
kernel.sysrq = 0
kernel.sysrq = 0


## TCP SYN cookie protection
## Restrict dmesg access to root
## helps protect against SYN flood attacks but apparently breaks RFC's
kernel.dmesg_restrict = 1
## only kicks in when net.ipv4.tcp_max_syn_backlog is reached
net.ipv4.tcp_syncookies = 1


## protect against tcp time-wait assassination hazards
## drop RST packets for sockets in the time-wait state
## (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 = 1
## source address verification (sanity checking) as specified in RFC1812
## helps protect against spoofing attacks
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
## ignore echo broadcast requests to prevent being part of smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1
## optionally, ignore all echo requests
## optionally, ignore all echo requests
## this is NOT recommended, as it ignores echo requests on localhost as well
## this is NOT recommended, as it ignores echo requests on localhost as well
#net.ipv4.icmp_echo_ignore_all = 1
#net.ipv4.icmp_echo_ignore_all = 1


## ignore bogus icmp errors
## Don't expose kernel memory addresses in procfs
net.ipv4.icmp_ignore_bogus_error_responses = 1
kernel.kptr_restrict = 2
 
## Restrict access to kernel performance events
kernel.perf_event_paranoid = 2
 
## Restrict unprivileged access to eBPF
kernel.unprivileged_bpf_disabled = 1
 
## Enable JIT hardening techniques for eBPF
net.core.bpf_jit_harden = 2
 
## Disable core dumps
kernel.core_pattern=|/bin/false
 
## Restrict access to the ptrace() syscall
## a value of 3 disables ptrace() entirely
kernel.yama.ptrace_scope = 2
 
## Increase bits of entropy for ASLR
## these values are compatible with x86, but other archs may differ
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16


## ICMP routing redirects (only secure)
# Heavily restrict writing to FIFOs; they must be owned, not in sticky dirs...                                                                                                                                                                      
#net.ipv4.conf.all.accept_redirects = 0
fs.protected_fifos = 2
net.ipv4.conf.all.secure_redirects = 1
# don't allow O_CREAT open on regular files that we don't own in world/group writable sticky directories,
# unless they are owned by the owner of the directory.
fs.protected_regular = 2
</pre>
</pre>


[[User:Ginjachris|Ginjachris]] ([[User talk:Ginjachris|talk]]) 12:32, 19 November 2013 (UTC)
[[Category:Networking]]
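Review bot: this revision drops several low-cost hardening lines while the summary says it adds security options: `net.ipv4.tcp_syncookies = 1`, `net.ipv4.tcp_rfc1337 = 1`, `rp_filter` for all/default, `icmp_echo_ignore_broadcasts = 1`, `icmp_ignore_bogus_error_responses = 1`, `secure_redirects = 1` and `fs.protected_hardlinks`/`fs.protected_symlinks = 1`; please restore them, since they complement the new `protected_fifos`/`protected_regular` lines rather than conflict with them. Smaller points: the CVE-2013-2094 reference on the old `perf_event_paranoid` comment was useful context and could stay in the new comment; `kernel.core_pattern=|/bin/false` lacks the spaces around `=` used on every other line; and `kernel.yama.ptrace_scope` only exists when the kernel is built with Yama, so `sysctl -p` reports an error for it elsewhere, worth a comment (2 = only CAP_SYS_PTRACE may attach) beside the line.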

Latest revision as of 21:01, 12 June 2024

sysctl.conf is the configuration file at /etc/sysctl.conf for sysctl and is used to configure kernel parameters at boot time. You can load the configuration file with

sysctl -p

or simply with a reboot.

This article is not an exhaustive list but covers some of the main points. You may, of course, wish to change some settings to suit your environment. The config examples are well commented, so they should provide all the information you need. If further information is required on anything, please make a note in this page or in the 'discussion' area.

Some of the options shown in the examples below may already be the default in your release. Check with

sysctl -a|grep <somestring>

Lines beginning with a hash '#' are comments and are thus not read until the # is removed.
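Beyond grepping `sysctl -a` by hand, the following added example (mine, not from the Alpine wiki) reads a sysctl.conf-style file with the rules just described, skips commented lines, and reports every active setting whose value differs from what the running kernel exposes under /proc/sys. The optional ROOT argument and the function names are my own, added so the checker can also be pointed at a test copy of the /proc/sys tree.

```shell
# Added example, not from the Alpine wiki: report which settings in a
# sysctl.conf-style file differ from the running kernel. Assumes a Linux
# /proc/sys tree; ROOT (my addition) lets the checker read a test copy of it.
set -u

# Normalise one line to "key=value"; return 1 for blank/comment/non-setting
# lines. Accepts "key = value" and "key=value", a leading "-" (sysctl.conf:
# ignore errors) and '#'/';' comments, and collapses whitespace in multi-value
# entries such as tcp_wmem so they compare equal to what /proc/sys reports.
sysctl_parse_line() {
    line=$1
    case "$line" in ''|'#'*|';'*) return 1 ;; esac
    case "$line" in *=*) ;; *) return 1 ;; esac   # no '=': not a setting
    line=${line#-}
    key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
    set -f; set -- ${line#*=}; set +f            # word-split value, no globbing
    printf '%s=%s\n' "$key" "$*"
}

# Print the live value of KEY under ROOT (default /proc/sys), whitespace
# collapsed; return 1 if the kernel has no such key. Keys written with '/'
# (sysctl(8)'s form for interface names containing dots) are used as-is.
sysctl_current() {
    key=$1; root=${2:-/proc/sys}
    case "$key" in
        */*) path="$root/$key" ;;
        *)   path="$root/$(printf '%s' "$key" | tr . /)" ;;
    esac
    [ -r "$path" ] || return 1
    set -f; set -- $(cat "$path"); set +f
    printf '%s\n' "$*"
}

# For every active (uncommented) line in FILE print "key<TAB>wanted<TAB>current"
# when the values differ, or "<missing>" when the kernel lacks the key
# (e.g. net.ipv4.tcp_tw_recycle on 4.12+). Returns 1 if anything differed.
sysctl_check_conf() {
    file=$1; root=${2:-/proc/sys}; rc=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        kv=$(sysctl_parse_line "$raw") || continue
        k=${kv%%=*}; want=${kv#*=}
        if ! cur=$(sysctl_current "$k" "$root"); then
            printf '%s\t%s\t<missing>\n' "$k" "$want"; rc=1
        elif [ "$cur" != "$want" ]; then
            printf '%s\t%s\t%s\n' "$k" "$want" "$cur"; rc=1
        fi
    done < "$file"
    return $rc
}
```

Run it as `sysctl_check_conf /etc/sysctl.conf` before `sysctl -p` to see which lines would actually change something and which keys the running kernel does not have.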


IPv6

Although IPv6 is configured in /etc/network/interfaces, more advanced options are configured in /etc/sysctl.conf:

####Turn off IPv6 Routing####
## if not functioning as a router, there is no need
## to accept redirects or source routes
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
## Number of Router Solicitations to send until assuming no routers are present.
## This is a host and not router
net.ipv6.conf.default.router_solicitations = 2

## Router advertisements can cause the system to assign a global 
## unicast address to an interface
## Turn on/off below (default is 1, on)
#net.ipv6.conf.default.autoconf = 0
## How many global unicast IPv6 addresses can be assigned to each interface?
#net.ipv6.conf.all.max_addresses = 1
#net.ipv6.conf.default.max_addresses = 1

##Force IPv6 off
#net.ipv6.conf.all.disable_ipv6 = 1
#net.ipv6.conf.default.disable_ipv6 = 1
#net.ipv6.conf.lo.disable_ipv6 = 1
#net.ipv6.conf.eth0.disable_ipv6 = 1

General networking and performance

Do not enable (uncomment) any of this unless you know what you are doing!! Be prepared to perform thorough testing and potentially break stuff!

### Disable routing
## send redirects (not a router, disable it)
net.ipv4.conf.all.send_redirects = 0

## log martian packets
#net.ipv4.conf.all.log_martians = 1

### Memory and buffer changes. See https://wwwx.cs.unc.edu/~sparkst/howto/network_tuning.php (dead link) for more information.
## Increase maximum amount of memory allocated to shm
#kernel.shmmax = 1073741824
## Improve file system performance
## (vm.bdflush belongs to the 2.4 kernel series and no longer exists; sysctl -p reports an error for it on current kernels)
#vm.bdflush = 100 1200 128 512 15 5000 500 1884 2
## This will increase the amount of memory available for socket input/output queues
#net.ipv4.tcp_rmem = 4096 87380 524288
#net.core.rmem_max = 1048576
#net.core.rmem_default = 524288
#net.ipv4.tcp_wmem = 4096 65536 524288
#net.core.wmem_max = 1048576
#net.core.wmem_default = 524288
#net.core.optmem_max = 25165824

## Increase system file descriptor limit
## (the kernel default is derived from RAM, roughly 100k per GiB, so on most
## machines 65535 would lower it: compare with `sysctl fs.file-max` first)
fs.file-max = 65535

## Allow for more PID's
kernel.pid_max = 65536

## Swapping too much or not enough? Disks spinning up when you'd
## rather they didn't? Tweak these.
#vm.vfs_cache_pressure = 100
#vm.laptop_mode = 0
#vm.swappiness = 60

## Set small dirty bytes values (overcomes random short system freezes)
## If you uncomment the below, it is set to 4MB
#vm.dirty_background_bytes = 4194304
#vm.dirty_bytes = 4194304

## reuse time-wait sockets (this is often needed on busy servers)
net.ipv4.tcp_tw_reuse = 1
## tcp_tw_recycle was removed in Linux 4.12 (it mishandled clients behind NAT);
## sysctl -p fails on this key on current kernels, so it is left commented out
#net.ipv4.tcp_tw_recycle = 1

## Controls the number of syn retries (default is 6)
#net.ipv4.tcp_syn_retries = 3
## Controls the number of tcp syn-ack retries (default is 5)
#net.ipv4.tcp_synack_retries = 3

## Change the time default value for tcp_fin_timeout connection 
## (i.e. time to hold socket in FIN-WAIT-2 if it was closed by us)
## Default is 60 seconds
#net.ipv4.tcp_fin_timeout = 15 
## Decrease the time default value for tcp_keepalive_time connection
## (i.e. how often to send TCP keepalive message)
## Default is 2 hours! 
#net.ipv4.tcp_keepalive_time = 360 
## Turn on tcp_window_scaling 
#net.ipv4.tcp_window_scaling = 1 
## Turn on the tcp_sack 
#net.ipv4.tcp_sack = 1 
## tcp_fack should be on because of sack 
#net.ipv4.tcp_fack = 1 

## Set the port range used for outgoing connections
#net.ipv4.ip_local_port_range = 1200    65000

## the number of packets to queue on input when they arrive faster
## than they can be processed by the kernel (the socket queue)
#net.core.netdev_max_backlog = 3000

## Maximum number of remembered connection requests which have not
## received an ack from connecting client.  Increases in proportion
## to available memory.  Set it manually below
#net.ipv4.tcp_max_syn_backlog = 1000

## Don't penalize programs for using split locks. Marginally speeds up the Steam and Google Chrome flatpaks.
## (x86-only knob, present since Linux 6.2; trades a CPU-contention mitigation for speed)
kernel.split_lock_mitigate = 0

Security

## Disable magic-sysrq key
kernel.sysrq = 0

## Restrict dmesg access to root
kernel.dmesg_restrict = 1

## optionally, ignore all echo requests
## this is NOT recommended, as it ignores echo requests on localhost as well
#net.ipv4.icmp_echo_ignore_all = 1

## Don't expose kernel memory addresses in procfs
kernel.kptr_restrict = 2

## Restrict access to kernel performance events
kernel.perf_event_paranoid = 2

## Restrict unprivileged access to eBPF
kernel.unprivileged_bpf_disabled = 1

## Enable JIT hardening techniques for eBPF
net.core.bpf_jit_harden = 2

## Disable core dumps
kernel.core_pattern = |/bin/false

## Restrict access to the ptrace() syscall (needs a kernel built with Yama)
## 2 = only processes with CAP_SYS_PTRACE may attach; a value of 3 disables ptrace() entirely
kernel.yama.ptrace_scope = 2

## Increase bits of entropy for ASLR
## these values are compatible with x86, but other archs may differ
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16

# Heavily restrict writing to FIFOs: refuse O_CREAT opens of FIFOs we don't own in
# world- or group-writable sticky directories, unless they are owned by the directory owner
fs.protected_fifos = 2
# don't allow O_CREAT open on regular files that we don't own in world/group writable sticky directories,
# unless they are owned by the owner of the directory.
fs.protected_regular = 2