Linux security and performance tuning with sysctl.
sysctl.conf
Below is the content of the file /etc/sysctl.conf
that we use on a CentOS server.
# Kernel sysctl configuration file for Linux
#
# By: www.lisenet.com
#
# Tested on a Red Hat server with physical memory of 2GB
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
#
# References
# https://www.suse.com/documentation/sles-12/book_hardening/data/sec_sec_prot_general_kernel.html
# https://wiki.archlinux.org/index.php/Sysctl
# https://rtcamp.com/tutorials/linux/sysctl-conf/
# http://seriousbirder.com/blogs/centos-6-setting-shmmax-and-shmall-kernel-paramaters/
# http://kaivanov.blogspot.co.uk/2010/09/linux-tcp-tuning.html

# Any process which has changed privilege levels
# or is execute only will not be dumped (default)
fs.suid_dumpable = 0

# File handle limit
fs.file-max = 6577347

########################################
### Memory Tuning ###
########################################

# Use swap file when RAM usage is around 40 percent
vm.swappiness = 60

# Controls the maximum number of shared memory segments, in pages (not bytes)
# It is almost always 4K which is the recommended size
# To be safe, run the following command:
# getconf PAGE_SIZE => 4096
# Allocating 1GB below (1*1024*1024*1024/4096=262144)
kernel.shmall = 262144

# Control the maximum size of a single shared memory segment, in bytes
# Setting to half (1GB) of our physical memory
kernel.shmmax = 1073741824

########################################
### Kernel Hardening ###
########################################

# Reboot a system after 10 seconds of kernel panic
kernel.panic = 10

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Restricting access to kernel logs
kernel.dmesg_restrict = 1

# If you're compiling your own kernel, then
# this can help mitigating local root exploits
kernel.kptr_restrict = 1

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Enable ExecShield protection
kernel.exec-shield = 1

# Enable by default, except if the application bits are set to "disable"
kernel.randomize_va_space = 2

# Default value
kernel.pid_max = 32768

# Increase the length of the processor input queue
net.core.netdev_max_backlog = 5000

# The maximum number of "backlogged sockets". Default value
net.core.somaxconn = 128

# Disable netfilter on bridges.
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0

########################################
### TCP/IP Stack Hardening ###
########################################

# Controls IP packet forwarding.
# Set this value to 1 to turn the server into a router
net.ipv4.ip_forward = 0

# Disable fast recycling of TIME_WAIT sockets.
# Enabling fast recycling of TIME_WAIT sockets is usually
# a bad idea as it will cause you a lot of problems when working with NAT
net.ipv4.tcp_tw_recycle = 0

# Do not allow reuse of sockets in TIME_WAIT state for new connections
net.ipv4.tcp_tw_reuse = 0

# Help protect against SYN flood attacks
net.ipv4.tcp_syncookies = 1

# If set to 0, protect against wrapping sequence numbers.
# Turning off timestamps may do more harm than good, see below.
# TCP timestamps are used to improve performance as well as protect
# against late packets messing up your data flow. If you disable TCP timestamps
# you should expect worse performance and less reliable connections.
net.ipv4.tcp_timestamps = 1

net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_sack = 1

# Enable window scaling
net.ipv4.tcp_window_scaling = 1

# Maximum receive and send window size 16MB
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

# Increase the read-buffer and write-buffer space allocatable
# Autotuning TCP buffer limit 16MB
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

# Do not accept source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Disable redirects, not a router
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Enable source validation by reversed path
# Protects from attackers that are using IP spoofing methods to do harm
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Log packets with impossible addresses to kernel log
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Ignore all ECHO broadcast requests
# Prevent being part of smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1

# Allowed local port range
net.ipv4.ip_local_port_range = 9000 65535

# The minimum time sockets will stay in TIME_WAIT state
net.ipv4.tcp_fin_timeout = 60

########################################
### IPv6 ###
########################################

# Disable IPv6 except for localhost
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Enable source validation by reversed path
# Protects from attackers that are using IP spoofing methods to do harm
net.ipv6.conf.all.rp_filter = 1
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0

# Disable redirects, not a router
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
Available Values and Documentation
To display all values that are currently available, do the following:
# sysctl -a
To get more information on the possible settings, we need to install the package containing kernel documentation files:
# yum info kernel-doc
Once the package is installed, documentation should be available here:
/usr/share/doc/kernel-doc-kernel_version/Documentation/
For example, to find out the meaning of ip_forward, we would need to look at the following networking-related kernel documentation file:
/usr/share/doc/kernel-doc-3.10.0/Documentation/networking/ip-sysctl.txt
It may be tricky to find the information if we are unsure which file to look at; the fastest way is therefore to grep the documentation tree for the kernel parameter we are interested in.
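Once a file like the one above is in place, the practical check is whether the running kernel actually carries those values. The POSIX shell function below is an added example (not from the original article): it parses sysctl.conf syntax, compares it against the output of sysctl -a, and reports every key that drifted or that the kernel does not expose at all. Both the config and the live dump are constructed samples with hypothetical values.

```shell
#!/bin/sh
# Compare the keys in a sysctl.conf-style file against a "sysctl -a" dump and
# report every key whose live value differs or which the kernel does not expose.
# Whitespace around "=" and between multi-value fields (sysctl -a prints tabs)
# is normalised before comparing, so "4096 87380 16777216" matches either form.

# Constructed sample in /etc/sysctl.conf syntax (hypothetical values)
WANT='# hardening subset
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
kernel.kptr_restrict=1
kernel.exec-shield = 1
net.ipv4.tcp_rmem = 4096 87380 16777216'

# Constructed sample of "sysctl -a" output: ip_forward and rp_filter drifted,
# exec-shield is absent (the running kernel does not know that key)
LIVE=$(printf 'net.ipv4.ip_forward = 1\nnet.ipv4.tcp_syncookies = 1\nnet.ipv4.conf.all.rp_filter = 0\nkernel.kptr_restrict = 1\nnet.ipv4.tcp_rmem = 4096\t87380\t16777216\n')

# sysctl_drift CONFIG_TEXT LIVE_TEXT
# Prints one sorted "key expected=X live=Y" line per mismatch; returns 1 if any.
sysctl_drift() {
  drift=$({ printf '%s\n' "$1"; echo '__LIVE__'; printf '%s\n' "$2"; } | awk '
    function norm(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); gsub(/[ \t]+/, " ", s); return s }
    # split "key = value" into out[1] (key) and out[2] (value)
    function kv(line, out,   i) { i = index(line, "=")
      out[1] = norm(substr(line, 1, i - 1)); out[2] = norm(substr(line, i + 1)) }
    $0 == "__LIVE__" { live = 1; next }
    /^[ \t]*[#;]/ || !/=/ { next }          # comments and blank lines
    !live { kv($0, p); want[p[1]] = p[2]; next }
    { kv($0, p); seen[p[1]] = 1
      if ((p[1] in want) && want[p[1]] != p[2])
        print p[1] " expected=" want[p[1]] " live=" p[2] }
    END { for (k in want) if (!(k in seen)) print k " expected=" want[k] " live=<missing>" }
  ' | sort)
  [ -z "$drift" ] && return 0
  printf '%s\n' "$drift"
  return 1
}

# Demo on the constructed samples; on a real host run
#   sysctl_drift "$(cat /etc/sysctl.conf)" "$(sysctl -a 2>/dev/null)"
sysctl_drift "$WANT" "$LIVE" || echo "drift detected"
```

A non-zero exit status makes the function usable from a cron job or a configuration-management check, and a key reported as missing is the quickest sign that a setting written for one kernel generation is being applied to another.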
Hi, which of the kernel parameters turn the server into a router?
This one: net.ipv4.ip_forward=1
Thanks Tomas
Sander’s book says that on RHEL 7 the /etc/sysctl.conf file should not be used anymore, though in the video tutorial he is using it. Any idea about this?
If /etc/sysctl.conf is not usable, what other way exists to make the tunables changed through sysctl permanent?
Create a .conf file in the /etc/sysctl.d/ directory. It should be mentioned in the sysctl.conf file if you read it.
So, do I have to create a .conf file for every tunable, like one for ip forward, icmp etc., or can I create a single .conf file and write all the tunables to it?
The /etc/sysctl.conf says “To override those settings, enter new settings here, or in an /etc/sysctl.d/.conf file”; it still does not say this file should not be used.
So what is the official rule here? Should it be used or not? I could not find anything in the Red Hat official docs.
Use whichever you prefer.
You can create one file that contains all the kernel parameters that you want to tune, or you can split them into separate files (that’s how Puppet does it). You can use both locations, however, files that are placed under /etc/sysctl.d/ will overwrite configuration which is in sysctl.conf.
In the video Sander is using /etc/sysctl.conf since he didn’t record a video for RHEL 7, and is reusing it from RHEL 6.
Probably time limits.
Thanks for the update.
With this command:
# sysctl -a
It displays all the tunables.
How do we check the descriptions for all tunables? This command does not display anything in the description.
This description might help us during the exam.
This is an excellent question! Kernel documentation contains descriptions for tunable parameters. I have updated the article to reflect this.
The kernel-doc package doesn’t seem to be on the 7.0 installation media, so I’m not sure if it will be available during the exam.
Still mystery. :)