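# Kernel network / IPC tuning in sysctl.conf format: one `key = value` per line,
# `#` full-line comments. Loaded with `sysctl -p` (or at boot); when a key is
# repeated the LAST assignment wins, so every key below appears exactly once.
#
# NOTE: this file mixes FreeBSD keys (kern.ipc.*, net.inet.*) with Linux keys
# (net.core.*, net.ipv4.*, fs.*). sysctl reports the keys the running kernel
# does not know as errors; keep only the keys for the target kernel or split
# the file per OS so a load failure is not mistaken for a hardened host.
#
# References:
#   http://www.thern.org/projects/sysctl.conf
#   http://serverfault.com/questions/415844/linux-webhost-security-settings-in-etc-sysctl-conf
#   http://silverwraith.com/papers/freebsd-ddos.php  (net.inet.tcp.msl)

# ---- Connection backlogs ------------------------------------------------------
# Backlog of incoming connections; high values keep HTTP stable under load.
kern.ipc.somaxconn = 4096
net.core.somaxconn = 4096
net.core.netdev_max_backlog = 4096
net.ipv4.tcp_max_syn_backlog = 4096

# ---- TCP timers ---------------------------------------------------------------
# FreeBSD: Maximum Segment Life, in milliseconds. Longest wait for the ACK that
# answers a SYN-ACK or FIN-ACK; after this the segment is considered lost and
# the connection state is freed, so half-open connections are shed sooner.
net.inet.tcp.msl = 7500

# Linux: seconds an idle connection waits before the first keepalive probe.
# Default: 7200
net.ipv4.tcp_keepalive_time = 1800

# ---- Shared memory (FreeBSD) --------------------------------------------------
# Maximum size of a single shared memory segment, in bytes
# (the Linux counterpart is kernel.shmmax).
kern.ipc.shmmax = 536870912
# Total shared memory available to all segments. On FreeBSD this value is a
# page count, not bytes.
# NOTE(review): 32768 pages of 4 KiB is 128 MiB, less than one shmmax-sized
# segment -- confirm the intended ceiling and page size on the target host.
kern.ipc.shmall = 32768

# ---- ICMP / SYN-flood hardening -----------------------------------------------
# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification).
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Do not warn about malformed ICMP error responses (avoids log flooding).
net.ipv4.icmp_ignore_bogus_error_responses = 1
# SYN cookies: keep accepting connections once the SYN backlog is exhausted.
net.ipv4.tcp_syncookies = 1

# ---- Logging of suspicious packets --------------------------------------------
# Log packets with impossible (martian) source addresses, for existing
# interfaces (all) and for interfaces created later (default).
# The original file set this key to 1 and then back to 0 further down; under
# last-wins semantics logging was silently disabled while the comment said it
# was on. It is now set exactly once, enabled.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# ---- Source routing and ICMP redirects ----------------------------------------
# Drop source-routed packets.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Do not let ICMP redirects alter the routing table, not even "secure"
# redirects from the configured default gateways.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# This host is not a router: no forwarding, and never send redirects.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# NOTE(review): only IPv4 is hardened here. The IPv6 counterparts
# (net.ipv6.conf.{all,default}.accept_redirects / accept_source_route) and
# reverse-path filtering (net.ipv4.conf.{all,default}.rp_filter) are not set
# by this file and fall back to the kernel / distribution defaults.

# ---- Socket buffers -----------------------------------------------------------
# Memory for socket receive/send queues. tcp_rmem / tcp_wmem are
# "min default max" in bytes; the net.core *_max values cap what applications
# may request with SO_RCVBUF / SO_SNDBUF.
net.ipv4.tcp_rmem = 4096 25165824 25165824
net.core.rmem_max = 25165824
net.core.rmem_default = 25165824
net.ipv4.tcp_wmem = 4096 65536 25165824
net.core.wmem_max = 25165824
net.core.wmem_default = 65536
net.core.optmem_max = 25165824

# ---- File descriptors ---------------------------------------------------------
# System-wide limit on open file handles.
fs.file-max = 131072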