
sysctl-tunner-update.sh

#!/bin/bash
##############################################################################
# sysctl is an interface that allows you to make changes to a running Linux kernel.
# With /etc/sysctl.conf you can configure various Linux networking and system settings such as:
##############################################################################
## 1. Limit network-transmitted configuration for IPv4
## 2. Limit network-transmitted configuration for IPv6
## 3. Turn on execshield protection
## 4. Prevent against the common 'syn flood attack'
## 5. Turn on source IP address verification
## 6. Prevents a cracker from using a spoofing attack against the IP address of the server.
## 7. Logs several types of suspicious packets, such as spoofed packets, source-routed packets & redirects.
##############################################################################
# The sysctl command is used to modify kernel parameters at runtime. /etc/sysctl.conf is a text file containing sysctl values to be read in and set by sysctl at boot time.

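#######################################
# Append "key=value" to the sysctl configuration file unless the key is
# already configured there (only active, non-comment lines count).
# Arguments:
#   $1 - sysctl key, e.g. net.ipv4.ip_forward
#   $2 - value to record for the key
#   $3 - (optional) path of the configuration file; defaults to
#        /etc/sysctl.conf so existing callers are unaffected
# Outputs:
#   A one-line notice on stdout when an entry is appended.
# Returns:
#   0 when the key was already present or was appended; the status of the
#   failed write otherwise.
#######################################
sysctlw() {
  local key=$1 value=$2
  local conf=${3:-/etc/sysctl.conf}
  local line lhs

  # Compare the key itself rather than running an unanchored 'grep -c $1':
  # the old form treated '.' as a regex wildcard, matched substrings
  # (net.ipv4.tcp_retries1 vs tcp_retries10) and was satisfied by a
  # commented-out default such as "#net.ipv4.ip_forward = 1".
  if [[ -r "$conf" ]]; then
    while IFS= read -r line || [[ -n "$line" ]]; do
      line=${line%%[#;]*}            # sysctl.conf accepts '#' and ';' comments
      [[ "$line" == *=* ]] || continue
      lhs=${line%%=*}
      lhs=${lhs//[[:space:]]/}
      [[ "$lhs" == "$key" ]] && return 0
    done < "$conf"
  fi

  # Straight quotes on purpose: the published copy carried typographic quotes
  # that ended up verbatim in the file and made 'sysctl -p' reject the entry.
  printf '%s=%s\n' "$key" "$value" >> "$conf" || return
  printf "Added sysctl preference '%s'='%s'\n" "$key" "$value"
}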

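# Everything below writes under /etc and drives sysctl/service, so stop here
# instead of leaving a half-applied configuration when not running as root.
if [[ "${EUID:-$(id -u)}" -ne 0 ]]; then
  printf 'This script must be run as root.\n' >&2
  exit 1
fi

echo "Tuning network stack.."

# Controls IP packet forwarding
sysctlw "net.ipv4.ip_forward"                        "0"
sysctlw "net.ipv4.conf.default.rp_filter"            "1"

# Controls the System Request debugging functionality of the kernel
sysctlw "kernel.sysrq"                               "0"
sysctlw "kernel.core_uses_pid"                       "0"
sysctlw "net.ipv4.ipfrag_time"                       "30"
sysctlw "net.core.rmem_default"                      "262141"
sysctlw "net.core.rmem_max"                          "12582912"
sysctlw "net.ipv4.tcp_rmem"                          "10240 87380 12582912"
sysctlw "net.core.wmem_default"                      "262141"
sysctlw "net.core.wmem_max"                          "12582912"
sysctlw "net.ipv4.tcp_wmem"                          "10240 87380 12582912"
sysctlw "net.ipv4.tcp_mem"                           "195584 196096 196608"
sysctlw "net.core.optmem_max"                        "20480"
sysctlw "net.ipv4.tcp_max_tw_buckets"                "360000"
# NOTE(review): net.core.hot_list_length is not present on current kernels;
# 'sysctl -p' reports it as an unknown key (harmless with -e, see below).
sysctlw "net.core.hot_list_length"                   "256"

# Set maximum number of packets queued on the INPUT side when the interface
# receives packets faster than the kernel can process them
sysctlw "net.core.netdev_max_backlog"                "262144"
sysctlw "net.core.somaxconn"                         "262144"
sysctlw "net.ipv4.tcp_reordering"                    "3"

# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
sysctlw "net.ipv4.icmp_echo_ignore_broadcasts"       "1"
sysctlw "net.ipv4.icmp_ignore_bogus_error_responses" "1"

# Fewer SYN-ACK / SYN retransmissions so half-open connections age out sooner
sysctlw "net.ipv4.tcp_synack_retries"                "2"
sysctlw "net.ipv4.tcp_syn_retries"                   "3"

# Prevent against the common 'syn flood attack'
sysctlw "net.ipv4.tcp_syncookies"                    "1"

# Enable timestamps as defined in RFC1323
sysctlw "net.ipv4.tcp_timestamps"                    "1"

# Enable select acknowledgments
sysctlw "net.ipv4.tcp_sack"                          "1"

# By default, TCP saves various connection metrics in the route cache when the
# connection closes, so that connections established in the near future can
# use these to set initial conditions. Usually this increases overall
# performance, but may sometimes cause performance degradation.
# If set, TCP will not cache metrics on closing connections.
sysctlw "net.ipv4.tcp_no_metrics_save"               "1"

# Turn on window scaling which can be an option to enlarge the transfer window
sysctlw "net.ipv4.tcp_window_scaling"                "1"
sysctlw "net.ipv4.tcp_keepalive_time"                "1200"
sysctlw "net.ipv4.tcp_fin_timeout"                   "15"
# NOTE(review): tcp_tw_recycle drops connections from clients behind NAT or
# load balancers and was removed in Linux 4.12 (unknown key there). Leave it
# out on modern hosts.
sysctlw "net.ipv4.tcp_tw_recycle"                    "1"
sysctlw "net.ipv4.conf.default.log_martians"         "1"

# Log packets with impossible addresses to kernel log? yes
sysctlw "net.ipv4.conf.all.log_martians"             "1"
sysctlw "net.ipv4.conf.default.accept_redirects"     "0"

# Accept Redirects? No, this is not a router
sysctlw "net.ipv4.conf.all.accept_redirects"         "0"
sysctlw "net.ipv4.conf.all.secure_redirects"         "0"
sysctlw "net.ipv4.conf.default.accept_source_route"  "0"

# Accept packets with SRR option? No
sysctlw "net.ipv4.conf.all.accept_source_route"      "0"

# Enable source validation by reversed path, as specified in RFC1812
sysctlw "net.ipv4.conf.all.rp_filter"                "1"

# net.ipv4.conf.default.rp_filter and .default.accept_source_route were listed
# a second time here; sysctlw skips keys already present, so the repeats were
# no-ops and have been dropped.

# Send redirects, if router, but this is just a server
sysctlw "net.ipv4.conf.default.send_redirects"       "0"
sysctlw "net.ipv4.conf.default.mc_forwarding"        "0"
sysctlw "net.ipv4.conf.default.forwarding"           "0"
sysctlw "net.ipv4.conf.all.bootp_relay"              "0"
sysctlw "net.ipv4.conf.all.proxy_arp"                "0"

# arp neighbour cache sizing
sysctlw "net.ipv4.neigh.default.gc_thresh3"          "2048"
sysctlw "net.ipv4.neigh.default.gc_thresh2"          "1024"
sysctlw "net.ipv4.neigh.default.gc_thresh1"          "32"
sysctlw "net.ipv4.neigh.default.gc_interval"         "30"
sysctlw "net.ipv4.neigh.default.proxy_qlen"          "96"
sysctlw "net.ipv4.neigh.default.unres_qlen"          "6"

# tcp options
sysctlw "net.ipv4.tcp_dsack"                         "0"
sysctlw "net.ipv4.tcp_fack"                          "0"
sysctlw "net.ipv4.tcp_ecn"                           "0"
sysctlw "net.ipv4.tcp_max_syn_backlog"               "2048"
sysctlw "net.ipv4.tcp_retries2"                      "15"
sysctlw "net.ipv4.tcp_retries1"                      "3"
sysctlw "net.ipv4.tcp_rfc1337"                       "1"
# Conntrack keys exist only while the conntrack module is loaded;
# net.ipv4.netfilter.ip_conntrack_max is the legacy spelling of
# net.nf_conntrack_max.
sysctlw "net.ipv4.netfilter.ip_conntrack_max"        "1048576"
sysctlw "net.nf_conntrack_max"                       "1048576"
sysctlw "sunrpc.tcp_slot_table_entries"              "32"
sysctlw "sunrpc.udp_slot_table_entries"              "32"
sysctlw "net.unix.max_dgram_qlen"                    "50"
# A second net.core.netdev_max_backlog "5000" sat here; it could never take
# effect because sysctlw keeps the first entry (262144 above), so it is gone.
sysctlw "net.core.dev_weight"                        "64"

# Enable ExecShield protection
# NOTE(review): kernel.exec-shield exists only on Red Hat kernels carrying the
# ExecShield patch; elsewhere 'sysctl -p' reports an unknown key.
sysctlw "kernel.exec-shield"                         "1"
# 2 = full ASLR (stack, mmap, VDSO and brk). The published value of 1 leaves
# brk unrandomized and is weaker than the kernel default, so a hardening
# script should not lower it.
sysctlw "kernel.randomize_va_space"                  "2"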

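echo "Optimizing filesystem…"

# System-wide open file descriptor ceiling
sysctlw "fs.file-max"                                "209708"
# Ignore Ctrl-Alt-Del at the console (0 = send SIGINT to init, not reboot)
sysctlw "kernel.ctrl-alt-del"                        "0"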

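echo "Optimizing kernel…"

# console_loglevel default_message_loglevel minimum_console_loglevel default_console_loglevel
sysctlw "kernel.printk"                              "4 4 1 7"
# NOTE(review): kernel.maps_protect was removed from mainline long ago
# (2.6.x era) and is an unknown key on current kernels.
sysctlw "kernel.maps_protect"                        "1"
# Keep the lowest 64 KiB of address space unmappable by user processes
sysctlw "vm.mmap_min_addr"                           "65536"
sysctlw "vm.page-cluster"                            "6"
# 64 MiB single shared-memory segment ceiling; database workloads usually
# need this raised.
sysctlw "kernel.shmmax"                              "67108864"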

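echo "Setting up host.conf…"

# Keep a one-time backup of the original file: a re-run must not overwrite the
# pristine copy with the generated version written below.
if [[ -e /etc/host.conf && ! -e /etc/host.conf.bak ]]; then
  cp -p -- /etc/host.conf /etc/host.conf.bak
fi

# Quoted delimiter: the content is literal, nothing to expand.
# NOTE(review): check 'man host.conf' for the installed glibc; support for
# the spoof-checking options has varied between versions.
cat <<'HOSTCONF' >/etc/host.conf
order bind,hosts
multi on
nospoof on
HOSTCONF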

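# Apply the file in the foreground so failures are visible and the route
# flush below runs after the settings are in place (the published version
# backgrounded sysctl -p and threw away its output, hiding every rejected key).
# -e makes sysctl skip keys this kernel does not know — several entries above
# are distribution- or version-specific — rather than stop on them.
if ! /sbin/sysctl -e -p >/dev/null; then
  printf 'warning: some sysctl settings could not be applied\n' >&2
fi
/sbin/sysctl -w net.ipv4.route.flush=1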

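echo "Disabling unneeded services…"

# NOTE(review): this list switches off auditd (the kernel audit trail),
# ip6tables (IPv6 packet filtering) and the SELinux helpers mcstrans and
# setroubleshoot. On a hardening pass those are normally kept; review the list
# against the host's role before running.
services=(
  acpid anacron auditd autofs avahi-daemon bluetooth cpuspeed
  gpm ip6tables irqbalance mcstrans netfs nfslock pcscd
  portmap rpcgssd rpcidmapd setroubleshoot xfs
)
for svc in "${services[@]}"; do
  # Best effort: a service that is not installed is not an error here.
  service "$svc" stop &>/dev/null
  # '--level 3' only affects runlevel 3; the service stays enabled in other
  # runlevels (e.g. 5). Drop the option to disable it everywhere.
  chkconfig --level 3 "$svc" off &>/dev/null
done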
