Kernel Sysctl Configuration for Linux

Linux security and performance tuning with sysctl.

Below is the content of /etc/sysctl.conf that I use on a CentOS 6 server.

# Kernel sysctl configuration file for Linux
#
# By: www.lisenet.com
#
# Tested on a Red Hat server with physical memory of 2GB
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.
#
# References
# https://www.suse.com/documentation/sles-12/book_hardening/data/sec_sec_prot_general_kernel.html
# https://wiki.archlinux.org/index.php/Sysctl
# https://rtcamp.com/tutorials/linux/sysctl-conf/
# http://seriousbirder.com/blogs/centos-6-setting-shmmax-and-shmall-kernel-paramaters/
# http://kaivanov.blogspot.co.uk/2010/09/linux-tcp-tuning.html

# Any process which has changed privilege levels
# or is execute only will not be dumped (default)
fs.suid_dumpable = 0

# File handle limit
fs.file-max=6577347

########################################
###          Memory Tuning           ###
########################################

# How aggressively the kernel swaps out anonymous pages instead of
# dropping page cache (0-100); 60 is the kernel default
vm.swappiness = 60

# Controls the total amount of shared memory the system may allocate, in pages (not bytes)
# The page size is almost always 4K; to be safe, check it with:
# getconf PAGE_SIZE => 4096
# Allocating 1GB below (1*1024*1024*1024/4096=262144)
kernel.shmall = 262144

# Control the maximum size of a single shared memory segment, in bytes
# Setting to half (1GB) of our physical memory
kernel.shmmax = 1073741824

########################################
###         Kernel Hardening         ###
########################################

# Reboot a system after 10 seconds of kernel panic
kernel.panic = 10

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Restricting access to kernel logs
kernel.dmesg_restrict = 1

# Hide kernel addresses in /proc/kallsyms and similar interfaces from
# unprivileged users; this removes information that local root exploits rely on
kernel.kptr_restrict = 1

# Controls the default maximum size of a message queue, in bytes
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Enable ExecShield protection (RHEL/CentOS 6 kernels only; other kernels
# do not have this key and sysctl -p will report it as unknown)
kernel.exec-shield = 1
# Full address space randomisation (stack, mmap base, VDSO and heap/brk);
# applications that set the ADDR_NO_RANDOMIZE personality flag remain exempt
kernel.randomize_va_space = 2

# Default
kernel.pid_max = 32768

# Increase the length of the processor input queue
net.core.netdev_max_backlog = 5000

# Upper limit on the listen() backlog of a socket. Default
net.core.somaxconn = 128

# Disable netfilter on bridges.
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0

########################################
###      TCP/IP Stack Hardening      ###
########################################

# Controls IP packet forwarding.
# Set this value to 1 to turn the server into a router
net.ipv4.ip_forward = 0

# Disable fast recycling of TIME_WAIT sockets.
# Enabling fast recycling of TIME_WAIT sockets is usually
# a bad idea as it will cause you a lot of problems when working with NAT
net.ipv4.tcp_tw_recycle = 0

# Do not allow reuse of sockets in TIME_WAIT state for new connections
net.ipv4.tcp_tw_reuse = 0

# Help prevent against SYN flood attacks
net.ipv4.tcp_syncookies = 1

# When enabled, TCP timestamps protect against wrapped sequence numbers (PAWS).
# Turning off timestamps may do more harm than good:
# TCP timestamps are used to improve performance as well as protect
# against late packets messing up your data flow. If you disable TCP timestamps
# you should expect worse performance and less reliable connections.
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_sack = 1

# Enable windows scaling
net.ipv4.tcp_window_scaling = 1
# Maximum receive and send window size 16MB
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# Increase the read-buffer and write-buffer space allocatable
# Autotuning TCP buffer limit 16MB
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

# Do not accept source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Disable redirects, not a router
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Enable source validation by reversed path
# Protects from attackers that are using ip spoofing methods to do harm
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Log packets with impossible addresses to kernel log
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Ignore all ECHO broadcast requests
# Prevent being part of smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP error responses (the only valid key for this is
# icmp_ignore_bogus_error_responses; there is no icmp_ignore_bogus_error_messages)
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Allowed local port range
net.ipv4.ip_local_port_range = 9000 65535

# How long a socket stays in FIN-WAIT-2 waiting for the peer's FIN
# (this is not the TIME_WAIT length); 60 is the default
net.ipv4.tcp_fin_timeout = 60

########################################
###              IPv6                ###
########################################

# Disable IPv6 except for localhost
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# There is no rp_filter sysctl for IPv6 (net.ipv6.conf.all.rp_filter is not a
# valid key and sysctl -p will error on it); reverse-path validation for IPv6
# is done with the ip6tables "rpfilter" match instead

# Do not accept router advertisements; addresses and routes are configured statically
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0

# Disable redirects, not a router
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
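A configuration like the one above is only as good as what the kernel is actually running, and a single unknown key makes sysctl -p fail part-way. The script below is an added example (not from the original post) that parses settings in sysctl.conf format, compares them with a snapshot in the "key = value" format that sysctl -a prints, and reports keys that deviate or do not exist. Both the desired settings and the running snapshot are constructed inline so the script runs offline; on a real host, replace RUNNING with the output of sysctl -a.

```shell
#!/bin/sh
# Audit running kernel parameters against a sysctl.conf-style policy.
# Constructed inputs: a short excerpt of the page's hardening settings,
# including the non-existent icmp_ignore_bogus_error_messages key.
DESIRED='
# Kernel hardening excerpt (constructed for this example)
kernel.sysrq = 0
kernel.kptr_restrict = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.tcp_rmem = 4096 87380 16777216
'
# Constructed snapshot of what a host is running; sysctl -a separates the
# values of multi-value keys with tabs, which is reproduced here.
RUNNING=$(printf '%s\n' \
    'kernel.sysrq = 1' \
    'kernel.kptr_restrict = 1' \
    'net.ipv4.tcp_syncookies = 1' \
    'net.ipv4.conf.all.rp_filter = 0' \
    'net.ipv4.tcp_rmem = 4096'"$(printf '\t')"'87380'"$(printf '\t')"'16777216')

# Strip comments and blank lines, then emit "key<TAB>value" with whitespace
# inside multi-value settings collapsed so tabs and spaces compare equal.
normalise() {
    sed -e 's/[#;].*//' -e '/^[[:space:]]*$/d' |
    awk -F'=' '{ k=$1; v=$2
                 gsub(/^[ \t]+|[ \t]+$/, "", k)
                 gsub(/[ \t]+/, " ", v); gsub(/^ | $/, "", v)
                 print k "\t" v }'
}

# audit DESIRED RUNNING: prints one line per deviation.
#   MISMATCH key want=[..] have=[..]  value differs from the policy
#   UNKNOWN key                        key is absent from the running kernel
audit() {
    desired=$(printf '%s\n' "$1" | normalise)
    running=$(printf '%s\n' "$2" | normalise)
    printf '%s\n' "$desired" | while IFS="$(printf '\t')" read -r key want; do
        have=$(printf '%s\n' "$running" | awk -v k="$key" 'BEGIN{FS="\t"} $1==k {print $2}')
        if [ -z "$have" ]; then
            printf 'UNKNOWN %s\n' "$key"
        elif [ "$have" != "$want" ]; then
            printf 'MISMATCH %s want=[%s] have=[%s]\n' "$key" "$want" "$have"
        fi
    done
}

audit "$DESIRED" "$RUNNING"
```

Running it on the constructed inputs reports kernel.sysrq and rp_filter as mismatches and flags the bogus ICMP key as unknown, while the tab-separated tcp_rmem triple compares equal to the policy.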

7 thoughts on “Kernel Sysctl Configuration for Linux”

  1. Sander’s book says on rhel 7 /etc/sysctl.conf file should not be used anymore though in the video tutorial he is using it . Any idea about this?
    If /etc/sysctl.conf is not usable , what other way exist to make the tunables changed through sysctl permanent?

    • Create .conf file in /etc/sysctl.d/ directory. It should be mentioned in the sysctl.conf file if you read it.

    • So, do I have to create a .conf file for every tunable, like one for ip forward, icmp etc., or can I create a single .conf file and write all tunables to it?
      The /etc/sysctl.conf says “To override those settings, enter new settings here, or in an /etc/sysctl.d/.conf file”; it still does not say this file should not be used.
      So what is the official rule here? Should it be used or not? I could not find anything in the Red Hat official docs.

    • Use whichever you prefer.

      You can create one file that contains all the kernel parameters that you want to tune, or you can split them into separate files (that’s how Puppet does it). You can use both locations; however, files that are placed under /etc/sysctl.d/ will overwrite configuration that is in sysctl.conf.
