Ultimate sysctl.conf tweaks and security hardening for Linux

In most Linux distributions sysctl.conf is located at /etc/sysctl.conf; on Arch Linux and Manjaro Linux you need to create a new file at /etc/sysctl.d/99-sysctl.conf.

To list every sysctl parameter on a Linux system, open a terminal and run `sysctl -a`; to filter for a specific keyword, run `sysctl -a | grep "keyword"`.

##################################################################
# Credits: infohack.eu - Updated: 24/10/2023 - Linux sysctl.conf #
##################################################################

# Netfilter connection-tracking (conntrack) tuning & hardening.
# The net.netfilter.* keys only exist while the nf_conntrack module is loaded. Put nf_conntrack in
# /etc/modules-load.d/conntrack.conf so the module is present when sysctl --system runs at boot;
# otherwise every line in this group is reported as an error and skipped.
# Per-flow accounting and timestamps are off; they are only needed for per-flow byte/packet stats.
net.netfilter.nf_conntrack_acct=0
# NOTE(review): 0 skips L4 checksum verification of tracked packets, so packets with bad checksums
# are tracked instead of being marked INVALID. Use 1 if strictness matters more than throughput.
net.netfilter.nf_conntrack_checksum=0
net.netfilter.nf_conntrack_events=1
# 0 = never pick up an already-established TCP flow mid-stream. Existing connections therefore die
# when the conntrack table is flushed or the module reloaded; plan firewall reloads accordingly.
net.netfilter.nf_conntrack_tcp_loose=0
net.netfilter.nf_conntrack_timestamp=0
# 0 = every out-of-window TCP segment is marked INVALID (1 would only flag out-of-window RSTs).
net.netfilter.nf_conntrack_tcp_be_liberal=0
# Hard cap on tracked flows. 16384 is small for a server or NAT gateway: once the table is full,
# new flows are dropped and the kernel logs "nf_conntrack: table full, dropping packet" (worth
# alerting on). Raise nf_conntrack_max on busy hosts.
# NOTE(review): more buckets than max entries is unusual (extra hash-table memory, no harm);
# confirm the ratio is intended.
net.netfilter.nf_conntrack_max=16384
net.netfilter.nf_conntrack_buckets=65536
# Retransmissions tolerated without an acceptable ACK before a shorter timer is started.
net.netfilter.nf_conntrack_tcp_max_retrans=3
# Flow timeouts in seconds. Deliberately short to recycle table slots quickly; the 1-second
# TIME_WAIT and ICMP timeouts are aggressive and may drop late replies on slow links.
net.netfilter.nf_conntrack_generic_timeout=120
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged=30
net.netfilter.nf_conntrack_tcp_timeout_time_wait=1
net.netfilter.nf_conntrack_tcp_timeout_close_wait=15
net.netfilter.nf_conntrack_tcp_timeout_close=5
net.netfilter.nf_conntrack_tcp_timeout_last_ack=15
net.netfilter.nf_conntrack_tcp_timeout_fin_wait=15
net.netfilter.nf_conntrack_tcp_timeout_syn_recv=15
net.netfilter.nf_conntrack_tcp_timeout_syn_sent=15
# Established TCP/SCTP flows are forgotten after ~2 hours of silence (7440 s).
net.netfilter.nf_conntrack_tcp_timeout_established=7440
net.netfilter.nf_conntrack_sctp_timeout_established=7440
net.netfilter.nf_conntrack_icmp_timeout=1
net.netfilter.nf_conntrack_icmpv6_timeout=1
net.netfilter.nf_conntrack_udp_timeout=15
net.netfilter.nf_conntrack_udp_timeout_stream=30

# Enable TCP BBR congestion control to increase throughput & reduce latency.
# BBR is usually a module (tcp_bbr); see what the running kernel supports with:
#   cat /proc/sys/net/ipv4/tcp_available_congestion_control
# fq (fair queue) is the qdisc BBR is designed to pace with.
net.ipv4.tcp_congestion_control=bbr
net.core.default_qdisc=fq

# Explicit Congestion Notification (ECN), used only when both ends support it.
# 0 = disabled (use this if middleboxes drop ECN-marked packets). 1 = request ECN on outgoing
# connections and accept it on incoming ones (clients). 2 = kernel default: accept ECN when the
# peer requests it but never request it ourselves (servers/routers).
net.ipv4.tcp_ecn=1

# Kernel task-scheduler tuning.
# sched_energy_aware=1 enables Energy Aware Scheduling on systems that provide a CPU energy
# model (asymmetric CPUs); it is a no-op elsewhere.
kernel.sched_energy_aware=1
# NOTE(review): the sched_*_ns and sched_tunable_scaling keys below moved from sysctl to debugfs
# (/sys/kernel/debug/sched/) in Linux 5.13, and sched_child_runs_first has reportedly been removed
# in recent 6.x kernels. On such kernels these lines make sysctl --system report an error; check
# `sysctl -a | grep sched_` before uncommenting any of them.
# Profile 1: Low battery consumption for mobile devices
#kernel.sched_child_runs_first=0
#kernel.sched_tunable_scaling=0
#kernel.sched_latency_ns=15000000
#kernel.sched_min_granularity_ns=2000000
#kernel.sched_wakeup_granularity_ns=10000000
# Profile 2: Device responsiveness
kernel.sched_child_runs_first=1
#kernel.sched_tunable_scaling=1
#kernel.sched_latency_ns=18000000
#kernel.sched_min_granularity_ns=1000000
#kernel.sched_wakeup_granularity_ns=2000000

# Disable the Magic SysRq key entirely (0 = no SysRq functions, including via /proc/sysrq-trigger).
kernel.sysrq=0

# kernel.panic is the delay in seconds before an automatic reboot after a panic; 0 = never reboot,
# the machine stays halted so the console or crash dump can be inspected.
kernel.panic=0
# 0 = an oops only kills the offending task and the kernel keeps running. Hardening baselines often
# prefer 1 (fail closed), because a kernel that continues after an oops may be in a corrupted
# state; weigh that against availability for this host.
kernel.panic_on_oops=0

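# Disable MultiPath TCP (MPTCP); the author's rationale is reducing TCP attack surface, and it is
# rarely needed on end hosts.
net.mptcp.enabled=0

# 0 = sockets in the default domain do not accept packets arriving through an interface enslaved
# to an L3 master device (VRF), and child sockets do not inherit the VRF index. Only relevant on
# VRF setups, where it must be 1 for a global listener to serve every VRF.
net.ipv4.raw_l3mdev_accept=0
net.ipv4.tcp_l3mdev_accept=0
net.ipv4.udp_l3mdev_accept=0

# Enable TCP window scaling (RFC 7323); required for receive windows above 64 KiB.
net.ipv4.tcp_window_scaling=1

# 0 (kernel default) = do not assume a peer that sent no window-scaling option treats the window
# as a signed value; the workaround halves the usable window and is only for broken stacks.
net.ipv4.tcp_workaround_signed_windows=0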

# Yama ptrace restriction. 3 = no process may be ptraced at all, and the value cannot be lowered
# again until reboot. Debuggers (gdb, strace), crash handlers and some sandboxes stop working;
# use 1 (descendants only) if those are needed.
kernel.yama.ptrace_scope=3

# Restrict following symlinks and creating hardlinks in world-writable sticky directories such as
# /tmp (mitigates link-based race attacks), and restrict O_CREAT opens of FIFOs and regular files
# there that are owned by someone else (1 = world-writable sticky dirs; 2 would add group-writable).
fs.protected_hardlinks=1
fs.protected_symlinks=1
fs.protected_fifos=1
fs.protected_regular=1

# Disable the ftrace function tracer (reduces the kernel debugging surface; tracing tools that
# rely on it will not work).
kernel.ftrace_enabled=0

# 0 = do not expand nexthop objects into legacy per-route attributes in netlink route dumps.
# Only affects userspace tools that do not understand nexthop objects; the author cites performance.
net.ipv4.nexthop_compat_mode=0

# Disable BPF for unprivileged users to close speculative side-channel (Spectre-style) avenues.
# 1 = disabled and cannot be re-enabled until reboot (2 would allow switching back at runtime).
kernel.unprivileged_bpf_disabled=1

# Harden the BPF JIT. bpf_jit_harden=2 applies constant blinding for all users (privileged too),
# which defeats JIT spraying; bpf_jit_kallsyms=0 keeps JIT image addresses out of /proc/kallsyms.
# Both only matter while the JIT is enabled; bpf_jit_enable=0 would turn it off (interpreter only).
#net.core.bpf_jit_enable=0
net.core.bpf_jit_harden=2
net.core.bpf_jit_kallsyms=0

# Unprivileged user namespaces, needed by Exodus Wallet, Brave & Skype (uncomment if you use them).
# NOTE(review): kernel.unprivileged_userns_clone is not an upstream key; it exists on kernels that
# carry the patch (e.g. Debian/Ubuntu, linux-hardened). Elsewhere sysctl reports it as unknown; the
# upstream, count-based control is user.max_user_namespaces.
#kernel.unprivileged_userns_clone=1

# Restrict dmesg to CAP_SYSLOG so unprivileged users cannot harvest kernel addresses and driver
# details that help exploit kernel bugs.
kernel.dmesg_restrict=1

# Hide kernel pointers (%pK) in /proc/kallsyms and similar files.
# 1 = hidden unless the reader has CAP_SYSLOG; 2 would hide them from everyone, including root.
kernel.kptr_restrict=1

# Disable the NMI hard-lockup watchdog to save power (also frees a perf counter). A hung CPU
# will no longer be detected and reported.
kernel.nmi_watchdog=0

# System-wide maximum number of open file handles.
fs.file-max=395955

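# Virtual-memory tuning: swap less and keep caches longer for desktop performance.
# Uncomment vm.laptop_mode on mobile devices to batch disk writes and save power & battery.
#vm.laptop_mode=5
vm.swappiness=10
# Percent of RAM that may hold dirty pages before writers block (dirty_ratio) and before
# background writeback starts (dirty_background_ratio).
vm.dirty_ratio=10
vm.dirty_background_ratio=5
# Periodic writeback interval in centiseconds (6000 = 60 s). Fewer disk wake-ups, but up to a
# minute of written data can be lost on a crash or power loss.
vm.dirty_writeback_centisecs=6000
# Low value = keep dentry/inode caches in preference to reclaiming them.
vm.vfs_cache_pressure=10
# Memory kept free for atomic/kernel allocations, in KiB.
vm.min_free_kbytes=65536

# On out-of-memory, kill the task that triggered the allocation instead of scanning for the
# "worst" process (faster, but the killed task may not be the real memory hog).
vm.oom_kill_allocating_task=1

# Full address-space layout randomization (ASLR): 2 randomizes stack, mmap base, VDSO and brk.
# (This is ASLR, not the old RHEL "ExecShield" feature the original comment named.)
kernel.randomize_va_space=2
# kernel.random.poolsize is read-only: it reports the entropy pool size in bits (fixed at 256
# since Linux 5.18), so writing it only makes sysctl --system fail on this line. Left disabled.
#kernel.random.poolsize=4096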

# Do not send IGMP membership reports for link-local multicast groups (224.0.0.0/24).
net.ipv4.igmp_link_local_mcast_reports=0

# Disable the IPsec transform (xfrm) lookup and policy (SPD) checks on all interfaces.
# NOTE(review): this breaks kernel IPsec (strongSwan, Libreswan); WireGuard and OpenVPN do not use
# xfrm and are unaffected. Remove this group on hosts that terminate IPsec tunnels.
net.ipv4.conf.default.disable_xfrm=1
net.ipv4.conf.all.disable_xfrm=1
net.ipv4.conf.default.disable_policy=1
net.ipv4.conf.all.disable_policy=1
net.ipv6.conf.default.disable_policy=1
net.ipv6.conf.all.disable_policy=1

# Prevent "ARP flux" on multi-homed hosts: arp_ignore=1 answers only for addresses configured on
# the receiving interface; arp_announce=2 always uses the best local source address in requests.
net.ipv4.conf.default.arp_ignore=1
net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.all.arp_announce=2
net.ipv4.conf.default.arp_announce=2

# Disable proxy ARP (and its private-VLAN variant); this host must not answer ARP for others.
net.ipv4.conf.default.proxy_arp=0
net.ipv4.conf.default.proxy_arp_pvlan=0
net.ipv4.conf.all.proxy_arp=0
net.ipv4.conf.all.proxy_arp_pvlan=0

# Drop gratuitous ARP frames to limit ARP-cache poisoning from the local segment.
# NOTE(review): legitimate failover announcements (VRRP/keepalived, live-migrated VMs) also use
# gratuitous ARP, so stale neighbor entries may persist until they time out.
net.ipv4.conf.default.drop_gratuitous_arp=1
net.ipv4.conf.all.drop_gratuitous_arp=1

# Path MTU Discovery (PMTUD) hardening. net.ipv4.ip_no_pmtu_disc modes:
#   0 = normal PMTUD (kernel default).
#   1 = disabled: on a fragmentation-required ICMP the PMTU for that destination is set to
#       min_pmtu; raise min_pmtu to the smallest interface MTU on the system manually if you
#       want to avoid locally generated fragments.
#   2 = incoming Path MTU Discovery messages are discarded; outgoing frames are handled as in
#       mode 1, implicitly setting IP_PMTUDISC_DONT on every created socket.
#   3 = hardened mode: fragmentation-needed errors are accepted only when the transport protocol
#       can verify them beyond a plain socket lookup (currently TCP, SCTP and DCCP, which check
#       e.g. the sequence number or association). Not intended to be enabled globally; meant for
#       e.g. name servers in namespaces where TCP PMTU must keep working but PMTU information of
#       other protocols should be discarded. Enabled globally it could break other protocols.
# NOTE(review): with mode 2 plus tcp_mtu_probing=0 the host never learns a smaller path MTU, so
# traffic through tunnels or PPPoE links may stall unless an MSS clamp exists on the path; watch
# for large transfers hanging after enabling this.
net.ipv4.ip_no_pmtu_disc=2
# 0 (kernel default) = ignore learned path MTUs when forwarding, since forwarded PMTU data can be
# forged; always use the outgoing interface MTU.
net.ipv4.ip_forward_use_pmtu=0
# Disable TCP packetization-layer PMTUD (MTU probing / black-hole recovery).
net.ipv4.tcp_mtu_probing=0

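# SYN-flood protection. SYN cookies are only emitted once the SYN backlog overflows, so they do
# not affect normal connections; with syncookies=0 a backlog overflow simply drops new SYNs and a
# modest flood takes the listener offline. 1 is the kernel default and what hardening baselines
# expect. A cookie is a keyed hash of the connection tuple, so it cannot be spoofed without the
# kernel's secret; the original "can be spoofed" rationale for 0 does not hold.
# Note that net.ipv4.tcp_timestamps=0 elsewhere in this file stops cookies from carrying the
# window-scaling and SACK options, so connections accepted under attack run with reduced options.
net.ipv4.tcp_syncookies=1
# Cap on remembered half-open (SYN_RECV) connection requests.
net.ipv4.tcp_max_syn_backlog=2048
# Fewer SYN-ACK / SYN retransmissions so half-open state is freed sooner.
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_syn_retries=3

# Disable IPv4 packet forwarding (enable only on a router/firewall/NAT gateway).
net.ipv4.ip_forward=0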

# Ignore source-routed packets (source routing lets a sender dictate the path through the host).
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0

# Reverse-path filtering against IP spoofing. 1 = strict (RFC 3704): drop packets whose source
# is not reachable via the interface they arrived on. Breaks asymmetric routing on multi-homed
# hosts; use 2 (loose) there.
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

# Do not accept ICMP redirects (including "secure" ones from the default gateway) and never send
# them: this host is not a router, and an accepted redirect rewrites its routing table.
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.send_redirects=0

# Do not fall back to slow start after a connection has been idle; the congestion window is kept
# for bursty long-lived connections.
net.ipv4.tcp_slow_start_after_idle=0

# Seconds a socket stays in FIN-WAIT-2 before the kernel reclaims it (default 60).
net.ipv4.tcp_fin_timeout=15

# TCP Fast Open (RFC 7413). 0 disables TFO for both client and server roles, so every connection
# completes the full three-way handshake before data is accepted.
net.ipv4.tcp_fastopen=0

# Selective acknowledgement. The original disables SACK/DSACK over the 2019 "SACK panic" kernel
# bugs; those are fixed in any maintained kernel, and without SACK loss recovery on lossy links
# degrades noticeably. Consider restoring tcp_sack=1 and tcp_dsack=1 on patched systems.
# tcp_fack is a legacy option with no effect on current kernels (since roughly Linux 4.15).
net.ipv4.tcp_fack=0
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=0

# Disable TCP timestamps (RFC 7323). They let a remote peer estimate uptime/boot time and
# fingerprint the host clock, but they also provide PAWS (sequence wrap-around protection) and
# RTT measurement, and SYN cookies need them to carry window-scaling/SACK options. Trade-off.
net.ipv4.tcp_timestamps=0

# Ignore ICMP echo requests (ping) on IPv4 and IPv6. Reduces host discovery, but ping-based
# monitoring and reachability checks against this host stop working.
net.ipv4.icmp_echo_ignore_all=1
net.ipv6.icmp.echo_ignore_all=1

# Minimum interval, in milliseconds, between ICMP packets of the types selected by icmp_ratemask.
net.ipv4.icmp_ratelimit=1
net.ipv6.icmp.ratelimit=1

# Bitmask of IPv4 ICMP types subject to icmp_ratelimit. 88089 = the kernel default 6168
# (dest-unreachable, source-quench, time-exceeded, parameter-problem) plus echo-reply (bit 0),
# timestamp-reply (bit 14) and info-reply (bit 16).
net.ipv4.icmp_ratemask=88089

# Ignore echo requests sent to broadcast/multicast addresses (Smurf amplification).
net.ipv4.icmp_echo_ignore_broadcasts=1

# Do not log bogus ICMP error responses from misbehaving routers (avoids log flooding).
net.ipv4.icmp_ignore_bogus_error_responses=1

# Drop unicast IP packets that arrived in a layer-2 multicast frame, and stop answering IPv6
# echo requests addressed to anycast or multicast addresses.
net.ipv4.conf.default.drop_unicast_in_l2_multicast=1
net.ipv4.conf.all.drop_unicast_in_l2_multicast=1
net.ipv6.icmp.echo_ignore_anycast=1
net.ipv6.icmp.echo_ignore_multicast=1
net.ipv6.conf.default.drop_unicast_in_l2_multicast=1
net.ipv6.conf.all.drop_unicast_in_l2_multicast=1

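# Disable IPv6 on all interfaces (the author's choice, citing privacy and security; IPv6-only
# destinations become unreachable). NOTE(review): while disable_ipv6=1 the remaining net.ipv6.*
# settings in this group have no visible effect; they are the hardened baseline that applies if
# IPv6 is ever re-enabled.
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.all.disable_ipv6=1

# IPv6 privacy extensions (RFC 4941): 2 = prefer temporary addresses for outgoing connections.
# Temporary addresses are derived from SLAAC prefixes, so with autoconf=0 and accept_ra_pinfo=0
# below none will actually be generated.
net.ipv6.conf.default.use_tempaddr=2
net.ipv6.conf.all.use_tempaddr=2

# Drop unsolicited Neighbor Advertisements (neighbor-cache poisoning from the local link).
net.ipv6.conf.default.drop_unsolicited_na=1
net.ipv6.conf.all.drop_unsolicited_na=1

# Number of Router Solicitations sent at interface bring-up; 0 = never solicit.
net.ipv6.conf.default.router_solicitations=0
net.ipv6.conf.all.router_solicitations=0

# Ignore the router-preference field in Router Advertisements.
net.ipv6.conf.default.accept_ra_rtr_pref=0
net.ipv6.conf.all.accept_ra_rtr_pref=0

# Ignore prefix-information options in Router Advertisements (no SLAAC prefixes learned).
net.ipv6.conf.default.accept_ra_pinfo=0
net.ipv6.conf.all.accept_ra_pinfo=0

# Do not install a default route from Router Advertisements (whether RAs are processed at all is
# still governed by accept_ra).
net.ipv6.conf.default.accept_ra_defrtr=0
net.ipv6.conf.all.accept_ra_defrtr=0

# Disable stateless address autoconfiguration (no global unicast address from RA prefixes).
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.all.autoconf=0

# Disable Duplicate Address Detection. Saves a few neighbor solicitations at bring-up, but a
# duplicate address on the link will no longer be detected.
net.ipv6.conf.default.accept_dad=0
net.ipv6.conf.all.accept_dad=0
net.ipv6.conf.default.dad_transmits=0
net.ipv6.conf.all.dad_transmits=0
net.ipv6.conf.default.enhanced_dad=0
net.ipv6.conf.all.enhanced_dad=0

# Maximum number of autoconfigured addresses per interface.
net.ipv6.conf.default.max_addresses=1
net.ipv6.conf.all.max_addresses=1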

# Ephemeral (local) port range for outgoing connections.
net.ipv4.ip_local_port_range=10000 65535

# RFC 1337: drop RSTs arriving in TIME-WAIT so the socket cannot be assassinated early.
net.ipv4.tcp_rfc1337=1

# Very high global challenge-ACK budget so an off-path attacker cannot use the shared counter as a
# side channel to infer in-window sequence numbers. Kernels since 4.7 randomize the limit and newer
# ones changed the mechanism again, so this is largely redundant but harmless there.
net.ipv4.tcp_challenge_ack_limit=999999999

# Keepalive: start probing after 60 s idle, 10 probes 6 s apart, so dead peers are detected in
# about two minutes (the kernel default is over two hours).
net.ipv4.tcp_keepalive_time=60
net.ipv4.tcp_keepalive_probes=10
net.ipv4.tcp_keepalive_intvl=6

# Allow more TIME-WAIT sockets before the kernel starts destroying them (flood resilience), and
# reuse TIME-WAIT sockets for new outgoing connections when timestamps prove it safe.
# NOTE(review): tw_reuse depends on TCP timestamps, which this file disables, so it is inert here.
net.ipv4.tcp_max_tw_buckets=2000000
net.ipv4.tcp_tw_reuse=1

# Forward RTO recovery for wireless links (uncomment on Wi-Fi).
# NOTE(review): tcp_frto_response was removed from the kernel long ago (3.x); only tcp_frto exists.
#net.ipv4.tcp_frto=2
#net.ipv4.tcp_frto_response=2

# Legacy option: tcp_low_latency has had no effect since Linux 4.14; harmless on older kernels.
net.ipv4.tcp_low_latency=1

# Do not save per-destination metrics (ssthresh, RTT) from closed connections, so every new
# connection starts fresh; keep receive-buffer autotuning on.
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_moderate_rcvbuf=1

# Maximum accept-queue length a listener may request via listen().
net.core.somaxconn=8192

# Packets queued per CPU when the NIC receives faster than the kernel can process them.
net.core.netdev_max_backlog=16384

# Maximum ancillary (option) buffer per socket, in bytes.
net.core.optmem_max=65536

# Socket buffer sizing. rmem/wmem *_default and *_max are bytes per socket; tcp_rmem/tcp_wmem are
# min/default/max in bytes and bound autotuning. NOTE(review): tcp_rmem max is 2 MiB, far below
# rmem_max, so receive autotuning stops at 2 MiB (roughly 170 Mbit/s at 100 ms RTT).
# tcp_mem/udp_mem are low/pressure/high totals in PAGES (4 KiB each), not bytes.
net.core.rmem_default=1048576
net.core.rmem_max=16777216
net.core.wmem_default=1048576
net.core.wmem_max=16777216
net.ipv4.udp_rmem_min=8192
net.ipv4.udp_wmem_min=8192
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.tcp_rmem=4096 1048576 2097152
net.ipv4.tcp_mem=4096 65536 1048576
net.ipv4.udp_mem=4096 65536 1048576
