picatz / goldengirl

✨ All that shimmers is gold!
MIT License

cleanup Vagrantfile #4

Closed picatz closed 6 years ago

picatz commented 6 years ago

I left a bunch of garbage in there.

picatz commented 6 years ago
    #!/bin/sh
    # Kernel hardening and network tuning applied at provisioning time (run as root).
    # sysctl -w only changes the running kernel; drop the same keys into
    # /etc/sysctl.d/ if they need to survive a reboot.

    # Don't answer ICMP echo sent to broadcast addresses (smurf amplification)
    sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
    # Don't log bogus ICMP error responses from broken routers (avoids log flooding)
    sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
    # Turn on SYN cookies for SYN flood protection
    sysctl -w net.ipv4.tcp_syncookies=1
    # Log martian packets (spoofed, source-routed, or impossible source addresses)
    sysctl -w net.ipv4.conf.all.log_martians=1
    sysctl -w net.ipv4.conf.default.log_martians=1
    # Drop source-routed packets
    sysctl -w net.ipv4.conf.all.accept_source_route=0
    sysctl -w net.ipv4.conf.default.accept_source_route=0
    # Strict reverse path filtering (1 = strict; a multi-homed host may need 2 = loose)
    sysctl -w net.ipv4.conf.all.rp_filter=1
    sysctl -w net.ipv4.conf.default.rp_filter=1
    # Ignore ICMP redirects so nothing on the link can alter the routing table
    # (secure_redirects only matters while accept_redirects is on; cleared for completeness)
    sysctl -w net.ipv4.conf.all.accept_redirects=0
    sysctl -w net.ipv4.conf.default.accept_redirects=0
    sysctl -w net.ipv4.conf.all.secure_redirects=0
    sysctl -w net.ipv4.conf.default.secure_redirects=0
    # Don't act as a router, and don't send redirects
    sysctl -w net.ipv4.ip_forward=0
    sysctl -w net.ipv4.conf.all.send_redirects=0
    sysctl -w net.ipv4.conf.default.send_redirects=0
    # Exec-shield (NX emulation) exists only on Red Hat patched kernels up to RHEL/CentOS 6;
    # the key is absent on mainline kernels and sysctl -w fails there, so only set it if present
    [ -e /proc/sys/kernel/exec-shield ] && sysctl -w kernel.exec-shield=1
    # Full ASLR: 2 randomizes stack, mmap, VDSO and heap (brk); 1 leaves the heap base
    # fixed, which is weaker than the kernel's default of 2
    sysctl -w kernel.randomize_va_space=2
    # Disable IPv6 (the guest then has no IPv6 connectivity at all)
    sysctl -w net.ipv6.conf.default.disable_ipv6=1
    sysctl -w net.ipv6.conf.all.disable_ipv6=1
    # Increase the system-wide open file descriptor limit
    sysctl -w fs.file-max=65535
    # Allow more PIDs (avoids fork() failures under heavy process creation)
    sysctl -w kernel.pid_max=65536
    # Raise the maximum socket receive (rmem) and send (wmem) buffer sizes to 8 MB
    # (8388608 bytes) for all protocols; applications still have to ask for them via SO_RCVBUF/SO_SNDBUF
    sysctl -w net.core.rmem_max=8388608
    sysctl -w net.core.wmem_max=8388608
    # Input queue length per interface when packets arrive faster than the kernel can process them
    sysctl -w net.core.netdev_max_backlog=5000
    # Enable TCP window scaling so the receive window can exceed 64 KB
    sysctl -w net.ipv4.tcp_window_scaling=1
    # Send the first keepalive probe after 60 s of idle time (default 7200 s). With the
    # 5 probes 15 s apart set below, a dead peer is dropped after 60 + 5 * 15 = 135 s
    sysctl -w net.ipv4.tcp_keepalive_time=60
    # The nf_conntrack keys only exist once the nf_conntrack module is loaded
    if [ -e /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established ]; then
        # Keep TIME_WAIT entries in the conntrack table for 10 s instead of the default 120 s
        sysctl -w net.netfilter.nf_conntrack_tcp_timeout_time_wait=10
        # How long to keep ESTABLISHED connections in the conntrack table; must be higher than
        # tcp_keepalive_time + tcp_keepalive_probes * tcp_keepalive_intvl (135 s with the values here)
        sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=300
        sysctl -w net.netfilter.nf_conntrack_generic_timeout=300
    fi
    # Allow a high number of TIME_WAIT sockets before the kernel starts destroying them
    sysctl -w net.ipv4.tcp_max_tw_buckets=2000000
    # Hold a socket in FIN_WAIT_2 for at most 10 s waiting for the peer's FIN (default 60 s)
    sysctl -w net.ipv4.tcp_fin_timeout=10
    # Let the stack reuse TIME_WAIT sockets for new outgoing connections when it is safe (timestamp based)
    sysctl -w net.ipv4.tcp_tw_reuse=1
    # Interval between keepalive probes (reduced from the 75 s default to 15 s)
    sysctl -w net.ipv4.tcp_keepalive_intvl=15
    # Number of unanswered probes before the connection is dropped (reduced from 9 to 5)
    sysctl -w net.ipv4.tcp_keepalive_probes=5
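The sysctl list above applies settings but never checks that they took, and a couple of the keys (kernel.exec-shield, the net.netfilter ones) only exist on some kernels. The script below is an added example, not code from the goldengirl repo or from this issue: it audits a host against the security-relevant subset of the settings above by reading the /proc/sys tree directly, so it needs no sysctl binary and can be pointed at any directory (a mounted guest image, or a constructed tree in a test). The baseline list, the function names and the OK/FAIL/MISSING convention are assumptions made for this example; a key that does not exist is reported as MISSING and does not count as a failure.

```shell
#!/bin/sh
# Added example: audit live sysctl values against a hardening baseline by
# reading /proc/sys directly. Not part of the goldengirl repo.
#
# Usage (after sourcing this file):
#   audit_sysctl                      # audit the running kernel (/proc/sys)
#   audit_sysctl /mnt/guest/proc/sys  # audit another tree
# Exit status of audit_sysctl is the number of settings that deviate.

# Constructed baseline (assumption for this example): the security-relevant
# subset of the hardening settings from the issue, as key=value lines.
SYSCTL_BASELINE='
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.ip_forward=0
kernel.randomize_va_space=2
'

# sysctl_path DIR KEY -> prints DIR/<key with dots turned into slashes>,
# i.e. the /proc/sys node for a dotted sysctl key.
sysctl_path() {
    printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr . /)"
}

# check_sysctl DIR KEY EXPECTED -> prints one report line and returns
# 0 (OK: value matches), 1 (FAIL: value differs) or 2 (MISSING: no such key).
check_sysctl() {
    nodepath=$(sysctl_path "$1" "$2")
    if [ ! -r "$nodepath" ]; then
        printf 'MISSING %s (expected %s)\n' "$2" "$3"
        return 2
    fi
    # Read the first line of the node; /proc/sys values end with a newline.
    current=''
    IFS= read -r current < "$nodepath" || true
    if [ "$current" = "$3" ]; then
        printf 'OK      %s = %s\n' "$2" "$current"
        return 0
    fi
    printf 'FAIL    %s = %s (expected %s)\n' "$2" "$current" "$3"
    return 1
}

# audit_sysctl [DIR] -> checks every baseline entry under DIR (default
# /proc/sys), prints a report, and returns the number of FAIL results.
# MISSING keys are listed but not counted, so the same baseline can be run
# against kernels that lack an optional key.
audit_sysctl() {
    audit_dir=${1:-/proc/sys}
    fails=0
    for entry in $SYSCTL_BASELINE; do
        entry_key=${entry%%=*}
        entry_val=${entry#*=}
        check_sysctl "$audit_dir" "$entry_key" "$entry_val" \
            || [ $? -eq 2 ] \
            || fails=$((fails + 1))
    done
    printf '%d setting(s) deviate from the baseline\n' "$fails"
    return "$fails"
}
```

Running this right after the provisioning script is the quickest way to catch a key that silently failed to apply (for instance because the module backing it was not loaded yet); extending SYSCTL_BASELINE with the remaining keys from the issue is a one-line-per-key change.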
picatz commented 6 years ago

Basically fixed this with https://github.com/picatz/goldengirl/commit/ef7cf87b56c03e193454e35f11f547061aeed586