Sysctl.conf

From Alpine Linux
Revision as of 20:36, 18 November 2013 by Ginjachris

Sysctl.conf is the configuration file at /etc/sysctl.conf for sysctl and is used to configure kernel parameters at boot time. You can also load the configuration file with

sysctl -p

or simply with a reboot.

This article is not an exhaustive list but covers some of the main points. You may, of course, wish to change some settings to suit your environment:

IPv6

Although IPv6 is configured in /etc/network/interfaces (see Configure_Networking), more advanced options are configured in /etc/sysctl.conf:

## Enable IPv6 Privacy Extensions (see RFC4941 and RFC3041)
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2

## Turn off routing
## if not functioning as a router, there is no need to accept redirects or source routes
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
## if not functioning as a router, disable packet forwarding
net.ipv6.conf.all.forwarding = 0
## Number of Router Solicitations to send until assuming no routers are present.
## This is a host and not router
net.ipv6.conf.default.router_solicitations = 2

## Router advertisements can cause the system to assign a global unicast address to an interface
## Set to 0 below to disable this (the kernel default is 1, on)
#net.ipv6.conf.default.autoconf = 0
## How many global unicast IPv6 addresses can be assigned to each interface?
#net.ipv6.conf.all.max_addresses = 1
#net.ipv6.conf.default.max_addresses = 1

General networking and performance

### Do not enable (uncomment) any of the next section unless you know what you are doing!!
## Increase maximum amount of memory allocated to shm
#kernel.shmmax = 1073741824
## Improve file system performance
## (vm.bdflush only exists on 2.4 kernels; loading it on 2.6 and later fails because the key no longer exists)
#vm.bdflush = 100 1200 128 512 15 5000 500 1884 2
## This will increase the amount of memory available for socket input/output queues
## (each tcp_* line is "min default max" in bytes)
#net.ipv4.tcp_rmem = 4096 87380 524288
#net.core.rmem_max = 1048576
#net.core.rmem_default = 524288
#net.ipv4.tcp_wmem = 4096 65536 524288
#net.core.wmem_max = 1048576
#net.core.wmem_default = 524288
#net.core.optmem_max = 25165824

## Increase system file descriptor limit
fs.file-max = 65535


Security

Lots of really cool things can be configured in /etc/sysctl.conf:

## Prevent CVE-2013-2094 (the proper fix is a patched kernel; this setting
## restricts unprivileged use of the perf subsystem)
kernel.perf_event_paranoid = 2

## Help prevent TOCTOU vulnerabilities - these attacks can likely never be fully prevented
## (see https://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commitdiff;h=800179c9b8a1e796e441674776d11cd4c05d61d7)
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

## Disable magic-sysrq key
kernel.sysrq = 0

## TCP SYN cookie protection
## helps protect against SYN flood attacks but apparently breaks RFCs
## only kicks in when net.ipv4.tcp_max_syn_backlog is reached
net.ipv4.tcp_syncookies = 1

## protect against tcp time-wait assassination hazards
## drop RST packets for sockets in the time-wait state
## (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 = 1

## source address verification (sanity checking) as specified in RFC1812
## helps protect against spoofing attacks
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

## ignore echo broadcast requests to prevent being part of smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1
## optionally, ignore all echo requests
## this is NOT recommended, as it ignores echo requests on localhost as well
#net.ipv4.icmp_echo_ignore_all = 1

## ignore bogus icmp errors
net.ipv4.icmp_ignore_bogus_error_responses = 1

## ICMP routing redirects: secure_redirects only accepts redirects that come from
## gateways in the interface's current gateway list, and only matters while
## accept_redirects is on; uncomment the accept_redirects line to reject all redirects
#net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
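Because sysctl.conf is only applied at boot or with sysctl -p, it is worth checking that the running kernel actually carries the values from the Security section. The audit script below is an added example, not part of the Alpine wiki page: it reads each key under /proc/sys (the tree sysctl itself writes to) and reports every deviation; SYSCTL_ROOT is an assumed variable so the check can be pointed at a test directory.

```shell
#!/bin/sh
# Added audit helper, not from the Alpine wiki page. Reads each key's current
# value under /proc/sys and compares it with the hardening values from the
# Security section above. SYSCTL_ROOT is an assumption so the check can also
# be run against a test directory instead of the live kernel.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# key=value pairs taken from the Security section of this page
EXPECTED="
kernel.perf_event_paranoid=2
fs.protected_hardlinks=1
fs.protected_symlinks=1
kernel.sysrq=0
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_rfc1337=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.conf.all.secure_redirects=1
"

# sysctl_get KEY: print the running value, or "missing" when the kernel does
# not expose the key at all (e.g. fs.protected_* on kernels older than 3.6)
sysctl_get() {
    path="$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then
        cat "$path"
    else
        echo missing
    fi
}

# audit_sysctl: print one MISMATCH line per deviating key and return the
# number of mismatches, so an exit status of 0 means the kernel matches
audit_sysctl() {
    bad=0
    for entry in $EXPECTED; do
        key=${entry%%=*}
        want=${entry#*=}
        have=$(sysctl_get "$key")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key expected=$want actual=$have"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Run the audit when invoked directly, e.g.: sh sysctl-audit.sh audit
if [ "${1:-}" = audit ]; then
    audit_sysctl
fi
```

A non-zero exit status means at least one key differs from the page's value, which is the condition you would alert on after a reboot or an accidental `sysctl -w`.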