External/sysctl
1
0
Fork 0
mirror of https://github.com/k4yt3x/sysctl.git synced 2025-12-17 09:46:07 +00:00
Code Issues Packages Projects Releases Wiki Activity
sysctl/sysctl.conf
k4yt3x 45533b68d4
feat: change qdisc to fq_codel for modern Linux kernels 
Signed-off-by: k4yt3x <i@k4yt3x.com>
2025-10-31 00:00:00 +00:00

333 lines
12 KiB
Plaintext
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Name: K4YT3X's Hardened & Optimized Linux Kernel Parameters
# Author: K4YT3X
# Contributor: IceCodeNew
# Contributor: HorlogeSkynet
# Contributor: shenzhui007
# Date Created: October 5, 2020
# Last Updated: October 19, 2025
# Licensed under the GNU General Public License Version 3 (GNU GPL v3),
# available at: https://www.gnu.org/licenses/gpl-3.0.txt
# Copyright 2020-2025 K4YT3X and contributors.
# Multiple sources have been consulted while writing this configuration
# file (e.g., nixCraft's sysctl.conf). Some sources may not have been cited.
# Please refer to Linux's kernel documentations or reach out to the author
# should you have any questions or recommendations.
########## Kernel ##########
# enable ExecShield protection
# 2 enables ExecShield by default unless applications bits are set to disabled
# uncomment on systems without NX/XD protections
# check with: dmesg | grep --color '[NX|DX]*protection'
#kernel.exec-shield = 2
# enable ASLR
# turn on protection and randomize stack, vdso page and mmap + randomize brk base address
kernel.randomize_va_space = 2
# controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# controls whether core dumps will append the PID to the core filename
# useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# restrict access to kernel address
# kernel pointers printed using %pK will be replaced with 0s regardless of privileges
kernel.kptr_restrict = 2
# Ptrace protection using Yama
# - 0 (classic): allows any process to trace any other process under the same UID
# - 1 (restricted): only a parent process can be debugged
# - 2 (admin-only): only admins can use ptrace (CAP_SYS_PTRACE capability required)
# - 3 (no attach): disables ptrace completely, reboot is required to re-enable ptrace
# the general recommendation for this setting is:
# - if you do not need to debug programs, set it to 3
# - if you need to debug programs (e.g., GDB, LLDB, strace), set it to 1
# setting it to 3 will also break LXC v6+ procfs emulation for unprivileged containers
# (see GitHub issue https://github.com/lxc/lxcfs/issues/636)
kernel.yama.ptrace_scope = 3
# restrict kernel logs to root only
kernel.dmesg_restrict = 1
# restrict BPF JIT compiler to root only
kernel.unprivileged_bpf_disabled = 1
# disables kexec as it can be used to livepatch the running kernel
kernel.kexec_load_disabled = 1
# disable unprivileged user namespaces to reduce attack surface
# breaks unprivileged containers and sandboxing applications (e.g., Firefox and Docker)
#kernel.unprivileged_userns_clone = 0
#user.max_user_namespaces = 0
# disable the loading of kernel modules
# this can be used to prevent runtime insertion of malicious modules
# could break the system if enabled within sysctl.conf
# consider setting this manually after system is up
# sudo sysctl -w kernel.modules_disabled=1
#kernel.modules_disabled = 1
# allow for more PIDs
# this value can be up to:
# - 32768 (2^15) on a 32-bit system
# - 4194304 (2^22) on a 64-bit system
kernel.pid_max = 4194304
# reboot machine after kernel panic
#kernel.panic = 10
# reboot after just one kernel warning/oops
#kernel.warn_limit = 1
#kernel.oops_limit = 1
# restrict perf subsystem usage
kernel.perf_event_paranoid = 3
kernel.perf_cpu_time_max_percent = 1
kernel.perf_event_max_sample_rate = 1
# prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl
dev.tty.ldisc_autoload = 0
# disable TIOCSTI which can be used to inject keypresses
# breaks screen readers
dev.tty.legacy_tiocsti = 0
# block all newly connected USB devices
#kernel.deny_new_usb=1
########## File System ##########
# disallow core dumping by SUID/SGID programs
fs.suid_dumpable = 0
# protect the creation of hard links
# one of the following conditions must be fulfilled
# - the user can only link to files that he or she owns
# - the user must first have read and write access to a file, that he/she wants to link to
fs.protected_hardlinks = 1
# protect the creation of symbolic links
# one of the following conditions must be fulfilled
# - the process following the symbolic link is the owner of the symbolic link
# - the owner of the directory is also the owner of the symbolic link
fs.protected_symlinks = 1
# enable extended FIFO protection
fs.protected_fifos = 2
# similar to protected_fifos, but it avoids writes to an attacker-controlled regular file
fs.protected_regular = 2
# increase system file descriptor limit
# this value can be up to:
# - 2147483647 (0x7fffffff) on a 32-bit system
# - 9223372036854775807 (0x7fffffffffffffff) on a 64-bit system
# be aware that the Linux kernel documentation suggests that inode-max should be 3-4 times
# larger than this value
fs.file-max = 9223372036854775807
# increase the amount of files that can be watched
# each file watch handle takes 1080 bytes
# up to 540 MiB of memory will be consumed if all 524288 handles are used
fs.inotify.max_user_watches = 524288
########## Virtualization ##########
# do not allow mmap in lower addresses
vm.mmap_min_addr = 65536
# improve mmap ASLR effectiveness
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16
# prevent unprivileged users from accessing userfaultfd
# restricts syscall to the privileged users or the CAP_SYS_PTRACE capability
vm.unprivileged_userfaultfd = 0
########## Networking ##########
# increase the maximum length of processor input queues
net.core.netdev_max_backlog = 250000
# enable BPF JIT hardening for all users
# this trades off performance, but can mitigate JIT spraying
net.core.bpf_jit_harden = 2
# increase TCP max buffer size settable using setsockopt()
net.core.rmem_default = 8388608
net.core.wmem_default = 8388608
net.core.rmem_max = 536870912
net.core.wmem_max = 536870912
net.core.optmem_max = 40960
########## IPv4 Networking ##########
# enable BBR congestion control and FQ-CoDel queuing discipline
net.ipv4.tcp_congestion_control = bbr
net.core.default_qdisc = fq_codel
# disallow IPv4 packet forwarding
net.ipv4.ip_forward = 0
# enable SYN cookies for SYN flooding protection
net.ipv4.tcp_syncookies = 1
# number of times SYNACKs for a passive TCP connection attempt will be retransmitted
net.ipv4.tcp_synack_retries = 5
# do not send redirects
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# do not accept packets with SRR option
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
# enable reverse path source validation (BCP38)
# refer to RFC1812, RFC2827, and BCP38 (http://www.bcp38.info)
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
# log packets with impossible addresses to kernel log
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1
# do not accept ICMP redirect messages
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
# disable sending and receiving of shared media redirects
# this setting overwrites net.ipv4.conf.all.secure_redirects
# refer to RFC1620
net.ipv4.conf.default.shared_media = 0
net.ipv4.conf.all.shared_media = 0
# always use the best local address for announcing local IP via ARP
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.all.arp_announce = 2
# reply only if the target IP address is local address configured on the incoming interface
net.ipv4.conf.default.arp_ignore = 1
net.ipv4.conf.all.arp_ignore = 1
# drop Gratuitous ARP frames to prevent ARP poisoning
# this can cause issues when ARP proxies are used in the network
net.ipv4.conf.default.drop_gratuitous_arp = 1
net.ipv4.conf.all.drop_gratuitous_arp = 1
# ignore all ICMP echo requests
#net.ipv4.icmp_echo_ignore_all = 1
# ignore all ICMP echo and timestamp requests sent to broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1
# ignore bad ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1
# mitigate TIME-WAIT Assassination hazards in TCP
# refer to RFC1337
net.ipv4.tcp_rfc1337 = 1
# disable TCP window scaling
# this makes the host less susceptible to TCP RST DoS attacks
# could drastically reduce throughput if latency is high
#net.ipv4.tcp_window_scaling = 0
# increase system IP port limits
net.ipv4.ip_local_port_range = 1024 65535
# TCP timestamps could provide protection against wrapped sequence numbers,
# but the host's uptime can be calculated precisely from its timestamps
# it is also possible to differentiate operating systems based on their use of timestamps
# - 0: disable TCP timestamps
# - 1: enable timestamps as defined in RFC1323 and use random offset for
# each connection rather than only using the current time
# - 2: enable timestamps without random offsets
net.ipv4.tcp_timestamps = 0
# enabling SACK can improve congestion control and throughput
# but it could also be leveraged to exhaust system resources
# re-enable SACK if you experience performance issues transferring large files
net.ipv4.tcp_sack = 0
net.ipv4.tcp_dsack = 0
net.ipv4.tcp_fack = 0
# SSR could impact TCP's performance on a fixed-speed network (e.g., wired)
# but it could be helpful on a variable-speed network (e.g., LTE)
# uncomment this if you are on a fixed-speed network
net.ipv4.tcp_slow_start_after_idle = 0
# enabling MTU probing helps mitigating PMTU blackhole issues
# this may not be desirable on congested networks
net.ipv4.tcp_mtu_probing = 1
net.ipv4.tcp_base_mss = 1024
# increase memory thresholds to prevent packet dropping
# the maximum buffer size is 536870912 bytes (512 MiB)
net.ipv4.tcp_rmem = 8192 262144 536870912
net.ipv4.tcp_wmem = 4096 16384 536870912
# reduce the maximum window size to 128 MiB to reduce TCP receive queue collapse
# (see https://blog.cloudflare.com/optimizing-tcp-for-high-throughput-and-low-latency)
net.ipv4.tcp_adv_win_scale = -2
# limit the size of unsent bytes in the write queue to prevent bufferbloat
net.ipv4.tcp_notsent_lowat = 131072
########## IPv6 Networking ##########
# disallow IPv6 packet forwarding
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
# number of Router Solicitations to send until assuming no routers are present
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.all.router_solicitations = 0
# do not accept Router Preference from RA
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 0
# learn prefix information in router advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
# setting controls whether the system will accept Hop Limit settings from a router advertisement
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_defrtr = 0
# router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.all.autoconf = 0
# number of neighbor solicitations to send out per address
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.all.dad_transmits = 0
# number of global unicast IPv6 addresses can be assigned to each interface
net.ipv6.conf.default.max_addresses = 1
net.ipv6.conf.all.max_addresses = 1
# enable IPv6 Privacy Extensions (RFC3041) and prefer the temporary address
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
# ignore IPv6 ICMP redirect messages
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# do not accept packets with SRR option
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# ignore all ICMPv6 echo requests
#net.ipv6.icmp.echo_ignore_all = 1
#net.ipv6.icmp.echo_ignore_anycast = 1
#net.ipv6.icmp.echo_ignore_multicast = 1
Reference in New Issue View Git Blame Copy Permalink