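# sysctl.conf - kernel variables to improve network performance and harden against common
# Denial of Service attacks. Loaded with `sysctl -p` (see sysctl.conf(5)).
# Format: one `key = value` per line. Only FULL-LINE `#` comments are recognised: text placed
# after a value is handed to the kernel as part of the value and rejected as "Invalid argument",
# so every note below sits on its own line above the key it describes.
# It's possible that not all of the variables work on all Linux distributions/kernels; test to
# make sure. Some values might need a slight modification to match the server hardware, however
# in most cases it should be fine.
# variables list compiled by hip0 - http://www.pc-freak.net - date 08.07.2011

############ IPv4 Sysctl Settings ################

# Turn off IP forwarding (this host is not a router)
net.ipv4.ip_forward = 0

# Control source route (reverse-path) verification, 1 = strict.
# The effective value is the maximum of conf.all and the per-interface setting, and "default"
# only seeds interfaces created after this file is loaded, so "all" is set as well.
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

# Disable ICMP redirects ("default" covers interfaces created later, "all" the existing ones)
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0

# Disable IP source routing
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0

# Decrease FIN timeout (seconds) - useful on a busy/high-load server
net.ipv4.tcp_fin_timeout = 40

# TCP keepalive timeout (seconds a connection stays idle before the first keepalive probe)
net.ipv4.tcp_keepalive_time = 4000

# Default receive socket buffer size in bytes - a good idea to increase it if the server
# receives big files. net.core.rmem_max is not set by this file.
net.core.rmem_default = 786426
# Per-socket TCP receive buffer (min default max), kept disabled. sysctl.conf takes values
# verbatim, so the quotes around the three numbers must be dropped before enabling it:
# net.ipv4.tcp_rmem = 4096 87380 4194304

# Default and maximum send socket buffer size in bytes (reserved memory per connection)
net.core.wmem_default = 8388608
net.core.wmem_max = 8388608

# Maximum amount of option memory buffers per socket (bytes)
net.core.optmem_max = 40960

# TCP reordering tolerance, more TIME-WAIT buckets, larger per-device input backlog
net.ipv4.tcp_max_tw_buckets = 360000
net.ipv4.tcp_reordering = 5
# net.core.hot_list_length no longer exists on current kernels; kept for reference only
# net.core.hot_list_length = 256
net.core.netdev_max_backlog = 1024

# Address-space layout randomization (ExecShield-style protection against many memory
# corruption exploits). 2 = full randomization including the heap (brk); 1 randomizes only
# stack, mmap base and vDSO and leaves the heap at a predictable address.
kernel.randomize_va_space = 2

# Increase the number of PIDs processes can be assigned - very needed on more powerful servers
kernel.pid_max = 65536

# Protect against the common SYN flood attack.
# 1 = send SYN cookies only when the SYN backlog overflows (the recommended setting);
# 2 = send cookies unconditionally. Cookies are a fallback for overload, not a capacity
# tool, so 2 is only worth experimenting with while actually under attack.
net.ipv4.tcp_syncookies = 1
# Number of SYN-ACK retransmissions for a half-open connection; a low value limits the
# state a SYN flood can tie up
net.ipv4.tcp_synack_retries = 2

##################################################

############## IPv6 Sysctl Settings ################

# Number of Router Solicitations to send until assuming no routers are present
net.ipv6.conf.default.router_solicitations = 0

# Accept Router Preference in RA? Again not necessary if the server is not a router
net.ipv6.conf.default.accept_ra_rtr_pref = 0

# Learn Prefix Information from Router Advertisements (unnecessary for non-routers)
net.ipv6.conf.default.accept_ra_pinfo = 0

# Do not learn a default router from Router Advertisements; a rogue RA could otherwise
# redirect or black-hole this host's traffic (a common DoS / interception vector)
net.ipv6.conf.default.accept_ra_defrtr = 0

# Disable IPv6 global unicast address autoconfiguration (SLAAC) on the server
net.ipv6.conf.default.autoconf = 0

# Duplicate Address Detection probes (neighbor solicitations) sent per new address;
# 0 disables DAD entirely, so address conflicts are not detected
net.ipv6.conf.default.dad_transmits = 0

# Do not assign more than 1 IPv6 address per network interface
net.ipv6.conf.default.max_addresses = 1

#####################################################

# Reboot 20 seconds after a kernel panic instead of hanging
kernel.panic = 20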