os-sysctl.plugin.bash
Installs sysctl kernel-parameter configuration: a set of hardening profiles dropped into /etc/sysctl.d/ and applied at install time.
group:prenet | runtype:none | deps: - | port: -
Usage
os-sysctl help|install|uninstall|download|disable|configgen|configapply|check|run
$ os-sysctl install - install sysctl kernel parameter management
$ os-sysctl uninstall - uninstall sysctl configurations
$ os-sysctl download - download sysctl configuration files to pkg dir
$ os-sysctl disable - disable sysctl plugin
$ os-sysctl configgen - generate sysctl configuration files
$ os-sysctl configapply - apply sysctl configuration files
$ os-sysctl check - check sysctl plugin status
$ os-sysctl run - run sysctl parameter configuration
$ os-sysctl help - show this help message
Description
Sysctl manages kernel runtime parameters for system optimization and security hardening.
Jangbi Configs
/opt/jangbi/.config
RUN_OS_SYSCTL=1 # enable sysctl parameter management
Check if running
bash command
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
$ ls -la /etc/sysctl.d/
-rw-r--r-- 1 root root 99-jangbi.conf
Note: the profiles listed below set net.ipv4.ip_forward=0 and are written as 98-*-sysctl.conf and 99-disable-*.conf, so a value of 1 (or a lone 99-jangbi.conf) means a different plugin or plugin version wrote the settings — confirm that forwarding was re-enabled on purpose. A more direct check that this plugin's hardening values are in effect, and a list of keys the running kernel rejected (distro- or version-specific ones), is:
$ sysctl kernel.kptr_restrict kernel.yama.ptrace_scope fs.protected_hardlinks   # expect 2, 2 and 1
$ sysctl --system 2>&1 | grep -Ei 'no such file|invalid argument'   # re-applies the files; prints keys the kernel does not have
Current Configuration
The current configuration is stored in /etc/sysctl.d/. It is generated by the `os-sysctl configgen` command on install. The files are applied in lexical order (both `sysctl --system` and systemd-sysctl do this), so the 98-* profiles below take effect in the order 98-2dure, 98-imthenachoman, 98-mikehoen, followed by the 99-* files; where two files set the same key, the later file wins (e.g. vm.swappiness, kernel.pid_max and net.ipv4.ip_local_port_range are set more than once below).
You can edit the files manually; to keep such edits, do not run `install` or `configapply` again, since those regenerate the files.
/etc/sysctl.d/99-disable-maxusernamespaces.conf
# A limit of 0 refuses every new user namespace, even for root. This removes
# the unprivileged user-namespace attack surface (see the bubblewrap advisory
# cited in 98-2dure-sysctl.conf, which sets the same key) but also breaks
# rootless containers, flatpak/bubblewrap sandboxes and systemd PrivateUsers=
# services — confirm nothing on the host relies on them before applying.
user.max_user_namespaces = 0
/etc/sysctl.d/99-disable-ipv6.conf
# Turn IPv6 off on every interface that already exists ("all") and on any
# interface created later ("default"). 98-mikehoen-sysctl.conf only sets the
# "default" key, so this file is what actually removes IPv6 from interfaces
# that are already up. Side effects: ::1 is removed from lo, so daemons that
# bind or connect to ::1 fail (check with `ss -ltn`), and the IPv6 hardening
# keys in the 98-* files become moot. If the ipv6 module is not loaded when
# sysctl runs, these keys do not exist yet and sysctl logs an error and skips them.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
/etc/sysctl.d/99-disable-coredump.conf
# Never write core dumps for set-uid/set-gid or otherwise privileged
# processes, so a crash cannot hand privileged memory to the invoking user.
# Also set by both 98-*-sysctl.conf profiles with the same value.
fs.suid_dumpable=0
# Pipe every core dump into /bin/false, i.e. discard it. Because 99-* sorts
# after systemd's 50-coredump.conf (normally under /usr/lib/sysctl.d), this
# also overrides systemd-coredump's core_pattern. 98-2dure-sysctl.conf sets
# the same value, so the duplication is harmless.
kernel.core_pattern=|/bin/false
/etc/sysctl.d/98-mikehoen-sysctl.conf
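#################################################################################
#MIT License #
# #
#Copyright (c) 2023-2024 MikeHorn-git #
# #
#Permission is hereby granted, free of charge, to any person obtaining a copy #
#of this software and associated documentation files (the "Software"), to deal #
#in the Software without restriction, including without limitation the rights #
#to use, copy, modify, merge, publish, distribute, sublicense, and/or sell #
#copies of the Software, and to permit persons to whom the Software is #
#furnished to do so, subject to the following conditions: #
# #
#The above copyright notice and this permission notice shall be included in all #
#copies or substantial portions of the Software. #
# #
#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR #
#IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #
#FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE #
#AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER #
#LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, #
#OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE #
#SOFTWARE. #
#################################################################################
# https://github.com/MikeHorn-git/Kernel-Hardening/blob/main/conf/sysctl.conf
#
# Applied by `sysctl --system` in lexical order: this file sorts after
# 98-2dure-sysctl.conf and 98-imthenachoman-sysctl.conf, so on overlapping keys
# (kernel.pid_max, kernel.printk, net.ipv4.ip_local_port_range, ...) the values
# below win; the 99-*.conf files are applied after it. Keys the running kernel
# does not have (distro- or version-specific ones are marked below) make sysctl
# log "No such file or directory" and continue with the next line.
### Kernel ###
# Do not auto-load line-discipline modules on TIOCSETD; without CAP_SYS_MODULE
# only already-loaded disciplines can be selected.
dev.tty.ldisc_autoload=0
# Reading the kernel ring buffer requires CAP_SYSLOG.
kernel.dmesg_restrict=1
# One-way switch: kexec_load() stays disabled until reboot. A kdump/kexec
# kernel has to be loaded before this is applied, or cannot be used at all.
kernel.kexec_load_disabled=1
# Kernel pointers in /proc and logs are printed as zeros, even for root.
kernel.kptr_restrict=2
# Every oops becomes a panic. 98-2dure-sysctl.conf adds kernel.panic=10, so an
# oops reboots the host after 10 s — fail-closed, but it also turns any
# user-triggerable oops into a remote reboot; keep only if that trade-off is wanted.
kernel.panic_on_oops=1
# Throttle perf sampling to the minimum; unprivileged perf is off anyway (below).
kernel.perf_cpu_time_max_percent=1
kernel.perf_event_max_sample_rate=1
# 3 = no perf_event_open() for unprivileged users at all. Level 3 is a
# Debian/Ubuntu-carried patch; mainline documents only 0..2 (the write still succeeds).
kernel.perf_event_paranoid=3
# Overrides the 65535 from 98-imthenachoman-sysctl.conf (this file sorts later).
kernel.pid_max=65536
# A single value sets console_loglevel only (kernel.printk's first field):
# nothing below KERN_ERR reaches the console.
kernel.printk=3
# Full ASLR (stack, mmap, VDSO and brk).
kernel.randomize_va_space=2
# Magic SysRq fully disabled.
kernel.sysrq=0
# 1 is irrevocable until reboot (newer kernels also accept 2, which can be undone).
kernel.unprivileged_bpf_disabled=1
# Debian/Ubuntu-only key (logged error elsewhere); user.max_user_namespaces=0
# in 99-disable-maxusernamespaces.conf achieves the same on any kernel.
kernel.unprivileged_userns_clone=0
# Only processes with CAP_SYS_PTRACE may attach: gdb/strace/ltrace stop working
# for ordinary users. 3 would additionally make the setting irrevocable.
kernel.yama.ptrace_scope=2
# Maximum mmap ASLR entropy on x86-64. The allowed maximum is per-architecture;
# where 32 is above it (32-bit ARM/x86, some arm64 page-size configs) the write
# is rejected — verify with `sysctl vm.mmap_rnd_bits` after applying.
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
# userfaultfd() only for privileged users (closes a common race-widening primitive).
vm.unprivileged_userfaultfd=0
### Network ###
# Constant-blind the BPF JIT for all users, including privileged ones.
net.core.bpf_jit_harden=2
# Drop packets arriving from the network with a local source address.
net.ipv4.conf.all.accept_local=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
# Answer ARP only on the interface that owns the queried address, and only when
# the requester is in that interface's subnet (multi-homed hardening).
net.ipv4.conf.all.arp_filter=1
net.ipv4.conf.all.arp_ignore=2
# Ignore gratuitous ARP. Breaks failover that relies on GARP (VRRP/keepalived
# floating IPs): a moved address stays stale here until the ARP entry ages out.
net.ipv4.conf.all.drop_gratuitous_arp=1
# No routing. If this host is meant to forward (the plugin's "Check if running"
# example shows ip_forward = 1) a later file or plugin must turn it back on.
net.ipv4.conf.all.forwarding=0
# Log packets with impossible source addresses (the kernel rate-limits these).
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.route_localnet=0
# Strict reverse-path filtering: drops traffic on multi-homed hosts with
# asymmetric routes; 2 (loose) is the usual relaxation if that bites.
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.shared_media=0
# Same policy for interfaces created after this file is applied.
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.default.shared_media=0
# Host does not answer ICMP echo at all: ping-based monitoring will report it down.
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.ip_forward=0
# Overrides the 2000-65000 range from 98-imthenachoman-sysctl.conf.
net.ipv4.ip_local_port_range=32768 65535
# SACK/D-SACK/FACK off: a smaller TCP attack surface (cf. the 2019 SACK-panic
# bugs, long since patched) paid for with real throughput loss on lossy links.
net.ipv4.tcp_dsack=0
net.ipv4.tcp_fack=0
# Ignore RST while in TIME-WAIT (TIME-WAIT assassination, RFC 1337).
net.ipv4.tcp_rfc1337=1
net.ipv4.tcp_sack=0
net.ipv4.tcp_syncookies=1
# Only "default" here; 99-disable-ipv6.conf also sets "all" for existing interfaces.
net.ipv6.conf.default.disable_ipv6=1
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
### File System ###
# In world- or group-writable sticky directories, refuse O_CREAT opens of
# FIFOs / regular files owned by someone else (defeats /tmp squatting).
fs.protected_fifos=2
# Was misspelled "protected_hardinks" upstream, so this key was never applied
# from this file; creating hard links to files you do not own is now refused
# here too (98-imthenachoman-sysctl.conf sets the same value).
fs.protected_hardlinks=1
fs.protected_regular=2
# Symlinks in sticky world-writable directories are followed only when the
# follower owns the link or the directory owner owns it.
fs.protected_symlinks=1
# No core dumps from set-uid/privileged processes.
fs.suid_dumpable=0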
/etc/sysctl.d/98-imthenachoman-sysctl.conf
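# Applied in lexical order: this file sorts after 98-2dure-sysctl.conf (so the
# vm.swappiness below overrides its value of 1) and before 98-mikehoen-sysctl.conf,
# which in turn overrides kernel.pid_max and net.ipv4.ip_local_port_range from here.
# Lower than the memory-derived kernel default on most hosts; raise it if the
# kernel logs "VFS: file-max limit ... reached".
fs.file-max = 65535
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.suid_dumpable = 0
kernel.core_uses_pid = 1
# Ctrl-Alt-Del is delivered to init (systemd: ctrl-alt-del.target) instead of
# rebooting immediately.
kernel.ctrl-alt-del = 0
kernel.kptr_restrict = 2
# kernel.maps_protect was removed from the kernel long ago (2.6.27 era); the
# line only produced "No such file or directory" on every apply, so it is
# disabled. /proc/<pid>/maps is protected by ptrace access checks regardless.
# kernel.maps_protect = 1
kernel.msgmax = 65535
kernel.msgmnb = 65535
# Overridden by kernel.pid_max=65536 in 98-mikehoen-sysctl.conf.
kernel.pid_max = 65535
kernel.randomize_va_space = 2
# 256 MiB SysV shared-memory limits, well below the kernel default; software
# that allocates large SysV segments may fail to start.
kernel.shmall = 268435456
kernel.shmmax = 268435456
kernel.sysrq = 0
net.core.default_qdisc = fq
net.core.dev_weight = 64
net.core.netdev_max_backlog = 16384
net.core.optmem_max = 65535
net.core.rmem_default = 262144
net.core.rmem_max = 16777216
net.core.somaxconn = 32768
net.core.wmem_default = 262144
net.core.wmem_max = 16777216
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.forwarding = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Per-interface keys: sysctl logs an error and skips them when "eth0" does not
# exist (predictable names such as enp0s3) or is not up yet at boot. They add
# nothing beyond the all.* keys above, which already enforce these values on
# every interface.
net.ipv4.conf.eth0.accept_redirects = 0 # change eth0 to your network interface
net.ipv4.conf.eth0.accept_source_route = 0 # change eth0 to your network interface
# Ineffective: log_martians is the OR of "all" and the per-interface value, and
# all.log_martians = 1 above, so martians on eth0 are still logged.
net.ipv4.conf.eth0.log_martians = 0 # change eth0 to your network interface
net.ipv4.conf.eth0.rp_filter = 1 # change eth0 to your network interface
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_forward = 0
# Overridden by 32768-65535 in 98-mikehoen-sysctl.conf.
net.ipv4.ip_local_port_range = 2000 65000
net.ipv4.ipfrag_high_thresh = 262144
net.ipv4.ipfrag_low_thresh = 196608
# Small neighbour-table thresholds: a router or a host on a large L2 segment
# can hit "neighbour table overflow"; raise gc_thresh* if that appears.
net.ipv4.neigh.default.gc_interval = 30
net.ipv4.neigh.default.gc_thresh1 = 32
net.ipv4.neigh.default.gc_thresh2 = 1024
net.ipv4.neigh.default.gc_thresh3 = 2048
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6
# Write-only trigger: flushes the routing cache so the settings above take effect.
net.ipv4.route.flush = 1
# Auto-loads tcp_htcp when the module is available; otherwise the write fails
# and the previous algorithm (usually cubic) stays in effect.
net.ipv4.tcp_congestion_control = htcp
net.ipv4.tcp_ecn = 1
# 3 = client and server TCP Fast Open permitted. Listeners still have to opt in
# per socket (TCP_FASTOPEN) before any cookie handling is exposed.
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_orphan_retries = 0
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_rmem = 8192 87380 16777216
# SACK off (same choice as 98-mikehoen-sysctl.conf): costs throughput on lossy links.
net.ipv4.tcp_sack = 0
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
# net.ipv4.tcp_tw_recycle was removed in Linux 4.12; even writing 0 fails with
# "No such file or directory", so the line is disabled (recycling is gone anyway).
# net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
# Without window scaling every TCP window is capped at 64 KiB, which makes the
# 16 MiB tcp_rmem/tcp_wmem maxima above unreachable. Kept as shipped: this is
# a throughput limit, not a security control.
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_rmem_min = 16384
net.ipv4.udp_wmem_min = 16384
# IPv6: no router advertisements, no SLAAC, no redirects, no forwarding.
# Largely moot once 99-disable-ipv6.conf turns IPv6 off, but harmless.
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.max_addresses = 1
net.ipv6.conf.default.router_solicitations = 0
# Same "eth0 may not exist" caveat as the IPv4 per-interface keys above.
net.ipv6.conf.eth0.accept_ra=0 # change eth0 to your network interface
net.ipv6.conf.eth0.autoconf = 0 # change eth0 to your network interface
net.ipv6.ip6frag_high_thresh = 262144
net.ipv6.ip6frag_low_thresh = 196608
net.ipv6.route.flush = 1
net.unix.max_dgram_qlen = 50
vm.dirty_background_ratio = 5
vm.dirty_ratio = 30
vm.min_free_kbytes = 65535
# Lowest address user space may map. This was 4096, below the 65536 that
# Debian/Ubuntu x86-64 kernels default to, i.e. a "hardening" file that
# weakened the NULL-pointer-dereference mitigation. Raised to the distro
# default; only legacy vm86 users (dosemu, 16-bit Wine) need low mappings.
vm.mmap_min_addr = 65536
vm.overcommit_memory = 0
vm.overcommit_ratio = 50
# Overrides vm.swappiness=1 from 98-2dure-sysctl.conf because this file sorts
# later; pick one value and drop the other if that is not what you intend.
vm.swappiness = 30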
/etc/sysctl.d/98-2dure-sysctl.conf
## Prevent kernel info leaks in console during boot.
## https://phabricator.whonix.org/T950
## All four fields: console, default message, minimum console, default console
## log level. 98-mikehoen-sysctl.conf later writes `kernel.printk=3`, which
## rewrites only the first field, so the net result is unchanged.
kernel.printk = 3 3 3 3
## Disable core dump
## Same value is set again in 99-disable-coredump.conf; harmless duplication.
kernel.core_pattern = |/bin/false
## Disable io_uring
## https://lore.kernel.org/lkml/[email protected]/T/
## https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
## (the lore message-id in the URL above was lost when this page was extracted)
## kernel.io_uring_disabled only exists on Linux >= 6.6; on older kernels
## sysctl logs "No such file or directory" and io_uring stays enabled.
## 2 = disabled for everyone, including root (1 would still allow CAP_SYS_ADMIN).
kernel.io_uring_disabled = 2
# Disables user namespaces
# DO NOT REMOVE
# https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj
# A limit of 0 refuses every new user namespace, even for root: rootless
# containers, flatpak/bubblewrap and systemd PrivateUsers= services stop
# working. Also set in 99-disable-maxusernamespaces.conf.
user.max_user_namespaces = 0
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap
# NOTE: overridden by vm.swappiness = 30 in 98-imthenachoman-sysctl.conf, which
# sorts after this file — the value below is never the effective one.
vm.swappiness=1
# Reboot 10 s after a panic. Together with kernel.panic_on_oops=1 from
# 98-mikehoen-sysctl.conf every oops reboots the host: fail-closed, but a
# user-triggerable oops becomes a remote reboot.
kernel.panic=10