From 7855df459d92c655c0466a7c073d36a1d93051b9 Mon Sep 17 00:00:00 2001
From: Alex
Date: Thu, 23 Jul 2020 20:27:53 +0200
Subject: [PATCH] Initial commit
---
 10-memory.conf | 4 ++++
 20-network.conf | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 30-kernel.conf | 10 ++++++++++
 3 files changed, 60 insertions(+)
 create mode 100644 10-memory.conf
 create mode 100644 20-network.conf
 create mode 100644 30-kernel.conf
diff --git a/10-memory.conf b/10-memory.conf
new file mode 100644
index 0000000..101f615
--- /dev/null
+++ b/10-memory.conf
@@ -0,0 +1,4 @@
+vm.overcommit_memory = 2
+
+vm.dirty_ratio = 30
+vm.dirty_background_ratio = 10
diff --git a/20-network.conf b/20-network.conf
new file mode 100644
index 0000000..a490e10
--- /dev/null
+++ b/20-network.conf
@@ -0,0 +1,46 @@
+# IPV4
+net.ipv4.ip_forward = 0
+net.ipv4.conf.default.accept_source_route = 0
+
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_synack_retries = 5
+
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+net.ipv4.tcp_rfc1337 = 1
+
+# TCP Tweaks
+net.ipv4.tcp_fastopen = 3
+net.ipv4.tcp_tw_reuse = 1
+net.ipv4.tcp_mtu_probing = 1
+
+# IPV6
+net.ipv6.conf.default.router_solicitations = 0
+
+net.ipv6.conf.default.accept_ra_rtr_pref = 0
+net.ipv6.conf.default.accept_ra_pinfo = 0
+net.ipv6.conf.default.accept_ra_defrtr = 0
+
+net.ipv6.conf.default.autoconf = 0
+
+net.ipv6.conf.default.dad_transmits = 0
+
+net.ipv6.conf.default.max_addresses = 1
+
+# Misc
+net.core.netdev_max_backlog = 16384
+net.core.somaxconn = 8192
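Review bot: `vm.overcommit_memory = 2` in 10-memory.conf is set without `vm.overcommit_ratio` or `vm.overcommit_kbytes`, so the commit limit falls back to the kernel default of swap plus 50% of RAM. On a host with little or no swap, allocations and forks will then fail with ENOMEM long before memory is actually exhausted, which is an availability risk for a file meant to be dropped in generically. Set the limit explicitly next to the mode, for example `vm.overcommit_ratio = <percent sized for the host>`, and add a comment such as `# strict accounting: commit limit = swap + overcommit_ratio% of RAM`.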
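Review bot: The IPv6 block in 20-network.conf leaves ICMPv6 redirects enabled, while the IPv4 block turns redirect acceptance off for both `all` and `default`. Adding `net.ipv6.conf.all.accept_redirects = 0` and `net.ipv6.conf.default.accept_redirects = 0` closes that gap. Every IPv6 key here is also set only under `default`, which presumably leaves interfaces that already exist when the file is loaded on their previous values, so the router-advertisement settings may need `all` or per-interface counterparts; confirm against the load order on the target hosts. Separately, `net.ipv4.conf.default.accept_source_route = 0` appears twice in the IPv4 block and the second copy can be dropped.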
diff --git a/30-kernel.conf b/30-kernel.conf
new file mode 100644
index 0000000..ba166ee
--- /dev/null
+++ b/30-kernel.conf
@@ -0,0 +1,10 @@
+kernel.sysrq = 0
+
+# Memory execution prevention
+kernel.exec-shield = 2
+kernel.randomize_va_space=2
+
+kernel.dmesg_restrict = 1
+kernel.kptr_restrict = 2
+
+kernel.kexec_load_disabled = 1
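Review bot: `kernel.exec-shield = 2` in 30-kernel.conf names a key that only older Red Hat-patched kernels expose; on other kernels it does not exist, so loading the file reports an error for that line and the "Memory execution prevention" comment overstates what is enforced. Either drop the line or write it as `-kernel.exec-shield = 2` so a missing key is ignored. `kernel.kexec_load_disabled = 1` cannot be set back to 0 until reboot and will likely stop a crash-kernel loader that runs after this file is applied, so it deserves a comment such as `# one-way until reboot; load any kdump image before this is applied`. As a style point, `kernel.randomize_va_space=2` is the only assignment without spaces around `=`.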