Kernel Sysctl Configuration for Linux

Linux security and performance tuning with sysctl.

Below is the content of /etc/sysctl.conf that I use on a CentOS 6 server.

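# Kernel sysctl configuration file for Linux
#
# By: www.lisenet.com
#
# Tested on a Red Hat server with physical memory of 2GB
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.
#
# Format: one "key = value" per line, "#" starts a full-line comment.
# A key that does not exist on the running kernel makes "sysctl -p"
# print an error for that line and continue with the rest, so check
# the output after loading this file.
#
# References
# https://www.suse.com/documentation/sles-12/book_hardening/data/sec_sec_prot_general_kernel.html
# https://wiki.archlinux.org/index.php/Sysctl
# https://rtcamp.com/tutorials/linux/sysctl-conf/
# http://seriousbirder.com/blogs/centos-6-setting-shmmax-and-shmall-kernel-paramaters/
# http://kaivanov.blogspot.co.uk/2010/09/linux-tcp-tuning.html

# Any process which has changed privilege levels
# or is execute only will not be dumped (default)
fs.suid_dumpable = 0

# File handle limit (system-wide maximum number of open file handles)
fs.file-max = 6577347

########################################
###          Memory Tuning           ###
########################################

# How aggressively the kernel swaps out anonymous memory (0-100).
# 60 is the kernel default; it is not a "percentage of RAM in use".
vm.swappiness = 60

# Controls the total amount of shared memory that can be allocated
# system-wide, in pages (not bytes)
# A page is almost always 4K; to be safe, run the following command:
# getconf PAGE_SIZE => 4096
# Allocating 1GB below (1*1024*1024*1024/4096=262144)
kernel.shmall = 262144

# Control the maximum size of a single shared memory segment, in bytes
# Setting to half (1GB) of our physical memory
kernel.shmmax = 1073741824

########################################
###         Kernel Hardening         ###
########################################

# Reboot a system after 10 seconds of kernel panic
kernel.panic = 10

# Controls the System Request debugging functionality of the kernel
# 0 disables the magic SysRq key completely
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Restricting access to kernel logs (dmesg) to privileged users
kernel.dmesg_restrict = 1

# Hide kernel pointers (e.g. in /proc/kallsyms) from unprivileged users.
# This helps mitigate local root exploits that rely on known kernel addresses
kernel.kptr_restrict = 1

# Controls the default maximum size of a message queue, in bytes
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Enable ExecShield protection
# Red Hat / CentOS 6 kernels only; the key does not exist upstream
kernel.exec-shield = 1
# Full address space randomization: stack, mmap, VDSO and heap (brk).
# 1 leaves the heap unrandomized; 2 is the recommended setting
kernel.randomize_va_space = 2

# Default
kernel.pid_max = 32768

# Increase the length of the processor input queue
net.core.netdev_max_backlog = 5000

# The maximum number of "backlogged sockets". Default
net.core.somaxconn = 128

# Disable netfilter on bridges.
# Left commented out on purpose: these keys only exist while the bridge
# module is loaded, and "sysctl -p" reports an error for them otherwise
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0

########################################
###      TCP/IP Stack Hardening      ###
########################################

# Controls IP packet forwarding.
# Set the value to 1 to turn the server into a router
net.ipv4.ip_forward = 0

# Disable fast recycling of TIME_WAIT sockets.
# Enabling fast recycling of TIME_WAIT sockets is usually
# a bad idea as it will cause you a lot of problems when working with NAT
net.ipv4.tcp_tw_recycle = 0

# Do not allow reuse of sockets in TIME_WAIT state for new connections
net.ipv4.tcp_tw_reuse = 0

# Help prevent against SYN flood attacks
net.ipv4.tcp_syncookies = 1

# TCP timestamps (RFC 1323) provide PAWS, the protection against
# wrapped sequence numbers; setting this to 0 switches that protection off.
# Turning off timestamps may do more harm than good
net.ipv4.tcp_timestamps = 1
# Do not cache per-destination TCP metrics (ssthresh, cwnd) between connections
net.ipv4.tcp_no_metrics_save = 1
# Enable selective acknowledgements
net.ipv4.tcp_sack = 1

# Enable window scaling
net.ipv4.tcp_window_scaling = 1
# Maximum receive and send window size 16MB
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# Increase the read-buffer and write-buffer space allocatable
# Autotuning TCP buffer limit 16MB (values are: min default max, in bytes)
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

# Do not accept source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Disable redirects, not a router
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Enable source validation by reversed path
# Protects from attackers that are using ip spoofing methods to do harm
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Log packets with impossible addresses to kernel log
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Ignore all ECHO broadcast requests
# Prevent being part of smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP errors
# The key is *_responses; the *_messages variant seen in some guides
# does not exist in the kernel and only produces a "sysctl -p" error
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Allowed local port range
net.ipv4.ip_local_port_range = 9000 65535

# How long an orphaned connection stays in FIN-WAIT-2 before it is
# dropped, in seconds. This is not the TIME_WAIT timeout, which is fixed
net.ipv4.tcp_fin_timeout = 60

########################################
###              IPv6                ###
########################################

# Disable IPv6 except for localhost
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Note: there is no net.ipv6.conf.*.rp_filter key; the kernel has
# reverse path filtering sysctls for IPv4 only, and listing one for IPv6
# just produces a "sysctl -p" error. Do IPv6 anti-spoofing in the
# packet filter instead if IPv6 is re-enabled.

# Do not accept router advertisements; the host keeps static addressing
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0

# Disable redirects, not a router
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0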
