{"id":1543,"date":"2017-05-26T10:10:01","date_gmt":"2017-05-26T14:10:01","guid":{"rendered":"https:\/\/easy-admin.ca\/?p=1543"},"modified":"2017-05-26T10:10:01","modified_gmt":"2017-05-26T14:10:01","slug":"hardened-kernel-variables-etcsysctl-conf","status":"publish","type":"post","link":"https:\/\/easy-admin.ca\/index.php\/2017\/05\/26\/hardened-kernel-variables-etcsysctl-conf\/","title":{"rendered":"Hardened Kernel Variables ( \/etc\/sysctl.conf )"},"content":{"rendered":"

# Controls the System Request debugging functionality of the kernel
\nkernel.sysrq = 0<\/p>\n

# Controls whether core dumps will append the PID to the core filename.
\n# Useful for debugging multi-threaded applications.
\nkernel.core_uses_pid = 1<\/p>\n

#Prevent SYN attack
\nnet.ipv4.tcp_syncookies = 1
\nnet.ipv4.tcp_max_syn_backlog = 2048
\nnet.ipv4.tcp_synack_retries = 2<\/p>\n

# Disables IP source routing
\nnet.ipv4.conf.lo.accept_source_route = 0
\nnet.ipv4.conf.eth0.accept_source_route = 0
\nnet.ipv4.conf.default.accept_source_route = 0<\/p>\n

# Enable IP spoofing protection, turn on source route verification
\nnet.ipv4.conf.eth0.rp_filter = 1<\/p>\n

# Disable ICMP Redirect Acceptance
\nnet.ipv4.conf.lo.accept_redirects = 0
\nnet.ipv4.conf.eth0.accept_redirects = 0
\nnet.ipv4.conf.default.accept_redirects = 0<\/p>\n

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
\nnet.ipv4.conf.lo.log_martians = 1
\nnet.ipv4.conf.eth0.log_martians = 1<\/p>\n

# Disables IP source routing
\nnet.ipv4.conf.lo.accept_source_route = 0
\nnet.ipv4.conf.eth0.accept_source_route = 0
\nnet.ipv4.conf.default.accept_source_route = 0<\/p>\n

# Enable IP spoofing protection, turn on source route verification
\nnet.ipv4.conf.eth0.rp_filter = 1<\/p>\n

# Disable ICMP Redirect Acceptance
\nnet.ipv4.conf.lo.accept_redirects = 0
\nnet.ipv4.conf.eth0.accept_redirects = 0
\nnet.ipv4.conf.default.accept_redirects = 0<\/p>\n

# Modify system limits for Ensim WEBppliance
\nfs.file-max = 65000<\/p>\n

# Decrease the time default value for tcp_fin_timeout connection
\nnet.ipv4.tcp_fin_timeout = 15<\/p>\n

# Decrease the time default value for tcp_keepalive_time connection
\nnet.ipv4.tcp_keepalive_time = 1800<\/p>\n

# Turn off the tcp_window_scaling
\nnet.ipv4.tcp_window_scaling = 0<\/p>\n

# Turn off the tcp_sack ( Need to turn on for traffic to internet)
\n#net.ipv4.tcp_sack = 0<\/p>\n

# Turn off the tcp_timestamps
\nnet.ipv4.tcp_timestamps = 0<\/p>\n

# Enable TCP SYN Cookie Protection
\nnet.ipv4.tcp_syncookies = 1<\/p>\n

# Set maximum amount of memory allocated to shm to 256MB
\nkernel.shmmax = 268435456<\/p>\n

# Increase the maximum total TCP buffer-space allocatable
\nnet.ipv4.tcp_mem = 57344 57344 65536<\/p>\n

# Increase the maximum TCP write-buffer-space allocatable
\nnet.ipv4.tcp_wmem = 32768 65536 524288<\/p>\n

# Increase the maximum TCP read-buffer space allocatable
\nnet.ipv4.tcp_rmem = 98304 196608 1572864<\/p>\n

# Increase the maximum and default receive socket buffer size
\nnet.core.rmem_max = 524280
\nnet.core.rmem_default = 524280<\/p>\n

# Increase the maximum and default send socket buffer size
\nnet.core.wmem_max = 524280
\nnet.core.wmem_default = 524280<\/p>\n

# Increase the tcp-time-wait buckets pool size
\nnet.ipv4.tcp_max_tw_buckets = 1440000<\/p>\n

# Allowed local port range
\nnet.ipv4.ip_local_port_range = 16384 65536<\/p>\n

# Increase the maximum memory used to reassemble IP fragments
\nnet.ipv4.ipfrag_high_thresh = 512000
\nnet.ipv4.ipfrag_low_thresh = 446464<\/p>\n

# Increase the maximum amount of option memory buffers
\nnet.core.optmem_max = 57344<\/p>\n","protected":false},"excerpt":{"rendered":"

# Controls the System Request debugging functionality of the kernel kernel.sysrq = 0 # Controls whether core dumps will append the PID to the core filename. # Useful for debugging multi-threaded applications. kernel.core_uses_pid = 1 #Prevent SYN attack net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_max_syn_backlog = 2048 net.ipv4.tcp_synack_retries = 2 # Disables IP source routing net.ipv4.conf.lo.accept_source_route = 0 … Continue reading Hardened Kernel Variables ( \/etc\/sysctl.conf )<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"slim_seo":{"title":"Hardened Kernel Variables ( \/etc\/sysctl.conf ) - HP Server","description":"# Controls the System Request debugging functionality of the kernel kernel.sysrq = 0 # Controls whether core dumps will append the PID to the core filename. # U"},"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1543","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/1543","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/comments?post=1543"}],"version-history":[{"count":0,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/1543\/revisions"}],"wp:attachment":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/media?parent=1543"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/categories?post=1543"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/tags?post=1543"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}