Welcome to Centmin Mod Community
Register Now

Add some basic rules at /etc/sysctl.conf

Discussion in 'Feature Requests & Suggestions' started by pamamolf, Aug 17, 2016.

  1. pamamolf

    pamamolf Well-Known Member

    2,725
    243
    63
    May 31, 2014
    Ratings:
    +434
    Local Time:
    5:41 AM
    Nginx-1.13.x
    MariaDB 10.1.x
    Hi :)

    I would like to see Centminmod installation to add some basic rules at /etc/sysctl.conf like:

    Code:
    # Avoid a smurf attack
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    
    # Turn on protection for bad icmp error messages
    net.ipv4.icmp_ignore_bogus_error_responses = 1
    
    # Turn on syncookies for SYN flood attack protection
    net.ipv4.tcp_syncookies = 1
    
    # Turn on and log spoofed, source routed, and redirect packets
    net.ipv4.conf.all.log_martians = 1
    net.ipv4.conf.default.log_martians = 1
    
    # No source routed packets here
    net.ipv4.conf.all.accept_source_route = 0
    net.ipv4.conf.default.accept_source_route = 0
    
    # Turn on reverse path filtering
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1
    
    # Make sure no one can alter the routing tables
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.all.secure_redirects = 0
    net.ipv4.conf.default.secure_redirects = 0
    
    # Don't act as a router
    net.ipv4.ip_forward = 0
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.send_redirects = 0
    
    # Optimization for port usefor LBs
    # Increase system file descriptor limit
    fs.file-max = 65535
    
    # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
    kernel.pid_max = 65536
    
    # Increase TCP max buffer size setable using setsockopt()
    net.ipv4.tcp_rmem = 4096 87380 8388608
    net.ipv4.tcp_wmem = 4096 87380 8388608
    
    # Increase Linux auto tuning TCP buffer limits
    # min, default, and max number of bytes to use
    # set max to at least 4MB, or higher if you use very high BDP paths
    # Tcp Windows etc
    net.core.rmem_max = 8388608
    net.core.wmem_max = 8388608
    net.core.netdev_max_backlog = 5000
    net.ipv4.tcp_window_scaling = 1
    Many of them look very basic and may help in some cases i think....

    Thanks
     
  2. eva2000

    eva2000 Administrator Staff Member

    30,178
    6,786
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,139
    Local Time:
    12:41 PM
    Nginx 1.13.x
    MariaDB 5.5
    Centmin Mod already does most of them by default if you're on KVM, Xen or non-OpenVZ servers :) OpenVZ doesn't allow TCP level tuning so Centmin Mod skips it if OpenVZ server is detected

    Centmin Mod 123.09beta01 improves on that though see inc/tcp.inc centminmod/tcp.inc at 123.09beta01 · centminmod/centminmod · GitHub which for CentOS 7 has settings in /etc/sysctl.d/101-sysctl.conf instead of /etc/sysctl.conf
     
    • Informative Informative x 1