====== Linux sysctl options ======

===== Optimized sysctl =====

<code>
# the following stops low-level messages on console
kernel.printk = 4 4 1 7

# enable /proc/$pid/maps privacy so that memory relocations are not
# visible to other users. (Added in kernel 2.6.22.)
kernel.maps_protect = 1

# Increase inotify availability
fs.inotify.max_user_watches = 524288

# protect bottom 64k of memory from mmap to prevent NULL-dereference
# attacks against potential future kernel security vulnerabilities.
# (Added in kernel 2.6.23.)
vm.mmap_min_addr = 65536

###############################################################
# Functions previously found in netbase
#

# Comment the next two lines to disable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

# Uncomment the next line to enable TCP/IP SYN cookies
# This disables TCP Window Scaling (http://lkml.org/lkml/2008/2/5/167)
net.ipv4.tcp_syncookies = 1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward = 1

# Uncomment the next line to enable packet forwarding for IPv6
# (there is no net.ipv6.ip_forward key; IPv6 forwarding is controlled
# per interface under net.ipv6.conf.*)
net.ipv6.conf.all.forwarding = 0

###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Ignore ICMP broadcasts
net/ipv4/icmp_echo_ignore_broadcasts = 1
#
# Ignore bogus ICMP errors
net/ipv4/icmp_ignore_bogus_error_responses = 1
#
# Do not accept ICMP redirects (prevent MITM attacks)
net/ipv4/conf/all/accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
net/ipv4/conf/all/secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
net/ipv4/conf/all/send_redirects = 0
# Do not accept IP source route packets (we are not a router)
net/ipv4/conf/all/accept_source_route = 0

# tcp/ip tweak - window size
net.core.wmem_max = 262144
net.core.rmem_max = 262144
net.core.wmem_default = 262144
net.core.rmem_default = 262144
#
# Log Martian Packets
net/ipv4/conf/all/log_martians = 1
# Always defragment packets (2.2-era key; removed in 2.4, where
# connection tracking defragments on its own, so newer kernels ignore it)
net/ipv4/ip_always_defrag = 1

### tnt.aufbix.org tips
#default#vm/page-cluster = 3
vm.page-cluster = 6
#default#net.ipv4.ipfrag_time = 30
net.ipv4.ipfrag_time = 30
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
# Linux 2.6 has only 32Mb shared memory
kernel.shmmax = 67108864
kernel.random.poolsize = 8192
# reboot on panic
kernel.panic = 5
</code>

**TNT's default sysctl.conf** Download {{linux:sysctl.conf}}

==== Linux as dedicated server ====

FIXME

  * [[:linux:sysctl:26netipv4|/proc/net/ipv4]]
  * [[http://dsd.lbl.gov/TCP-tuning/linux.html|Linux TCP tuning]]
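A sysctl.conf like the one above is only as good as what the running kernel actually has: a typo in a key, a key that does not exist on this kernel version, or a later manual ''echo'' into ''/proc/sys'' all leave the box out of line with the file. The following audit script is an added example, not part of this wiki page or of any distribution's tooling. It parses the mixed ''net/ipv4/...'' and ''net.ipv4...'' notations used above (both are accepted by ''sysctl''), normalises them to dotted form, reads the live values under ''/proc/sys'' (the ''root'' argument is only there so the check can be run against a copied tree), and reports settings that differ or keys that the kernel does not know. ''SAMPLE_CONF'' is a constructed excerpt.

```python
"""Audit a sysctl.conf against the running kernel's /proc/sys values.

Added example (not part of the original wiki page): it parses the mixed
slash/dot key notation used in the sysctl.conf above, normalises every key
to dotted form, and reports which settings differ from what the kernel
currently has, and which keys do not exist at all on this kernel.
"""
import os
from typing import Dict, Iterable, List, Tuple

# Constructed excerpt of the sysctl.conf above, mixing both key notations.
SAMPLE_CONF = """
# Turn on Source Address Verification
net.ipv4.conf.all.rp_filter = 1
# Do not accept ICMP redirects (prevent MITM attacks)
net/ipv4/conf/all/accept_redirects = 0
net.ipv4.tcp_syncookies=1
#net/ipv4/conf/ifname/arp_filter=1
kernel.printk = 4 4 1 7
"""


def normalize_key(key: str) -> str:
    """sysctl accepts both 'net/ipv4/...' and 'net.ipv4...'; use dotted form."""
    return key.strip().replace("/", ".")


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Return {dotted_key: value} for every active (non-comment) line.

    Multi-token values such as kernel.printk's '4 4 1 7' are collapsed to
    single spaces so they compare equal to what /proc/sys reports.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(";"):
            continue
        if "=" not in line:
            continue  # malformed line; sysctl(8) would complain about it too
        key, value = line.split("=", 1)
        settings[normalize_key(key)] = " ".join(value.split())
    return settings


def key_to_path(key: str, root: str = "/proc/sys") -> str:
    """Map a dotted key to its /proc/sys file (root is overridable for offline runs)."""
    return os.path.join(root, *key.split("."))


def read_current(keys: Iterable[str], root: str = "/proc/sys") -> Dict[str, str]:
    """Read live values; keys absent from this kernel are simply omitted."""
    current: Dict[str, str] = {}
    for key in keys:
        try:
            with open(key_to_path(key, root)) as fh:
                current[key] = " ".join(fh.read().split())
        except OSError:
            pass  # key does not exist (or is unreadable) on this kernel
    return current


def find_drift(expected: Dict[str, str], current: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (key, expected, actual) for mismatches; actual is 'MISSING' for unknown keys."""
    drift: List[Tuple[str, str, str]] = []
    for key, want in sorted(expected.items()):
        have = current.get(key, "MISSING")
        if have != want:
            drift.append((key, want, have))
    return drift


if __name__ == "__main__":
    # Typical use: python audit.py, run as a user that can read /proc/sys.
    wanted = parse_sysctl_conf(SAMPLE_CONF)
    for key, want, have in find_drift(wanted, read_current(wanted)):
        print(f"{key}: configured={want!r} running={have!r}")
```

A ''MISSING'' result is the interesting one for a hardening file: it is exactly what a bogus key such as ''net.ipv6.ip_forward'' produces, and ''sysctl -p'' would otherwise only log an error at boot that nobody reads. One caveat of the dotted form: an interface name containing a dot (a VLAN device like ''eth0.100'') cannot be mapped to a path this way, so per-interface keys for such devices need the slash notation kept as-is.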
==== Linux as router ====

  - The ARP behaviour can be fixed by using **''arp_ignore''** and **''arp_announce''** on the WAN interface.
  - If you have multiple interfaces on the same subnet, you may also want to enable **''arp_filter''**.
    * This prevents the ARP entry for an interface from fluctuating between two or more MAC addresses. However, you need to use source routing to make this work correctly. From the //Documentation/networking/ip-sysctl-2.6.txt// file in the kernel source.
  - The ARP cache timeout on Linux-based routers should be changed from the default, especially if you have a large number of peers. This parameter can be tuned by setting the appropriate procfs variable through the sysctl interface.
    * **Change it so it's between 2 and 6 hours, and not 30 min as default.**
  - You may need to turn off the //Reverse Path Filter// (''**rp_filter**'') functionality on a Linux-based router to allow asymmetric routing, particularly on your WAN interface.

''**/etc/sysctl.conf**''

<code>
# These settings should be duplicated for all interfaces that are
# on a peering LAN.

### Typical stuff you really want on a router

# Fix the "promiscuous ARP" thing...
net/ipv4/conf/ifname/arp_ignore=1
net/ipv4/conf/ifname/arp_announce=1

# Turn off RP filtering to allow asymmetric routing:
net/ipv4/conf/ifname/rp_filter=0

# Multiple (non-aggregated) interfaces on the same peering LAN.
# READ THE MANUAL FIRST!
#net/ipv4/conf/ifname/arp_filter=1

### Keep the AMS-IX ARP Police happy. :-)
net/ipv4/neigh/ifname/base_reachable_time=14400
net/ipv6/neigh/ifname/base_reachable_time=14400
</code>

===== Misc add-on options, good to know =====

==== Reboot on kernel panic ====

<code>
kernel.panic = 0
</code>

^ argv ^ comment ^
| 0 | won't reboot on kernel panic |
| n | number of seconds to wait before reboot |

==== Linux 2.6 has only 32Mb shared memory ====

<code>
kernel.shmmax = 67108864
</code>

==== ip_conntrack: maximum limit of XXX entries exceeded ====

If you notice this message in syslog, the conntrack database doesn't have enough entries for your environment. Connection tracking by default handles up to a certain number of simultaneous connections. This number depends on your system's maximum memory size (at 64MB: 4096, 128MB: 8192, ...). You can easily increase the number of maximal tracked connections, but be **aware that each tracked connection eats about 350 bytes of non-swappable kernel memory!** ''Your kernel will crash for sure, although routing/forwarding should still be "working".''

To increase this limit to e.g. 8192, type:

<code>
echo "8192" > /proc/sys/net/ipv4/ip_conntrack_max
</code>

To optimize performance, please also raise the number of hash buckets by using the ''hashsize'' module load-time parameter of the ''ip_conntrack.o'' module. Please note that due to the nature of the current hashing algorithm, an even hash bucket count (and especially a power of two) is a bad choice. Example (with 1023 buckets):

<code>
modprobe ip_conntrack hashsize=1023
</code>

[[http://www.netfilter.org/documentation/FAQ/netfilter-faq.html#toc3.7]]

===== GrSecurity options =====

{{page>linux:grsec#sysctl}}

About GrSecurity see [[linux:grsec#sysctl|this page]]
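For the ip_conntrack section above: raising ''ip_conntrack_max'' blindly trades table exhaustion (dropped connections) for pinned kernel memory, so the number should be derived from what the log shows and what memory the box can spare. The script below is an added example, not part of this wiki page or of netfilter's own tooling. It detects the "maximum limit of N entries exceeded" message in sample syslog lines (constructed, with made-up hostnames and timestamps), estimates the non-swappable memory a proposed limit would cost using the page's figure of about 350 bytes per entry, and proposes an odd ''hashsize'', since the page warns that even counts and powers of two are a bad choice. The 8-entries-per-bucket ratio used to pick the hash size is this example's own assumption; the page gives no ratio, only the 1023-bucket example.

```python
"""Spot ip_conntrack table exhaustion in syslog and size a new limit.

Added example (not part of the original wiki page). Log lines are constructed;
BYTES_PER_ENTRY comes from the page, the entries-per-bucket ratio does not.
"""
import re
from typing import Dict, List, Optional

BYTES_PER_ENTRY = 350  # figure from the page; treat it as an estimate

# Constructed sample syslog lines (hostnames and timestamps are made up).
SAMPLE_LOG = """\
Mar  3 10:14:01 gw kernel: ip_conntrack: maximum limit of 4096 entries exceeded
Mar  3 10:14:01 gw kernel: ip_conntrack: maximum limit of 4096 entries exceeded
Mar  3 10:14:07 gw sshd[2231]: Accepted publickey for admin from 10.0.0.5
Mar  3 10:15:42 gw kernel: ip_conntrack: maximum limit of 4096 entries exceeded
"""

EXHAUSTED_RE = re.compile(r"ip_conntrack: maximum limit of (\d+) entries exceeded")


def conntrack_exhaustion_events(log: str) -> List[int]:
    """Return the limit reported by each 'entries exceeded' line, in order."""
    matches = (EXHAUSTED_RE.search(line) for line in log.splitlines())
    return [int(m.group(1)) for m in matches if m]


def conntrack_memory_bytes(max_entries: int) -> int:
    """Worst-case non-swappable kernel memory once the table is full."""
    return max_entries * BYTES_PER_ENTRY


def fits_in_budget(max_entries: int, budget_bytes: int) -> bool:
    """True if a full table stays inside the kernel memory you are willing to pin."""
    return conntrack_memory_bytes(max_entries) <= budget_bytes


def suggest_hashsize(max_entries: int, entries_per_bucket: int = 8) -> int:
    """Pick an odd bucket count near max_entries / entries_per_bucket.

    An odd count is never a power of two, which is what the page says to
    avoid. The ratio is an assumption of this example, not a page figure.
    """
    buckets = max(3, max_entries // entries_per_bucket)
    if buckets % 2 == 0:
        buckets -= 1  # e.g. 8192 entries -> 1024 -> 1023, the page's example
    return buckets


def plan_increase(log: str, new_max: int, budget_bytes: int) -> Dict[str, Optional[int]]:
    """Combine detection and sizing into one decision record."""
    limits = conntrack_exhaustion_events(log)
    return {
        "exhausted": bool(limits),
        "current_limit": max(limits) if limits else None,
        "new_max": new_max,
        "memory_bytes": conntrack_memory_bytes(new_max),
        "fits": fits_in_budget(new_max, budget_bytes),
        "hashsize": suggest_hashsize(new_max),
    }


if __name__ == "__main__":
    plan = plan_increase(SAMPLE_LOG, new_max=8192, budget_bytes=4 * 1024 * 1024)
    if plan["exhausted"]:
        print(f"table of {plan['current_limit']} entries was exhausted")
    print(f"{plan['new_max']} entries pin up to {plan['memory_bytes']} bytes "
          f"({'ok' if plan['fits'] else 'over budget'})")
    if plan["fits"]:
        # The two commands from the page, with the computed values filled in.
        print(f'echo "{plan["new_max"]}" > /proc/sys/net/ipv4/ip_conntrack_max')
        print(f"modprobe ip_conntrack hashsize={plan['hashsize']}")
```

Run against a real syslog, the only change is feeding the file contents to ''plan_increase'' instead of ''SAMPLE_LOG''. The memory figure is deliberately the full-table case: a limit that is only reached under a flood is exactly when the table will be full, so that is the number to check against what the box can pin.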