nixos,core,sysctl: performance optimisation

This commit is contained in:
Guanran Wang 2023-11-18 12:39:42 +08:00
parent 714f92eb81
commit 892b910d04
Signed by: nyancat
SSH key fingerprint: SHA256:8oWGKciPALWut/6WA27oFKofX+6Wtc0gQnsefXLQx/8

View file

@ -1,50 +1,62 @@
{...}: { {...}: {
# All sysctl-s are from https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl boot.kernelModules = ["tcp_bbr"];
boot.kernel.sysctl = { boot.kernel.sysctl = {
### https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
# Kernel self-protection # Kernel self-protection
"kernel.kptr_restrict" = "2"; # Kernel pointer "kernel.kptr_restrict" = "2";
"kernel.dmesg_restrict" = "1"; # restricts dmesg "kernel.dmesg_restrict" = "1";
"kernel.printk" = "3 3 3 3"; # disable kernel log at boot time "kernel.printk" = "3 3 3 3"; #
"kernel.unprivileged_bpf_disabled" = "1"; # eBPF "kernel.unprivileged_bpf_disabled" = "1";
"net.core.bpf_jit_harden" = "2"; # eBPF "net.core.bpf_jit_harden" = "2";
"dev.tty.ldisc_autoload" = "0"; # tty "dev.tty.ldisc_autoload" = "0";
"vm.unprivileged_userfaultfd" = "0"; "vm.unprivileged_userfaultfd" = "0";
"kernel.kexec_load_disabled" = "1"; "kernel.kexec_load_disabled" = "1";
"kernel.sysrq" = "4"; # disable magic sysrq "kernel.sysrq" = "4"; #
#"kernel.unprivileged_userns_clone" = "0"; # does not exist on nixos #"kernel.unprivileged_userns_clone" = "0"; # does not exist on nixos
"kernel.perf_event_paranoid" = "3"; "kernel.perf_event_paranoid" = "3";
# Network # Network
"net.ipv4.tcp_syncookies" = "1"; # against SYN flood attacks "net.ipv4.tcp_syncookies" = "1";
"net.ipv4.tcp_rfc1337" = "1"; # against time-wait assassination "net.ipv4.tcp_rfc1337" = "1";
"net.ipv4.conf.all.rp_filter" = "1"; # against IP spoofing "net.ipv4.conf.all.rp_filter" = "1";
"net.ipv4.conf.default.rp_filter" = "1"; "net.ipv4.conf.default.rp_filter" = "1";
"net.ipv4.conf.all.accept_redirects" = "0"; "net.ipv4.conf.all.accept_redirects" = "0";
"net.ipv4.conf.default.accept_redirects" = "0"; # disable ICMP redirect acceptance and sending, against MITM "net.ipv4.conf.default.accept_redirects" = "0";
"net.ipv4.conf.all.secure_redirects" = "0"; "net.ipv4.conf.all.secure_redirects" = "0";
"net.ipv4.conf.default.secure_redirects" = "0"; "net.ipv4.conf.default.secure_redirects" = "0";
"net.ipv6.conf.all.accept_redirects" = "0"; "net.ipv6.conf.all.accept_redirects" = "0";
"net.ipv6.conf.default.accept_redirects" = "0"; "net.ipv6.conf.default.accept_redirects" = "0";
"net.ipv4.conf.all.send_redirects" = "0"; "net.ipv4.conf.all.send_redirects" = "0";
"net.ipv4.conf.default.send_redirects" = "0"; "net.ipv4.conf.default.send_redirects" = "0";
"net.ipv4.icmp_echo_ignore_all" = "1"; # ignore all ICMP req, against smurf attacks "net.ipv4.icmp_echo_ignore_all" = "1";
"net.ipv4.conf.all.accept_source_route" = "0"; "net.ipv4.conf.all.accept_source_route" = "0";
"net.ipv4.conf.default.accept_source_route" = "0"; "net.ipv4.conf.default.accept_source_route" = "0";
"net.ipv6.conf.all.accept_source_route" = "0"; "net.ipv6.conf.all.accept_source_route" = "0";
"net.ipv6.conf.default.accept_source_route" = "0"; "net.ipv6.conf.default.accept_source_route" = "0";
"net.ipv6.conf.all.accept_ra" = "0"; # MITM "net.ipv6.conf.all.accept_ra" = "0";
"net.ipv6.conf.default.accept_ra" = "0"; "net.ipv6.conf.default.accept_ra" = "0";
"net.ipv4.tcp_sack" = "0"; # disable TCP SACK "net.ipv4.tcp_sack" = "0";
"net.ipv4.tcp_dsack" = "0"; "net.ipv4.tcp_dsack" = "0";
"net.ipv4.tcp_fack" = "0"; "net.ipv4.tcp_fack" = "0";
# User Space # User Space
"kernel.yama.ptrace_scope" = "2"; # restricts usage of ptrace "kernel.yama.ptrace_scope" = "2";
"vm.mmap_rnd_bits" = "32"; # ASLR "vm.mmap_rnd_bits" = "32";
"vm.mmap_rnd_compat_bits" = "16"; "vm.mmap_rnd_compat_bits" = "16";
"fs.protected_symlinks" = "1"; "fs.protected_symlinks" = "1";
"fs.protected_hardlinks" = "1"; "fs.protected_hardlinks" = "1";
"fs.protected_fifos" = "2"; "fs.protected_fifos" = "2";
"fs.protected_regular" = "2"; "fs.protected_regular" = "2";
### https://wiki.archlinux.org/title/Sysctl#Improving_performance
"net.ipv4.tcp_fastopen" = "3";
"net.ipv4.tcp_keepalive_time" = "80";
"net.ipv4.tcp_keepalive_intvl" = "10";
"net.ipv4.tcp_keepalive_probes" = "6";
"net.ipv4.tcp_mtu_probing" = "1";
"net.core.default_qdisc" = "cake";
"net.ipv4.tcp_congestion_control" = "bbr";
}; };
} }