-
Notifications
You must be signed in to change notification settings - Fork 25
/
Copy pathsysctl.conf
67 lines (63 loc) · 5.86 KB
/
sysctl.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
#
# Custom sysctl.conf by https://github.com/yuk1c/antiddos
#
# Reverse-Path filtering, aka spoof protection.
# 0 = Disabled, 1 = Strict, 2 = Loose
# You need to comment these parameters if you're using an asymmetric routing.
# ================================================================
net.ipv4.conf.default.rp_filter = 1 # For all new interfaces
net.ipv4.conf.all.rp_filter = 1 # For all current interfaces
# The BBR congestion control algorithm is a really good one.
# ================================================================
net.ipv4.tcp_congestion_control=bbr
# The main tweaks.
# ================================================================
#net.ipv4.ip_forward = 1 # Uncomment this if you use the script on a router. Or use a VPN. Not enabled by default due to security reasons.
net.netfilter.nf_conntrack_tcp_loose = 0 # Turn on strict TCP mode for conntrack.
net.netfilter.nf_conntrack_checksum = 0 # Don't perform packet checksum verification by NF. Your server's NIC is probably already doing that.
kernel.unprivileged_userns_clone = 0 # Don't allow unprivileged user namespaces.
net.ipv4.tcp_thin_linear_timeouts = 1 # Enable dynamic triggering of thin linear timeouts (for lower TCP retransmission latencies)
net.ipv4.conf.all.ignore_routes_with_linkdown = 1 # Ignore [IPv4] routes via interfaces that are down. Good for additional reliability.
net.ipv4.conf.default.ignore_routes_with_linkdown = 1 # Just like the previous setting, but for all new interfaces.
net.ipv6.conf.all.ignore_routes_with_linkdown = 1 # Ignore [IPv6] routes via interfaces that are down. Good for additional reliability.
net.ipv6.conf.default.ignore_routes_with_linkdown = 1 # Just like the previous setting, but for all new interfaces.
net.ipv4.ip_local_port_range = 1024 65535 # Increase the range of source ports for less possible port conflicts.
net.ipv4.igmp_link_local_mcast_reports = 0 # Don't send IGMP Link-Local multicast reports.
net.ipv4.ip_autobind_reuse = 1 # Improve performance for high network loads by reusing local ports.
net.core.bpf_jit_harden = 1 # BPF-JIT Hardening.
net.ipv4.conf.all.drop_unicast_in_l2_multicast = 1 # Drop IPv4 unicast packets encapsulated in link-layer multicast/broadcast frames.
net.ipv4.conf.default.drop_unicast_in_l2_multicast = 1 # Just like the previous setting, but for all new interfaces.
net.ipv6.conf.all.drop_unicast_in_l2_multicast = 1 # Drop IPv6 unicast packets encapsulated in link-layer multicast/broadcast frames.
net.ipv6.conf.default.drop_unicast_in_l2_multicast = 1 # Just like the previous setting, but for all new interfaces.
net.ipv4.conf.all.arp_filter = 1 # Prevent ARP Flux.
net.ipv4.conf.default.arp_filter = 1 # Just like the previous setting, but for all new interfaces.
net.ipv4.conf.all.arp_ignore = 1 # Reply to an ARP request only if the target IP address is local address configured on the incoming interface.
net.ipv4.conf.default.arp_ignore = 1 # Just like the previous setting, but for all new interfaces.
net.ipv4.tcp_shrink_window = 1 # Shrink TCP RWIN when it's necessary. Good for stability and performance.
net.ipv4.tcp_tw_reuse = 1 # Reuse TIME_WAIT sockets for new TCP connections. Good for performance.
net.ipv6.icmp.echo_ignore_multicast = 1 # Ignore ICMPv6 multicast echos.
net.ipv6.conf.all.drop_unsolicited_na = 1 # Your server received a NA packet but hasn't asked for it with a NS packet? Drop it.
net.ipv6.conf.default.drop_unsolicited_na = 1 # Just like the previous setting, but for all new interfaces.
net.ipv4.tcp_slow_start_after_idle = 0 # Turn off TCP SlowStart to ramp up speeds more quickly.
net.ipv4.tcp_orphan_retries = 0 # Do not do any TCP orphan retries, nice for mitigating heavy attacks.
vm.hugetlb_optimize_vmemmap = 1 # Attempt to optimize HugeTLB vmemmap pages.
net.ipv4.tcp_synack_retries = 1 # Do less TCP SYN-ACK retries. Just an additional security measure.
net.ipv4.tcp_rfc1337 = 1 # RFC 1337 Compliance for security and reliability.
net.ipv4.tcp_abort_on_overflow = 1 # Do not accept new connections if the listening service is too slow for them. For lower CPU load.
# Exclusive tweaks.
# ================================================================
kernel.io_delay_type = 0 # On newer systems, I/O delay serves no purpose and can be turned off.
vm.memfd_noexec = 1 # Don't allow execution of memory-backed files created with 'memfd_create()' (for security).
#vm.numa_stat = 0 # Turn off NUMA statistics.
#kernel.soft_watchdog = 0 # Turn off kernel soft-lockup detector. (for a very minor performance gain)
#kernel.watchdog = 0 # [BETA] Turn off another watchdog.
#kernel.timer_migration = 0 # Migrating timers == additional overhead. We can turn this off to eliminate it.
#kernel.panic = -1 # Reboot instantly if kernel panic happens.
#net.ipv4.tcp_fastopen = 3 # Always try to use TCP FastOpen.
#net.ipv4.nexthop_compat_mode = 0 # A minor performance tweak.
#net.ipv4.tcp_timestamps = 0 # TCP Timestamps can be turned off for additional security and lower TCP header size.
#net.core.default_qdisc = noqueue # We can turn off qdisc completely to minimize overhead. This can harm sometimes!
#vm.enable_soft_offline = 0 # Favor performance over reliability.
#net.ipv6.conf.all.disable_ipv6 = 1 # Disable IPv6 for all current interfaces. (if you're sure you don't need it)
#net.ipv6.conf.default.disable_ipv6 = 1 # Just like the previous setting, but for all new interfaces.
#net.ipv4.tcp_syncookies = 0 # [EXPERIMENTAL] Never use TCP SYN Cookies because we're already protected enough.