nixos,core,sysctl: performance optimisation
This commit is contained in:
parent
714f92eb81
commit
892b910d04
1 changed files with 29 additions and 17 deletions
|
@ -1,50 +1,62 @@
|
||||||
{...}: {
|
{...}: {
|
||||||
# All sysctl-s are from https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
boot.kernelModules = ["tcp_bbr"];
|
||||||
boot.kernel.sysctl = {
|
boot.kernel.sysctl = {
|
||||||
|
### https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
||||||
# Kernel self-protection
|
# Kernel self-protection
|
||||||
"kernel.kptr_restrict" = "2"; # Kernel pointer
|
"kernel.kptr_restrict" = "2";
|
||||||
"kernel.dmesg_restrict" = "1"; # restricts dmesg
|
"kernel.dmesg_restrict" = "1";
|
||||||
"kernel.printk" = "3 3 3 3"; # disable kernel log at boot time
|
"kernel.printk" = "3 3 3 3"; #
|
||||||
"kernel.unprivileged_bpf_disabled" = "1"; # eBPF
|
"kernel.unprivileged_bpf_disabled" = "1";
|
||||||
"net.core.bpf_jit_harden" = "2"; # eBPF
|
"net.core.bpf_jit_harden" = "2";
|
||||||
"dev.tty.ldisc_autoload" = "0"; # tty
|
"dev.tty.ldisc_autoload" = "0";
|
||||||
"vm.unprivileged_userfaultfd" = "0";
|
"vm.unprivileged_userfaultfd" = "0";
|
||||||
"kernel.kexec_load_disabled" = "1";
|
"kernel.kexec_load_disabled" = "1";
|
||||||
"kernel.sysrq" = "4"; # disable magic sysrq
|
"kernel.sysrq" = "4"; #
|
||||||
#"kernel.unprivileged_userns_clone" = "0"; # does not exist on nixos
|
#"kernel.unprivileged_userns_clone" = "0"; # does not exist on nixos
|
||||||
"kernel.perf_event_paranoid" = "3";
|
"kernel.perf_event_paranoid" = "3";
|
||||||
|
|
||||||
# Network
|
# Network
|
||||||
"net.ipv4.tcp_syncookies" = "1"; # against SYN flood attacks
|
"net.ipv4.tcp_syncookies" = "1";
|
||||||
"net.ipv4.tcp_rfc1337" = "1"; # against time-wait assassination
|
"net.ipv4.tcp_rfc1337" = "1";
|
||||||
"net.ipv4.conf.all.rp_filter" = "1"; # against IP spoofing
|
"net.ipv4.conf.all.rp_filter" = "1";
|
||||||
"net.ipv4.conf.default.rp_filter" = "1";
|
"net.ipv4.conf.default.rp_filter" = "1";
|
||||||
"net.ipv4.conf.all.accept_redirects" = "0";
|
"net.ipv4.conf.all.accept_redirects" = "0";
|
||||||
"net.ipv4.conf.default.accept_redirects" = "0"; # disable ICMP redirect acceptance and sending, against MITM
|
"net.ipv4.conf.default.accept_redirects" = "0";
|
||||||
"net.ipv4.conf.all.secure_redirects" = "0";
|
"net.ipv4.conf.all.secure_redirects" = "0";
|
||||||
"net.ipv4.conf.default.secure_redirects" = "0";
|
"net.ipv4.conf.default.secure_redirects" = "0";
|
||||||
"net.ipv6.conf.all.accept_redirects" = "0";
|
"net.ipv6.conf.all.accept_redirects" = "0";
|
||||||
"net.ipv6.conf.default.accept_redirects" = "0";
|
"net.ipv6.conf.default.accept_redirects" = "0";
|
||||||
"net.ipv4.conf.all.send_redirects" = "0";
|
"net.ipv4.conf.all.send_redirects" = "0";
|
||||||
"net.ipv4.conf.default.send_redirects" = "0";
|
"net.ipv4.conf.default.send_redirects" = "0";
|
||||||
"net.ipv4.icmp_echo_ignore_all" = "1"; # ignore all ICMP req, against smurf attacks
|
"net.ipv4.icmp_echo_ignore_all" = "1";
|
||||||
"net.ipv4.conf.all.accept_source_route" = "0";
|
"net.ipv4.conf.all.accept_source_route" = "0";
|
||||||
"net.ipv4.conf.default.accept_source_route" = "0";
|
"net.ipv4.conf.default.accept_source_route" = "0";
|
||||||
"net.ipv6.conf.all.accept_source_route" = "0";
|
"net.ipv6.conf.all.accept_source_route" = "0";
|
||||||
"net.ipv6.conf.default.accept_source_route" = "0";
|
"net.ipv6.conf.default.accept_source_route" = "0";
|
||||||
"net.ipv6.conf.all.accept_ra" = "0"; # MITM
|
"net.ipv6.conf.all.accept_ra" = "0";
|
||||||
"net.ipv6.conf.default.accept_ra" = "0";
|
"net.ipv6.conf.default.accept_ra" = "0";
|
||||||
"net.ipv4.tcp_sack" = "0"; # disable TCP SACK
|
"net.ipv4.tcp_sack" = "0";
|
||||||
"net.ipv4.tcp_dsack" = "0";
|
"net.ipv4.tcp_dsack" = "0";
|
||||||
"net.ipv4.tcp_fack" = "0";
|
"net.ipv4.tcp_fack" = "0";
|
||||||
|
|
||||||
# User Space
|
# User Space
|
||||||
"kernel.yama.ptrace_scope" = "2"; # restricts usage of ptrace
|
"kernel.yama.ptrace_scope" = "2";
|
||||||
"vm.mmap_rnd_bits" = "32"; # ASLR
|
"vm.mmap_rnd_bits" = "32";
|
||||||
"vm.mmap_rnd_compat_bits" = "16";
|
"vm.mmap_rnd_compat_bits" = "16";
|
||||||
"fs.protected_symlinks" = "1";
|
"fs.protected_symlinks" = "1";
|
||||||
"fs.protected_hardlinks" = "1";
|
"fs.protected_hardlinks" = "1";
|
||||||
"fs.protected_fifos" = "2";
|
"fs.protected_fifos" = "2";
|
||||||
"fs.protected_regular" = "2";
|
"fs.protected_regular" = "2";
|
||||||
|
|
||||||
|
### https://wiki.archlinux.org/title/Sysctl#Improving_performance
|
||||||
|
"net.ipv4.tcp_fastopen" = "3";
|
||||||
|
|
||||||
|
"net.ipv4.tcp_keepalive_time" = "80";
|
||||||
|
"net.ipv4.tcp_keepalive_intvl" = "10";
|
||||||
|
"net.ipv4.tcp_keepalive_probes" = "6";
|
||||||
|
"net.ipv4.tcp_mtu_probing" = "1";
|
||||||
|
|
||||||
|
"net.core.default_qdisc" = "cake";
|
||||||
|
"net.ipv4.tcp_congestion_control" = "bbr";
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue