edit /etc/sysctl.d/60-zercle.conf
and run
sysctl --system
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Kernel sysctl configuration file for Linux | |
| # https://www.kernel.org/doc/Documentation/sysctl/ | |
| # | |
| # Original by Michiel Klaver <https://klaver.it/linux/sysctl.conf> | |
| # Modify by Kawin Viriyaprasopsook <[email protected]> | |
| # | |
| # The following is suitable for dedicated web server, mail, file server, KVM server etc. | |
| # place file in /etc/sysctl.d/60-sysctl.conf | |
| # and run `sysctl –system` | |
| # ——————————————————————– | |
| # System options | |
| # ——————————————————————– | |
| # Controls IP packet forwarding (Default 0 but docker,vpn,router server must set to 1) | |
| net.ipv4.ip_forward = 0 | |
| net.ipv6.conf.all.forwarding = 0 | |
| # Addresses of mmap base, heap, stack and VDSO page are randomized | |
| kernel.randomize_va_space = 2 | |
| # Controls the System Request debugging functionality of the kernel | |
| kernel.sysrq = 0 | |
| # Controls whether core dumps will append the PID to the core filename. | |
| # Useful for debugging multi-threaded applications. | |
| kernel.core_uses_pid = 1 | |
| # Allow for more PIDs | |
| kernel.pid_max = 65535 | |
| # Changing Semaphore Limits | |
| kernel.msgmni = 1024 | |
| kernel.sem = 250 256000 32 1024 | |
| # Controls the default maxmimum size of a mesage queue | |
| kernel.msgmnb = 65535 | |
| # Controls the maximum size of a message, in bytes | |
| kernel.msgmax = 65535 | |
| # Controls the maximum number of shared memory segments, in pages | |
| kernel.shmall = 268435456 | |
| # Controls the maximum shared segment size, in bytes | |
| kernel.shmmax = 268435456 | |
| # Keep at least 64MB of free RAM space available | |
| vm.min_free_kbytes = 65535 | |
| # Controls source route verification | |
| net.ipv4.conf.all.rp_filter = 2 | |
| net.ipv4.conf.default.rp_filter = 2 | |
| # Do not accept source routing | |
| net.ipv4.conf.default.accept_source_route = 0 | |
| net.ipv6.conf.default.accept_source_route = 0 | |
| # Disable ICMP Redirect Acceptance | |
| net.ipv4.conf.all.accept_redirects = 0 | |
| net.ipv4.conf.default.accept_redirects = 0 | |
| net.ipv4.conf.all.secure_redirects = 0 | |
| net.ipv4.conf.default.secure_redirects = 0 | |
| net.ipv6.conf.all.accept_redirects = 0 | |
| net.ipv6.conf.default.accept_redirects = 0 | |
| # Disable netfilter on bridges. | |
| net.bridge.bridge-nf-call-ip6tables = 0 | |
| net.bridge.bridge-nf-call-iptables = 0 | |
| net.bridge.bridge-nf-call-arptables = 0 | |
| # Discourage Linux from swapping idle server processes to disk (default = 60) | |
| vm.swappiness = 10 | |
| vm.dirty_ratio = 60 | |
| vm.dirty_background_ratio = 2 | |
| # RFC 1337 fix | |
| net.ipv4.tcp_rfc1337 = 1 | |
| # Tweak how the flow of kernel messages is throttled. | |
| #kernel.printk_ratelimit_burst = 10 | |
| #kernel.printk_ratelimit = 5 | |
| # ——————————————————————– | |
| # The following allow the server to handle lots of connection requests | |
| # ——————————————————————– | |
| # See also http://www.nateware.com/linux-network-tuning-for-2013.html for | |
| # an explanation about some of these parameters, and instructions for | |
| # a few other tweaks outside this file. | |
| # Protection from SYN flood attack. | |
| net.ipv4.tcp_syncookies = 1 | |
| net.ipv4.tcp_syn_retries = 2 | |
| net.ipv4.tcp_synack_retries = 2 | |
| # Increase number of incoming connections that can queue up | |
| # before dropping | |
| net.core.somaxconn = 32768 | |
| # Handle SYN floods and large numbers of valid HTTPS connections | |
| # https://shehab.tech/ | |
| net.ipv4.tcp_max_syn_backlog = 4096 | |
| # Increase the length of the network device input queue | |
| net.core.netdev_max_backlog = 16384 | |
| # Increase system file descriptor limit so we will (probably) | |
| # never run out under lots of concurrent requests. | |
| # (Per-process limit is set in /etc/security/limits.conf) | |
| fs.file-max = 209708 | |
| # Widen the port range used for outgoing connections | |
| net.ipv4.ip_local_port_range = 1024 65535 | |
| # Increasing the amount of inotify watchers | |
| fs.inotify.max_user_watches = 524288 | |
| # ——————————————————————– | |
| # The following help the server efficiently pipe large amounts of data | |
| # ——————————————————————– | |
| # Disable source routing and redirects | |
| net.ipv4.conf.all.send_redirects = 0 | |
| net.ipv4.conf.default.send_redirects = 0 | |
| net.ipv4.conf.all.accept_source_route = 0 | |
| net.ipv4.conf.default.accept_source_route = 0 | |
| net.ipv6.conf.all.accept_source_route = 0 | |
| net.ipv6.conf.default.accept_source_route = 0 | |
| # Avoid falling back to slow start after a connection goes idle | |
| # keeps our cwnd large with the keep alive connections (kernel > 3.6) | |
| net.ipv4.tcp_slow_start_after_idle = 0 | |
| # Controls TCP Packetization-Layer Path MTU Discovery | |
| net.ipv4.tcp_mtu_probing = 1 | |
| # Turn on the tcp_window_scaling | |
| net.ipv4.tcp_window_scaling = 1 | |
| # Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better | |
| net.ipv4.tcp_timestamps = 1 | |
| # Enable the TCP selective acks option for better throughput | |
| net.ipv4.tcp_sack = 1 | |
| # Change Congestion Control | |
| # Use BBR TCP congestion control and set tcp_notsent_lowat to 16384 to ensure HTTP/2 prioritization works optimally | |
| # Do a 'modprobe tcp_bbr' first (kernel > 4.9) | |
| # Fall-back to htcp if bbr is unavailable (older kernels) | |
| net.ipv4.tcp_congestion_control = htcp | |
| net.ipv4.tcp_congestion_control = bbr | |
| # bbr + fq for edge compute | |
| net.core.default_qdisc = fq | |
| # if kernel >= 4.13 | |
| # bbr + fq_codel better for general purose | |
| #net.core.default_qdisc = fq_codel | |
| # bbr + cake better for WAN/Internet gateway | |
| #net.core.default_qdisc = cake | |
| net.ipv4.tcp_notsent_lowat = 16384 | |
| # Increase the maximum amount of option memory buffers | |
| net.core.optmem_max = 65535 | |
| # Increase Linux autotuning TCP buffer limits | |
| # Set max to 16MB (16777216) for 1GE | |
| # 32M (33554432) or 64M (67108864) for 10GE | |
| # 128M (134217728) or 256M (268435456) for 40GE | |
| # Don't set tcp_mem itself! Let the kernel scale it based on RAM. | |
| # Increase the read-buffer space allocatable | |
| net.ipv4.tcp_rmem = 8192 87380 33554432 | |
| net.ipv4.udp_rmem_min = 16384 | |
| net.core.rmem_default = 262144 | |
| net.core.rmem_max = 67108864 | |
| # Increase the write-buffer-space allocatable | |
| net.ipv4.tcp_wmem = 8192 65536 33554432 | |
| net.ipv4.udp_wmem_min = 16384 | |
| net.core.wmem_default = 262144 | |
| net.core.wmem_max = 67108864 | |
| # If your servers talk UDP, also up these limits | |
| net.ipv4.udp_rmem_min = 16384 | |
| net.ipv4.udp_wmem_min = 16384 | |
| # ——————————————————————– | |
| # The following allow the server to handle lots of connection churn | |
| # ——————————————————————– | |
| # Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks | |
| net.ipv4.tcp_max_tw_buckets = 1440000 | |
| # Timeout broken connections faster (amount of time to wait for FIN) | |
| net.ipv4.tcp_fin_timeout = 7 | |
| # Try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT) | |
| net.ipv4.tcp_tw_recycle = 0 | |
| net.ipv4.tcp_tw_reuse = 1 | |
| # Decrease the time default value for connections to keep alive | |
| # Disconnect dead TCP connections after 600+(60*10) seconds | |
| net.ipv4.tcp_keepalive_time = 600 | |
| net.ipv4.tcp_keepalive_probes = 60 | |
| net.ipv4.tcp_keepalive_intvl = 10 | |
| # This will enusre that immediatly subsequent connections use the new values | |
| net.ipv4.route.flush = 1 | |
| net.ipv6.route.flush = 1 |
/etc/iptables.up.rules
# Generated by iptables-save v1.6.0 on Thu Mar 30 00:19:26 2017 *raw :PREROUTING ACCEPT [1324:102679] :OUTPUT ACCEPT [110:12756] # Don't track SYN packets -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CT --notrack COMMIT # Completed on Thu Mar 30 00:19:26 2017 *mangle :PREROUTING ACCEPT [1324:102679] :INPUT ACCEPT [1248:94938] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [110:12756] :POSTROUTING ACCEPT [110:12756] # Allow loopback -A PREROUTING -i lo -j ACCEPT # Drop TCP packets that are new and are not SYN -A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP # Drop SYN packets with suspicious MSS value -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP # Block packets with bogus TCP flags -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags PSH,ACK PSH -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,PSH,URG -j DROP -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP # Block spoofed packets -A PREROUTING -s 224.0.0.0/3 -j DROP -A PREROUTING -s 169.254.0.0/16 -j DROP -A PREROUTING -s 172.16.0.0/12 -j DROP -A PREROUTING -s 192.0.2.0/24 -j DROP -A PREROUTING -s 192.168.0.0/16 -j DROP -A PREROUTING -s 10.0.0.0/8 -j DROP -A PREROUTING -s 0.0.0.0/8 -j DROP -A PREROUTING -s 240.0.0.0/5 -j DROP -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP # Drop fragments in all chains -A PREROUTING -f -j DROP COMMIT # Completed on Thu Mar 30 00:19:26 2017 # Generated by iptables-save v1.6.0 on Tue Mar 28 11:50:15 2017 *nat :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :PREROUTING ACCEPT [0:0] -A POSTROUTING -j MASQUERADE COMMIT # Completed on Thu Mar 30 00:19:26 2017 # Generated by iptables-save v1.6.0 on Tue Mar 28 11:50:15 2017 *filter :INPUT ACCEPT [1246:94823] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [110:12756] :port-scanning - [0:0] # Allow loopback -A INPUT -i lo -j ACCEPT # Allow current connection -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT #Limiting the incoming icmp ping request: -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT -A INPUT -p icmp -j DROP # Simple DDOS Migation by SYNPROXY -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460 -m multiport --dports 22,80,443 -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460 -m multiport --dports 8080,8443 -A INPUT -m conntrack --ctstate INVALID -j DROP # SSH brute-force protection -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSHBF --rsource -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 --name SSHBF --rsource -j DROP # Protection against port scanning -A port-scanning -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec --limit-burst 2 -j RETURN -A port-scanning -j DROP # Allow Apps -A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 22,80,443 -A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 8080,8443 # Default DROP -A INPUT -j DROP COMMIT # Completed on Thu Mar 30 00:19:26 2017
/etc/ip6tables.up.rules
# Generated by iptables-save v1.6.0 on Thu Mar 30 00:19:26 2017 *raw :PREROUTING ACCEPT [1324:102679] :OUTPUT ACCEPT [110:12756] # Don't track SYN packets -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CT --notrack COMMIT # Completed on Thu Mar 30 00:19:26 2017 # Generated by iptables-save v1.6.0 on Tue Mar 28 11:50:15 2017 *filter :INPUT ACCEPT [1246:94823] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [110:12756] :port-scanning - [0:0] # Allow loopback -A INPUT -i lo -j ACCEPT # Allow current connection -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT #Limiting the incoming icmp ping request: -A INPUT -p ipv6-icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT -A INPUT -p ipv6-icmp -j DROP # Simple DDOS Migation by SYNPROXY -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460 -m multiport --dports 22,80,443 -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460 -m multiport --dports 8080,8443 -A INPUT -m conntrack --ctstate INVALID -j DROP # SSH brute-force protection -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSHBF --rsource -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 --name SSHBF --rsource -j DROP # Protection against port scanning -A port-scanning -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec --limit-burst 2 -j RETURN -A port-scanning -j DROP # Allow Apps -A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 22,80,443 -A INPUT -p tcp -m tcp -m multiport -j ACCEPT --dports 8080,8443 # Default DROP -A INPUT -j DROP COMMIT # Completed on Thu Mar 30 00:19:26 2017 # Generated by iptables-save v1.6.0 on Tue Mar 28 11:50:15 2017 *mangle :PREROUTING ACCEPT [1324:102679] :INPUT ACCEPT [1248:94938] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [110:12756] :POSTROUTING ACCEPT [110:12756] COMMIT # Completed on Thu Mar 30 00:19:26 2017 # Generated by iptables-save v1.6.0 on Tue Mar 28 11:50:15 2017 *nat :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :PREROUTING ACCEPT [0:0] -A POSTROUTING -j MASQUERADE COMMIT # Completed on Thu Mar 30 00:19:26 2017
Debian,Ubuntu load iptables
/etc/network/if-pre-up.d/iptablesload
chmod +x /etc/network/if-pre-up.d/iptablesload
#!/usr/bin/env bash sysctl --system > /dev/null 2>&1 iptables-restore < /etc/iptables.up.rules ip6tables-restore < /etc/ip6tables.up.rules exit 0
RHEL,Centos load iptables
#!/usr/bin/env bash sysctl --system > /dev/null 2>&1 systemctl mask firewalld yum -y install iptables-services systemctl enable iptables systemctl enable ip6tables iptables-restore < /etc/iptables.up.rules ip6tables-restore < /etc/ip6tables.up.rules ln -sf /etc/iptables.up.rules /etc/sysconfig/iptables ln -sf /etc/ip6tables.up.rules /etc/sysconfig/ip6tables exit 0