# Copyright 2016 Google Inc. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Google-recommended kernel parameters (sysctl.conf format, read by sysctl(8)).
# Each line below is one kernel knob; `all` applies to every interface,
# `default` is inherited by interfaces created later.

# --- TCP hardening -----------------------------------------------------------

# SYN cookies: defend against SYN-flood attacks. From kernel 2.6.26 onward
# there is no loss of TCP functionality under normal load. Once the
# unanswered-SYN backlog fills and cookies kick in, the host stays stable,
# at the cost of some TCP options (e.g. window scaling) for those connections.
net.ipv4.tcp_syncookies = 1

# RFC 1337 "TIME-WAIT assassination" protection: drop RSTs for sockets
# in TIME-WAIT rather than tearing them down early.
net.ipv4.tcp_rfc1337 = 1

# --- Source routing and ICMP redirects ---------------------------------------

# Drop packets that carry source-route options.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Do not accept ICMP redirects. secure_redirects = 1 limits any redirects
# (should accept_redirects ever be re-enabled) to those sent by a gateway
# already in the default-gateway list.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 1

# --- Forwarding --------------------------------------------------------------

# This host is not a router: do not forward between networks and never
# emit ICMP redirects of its own.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# --- Anti-spoofing -----------------------------------------------------------

# Reverse-path filtering on every interface: drop packets whose source
# address is not reachable back through the interface they arrived on,
# blocking a class of address-spoofing attacks.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Do not answer ICMP echo requests sent to broadcast addresses, so the
# host cannot be used as an amplifier in Smurf attacks.
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Silently ignore malformed ICMP error responses instead of logging them.
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Log "martian" packets (spoofed, source-routed, and redirect packets)
# so they are visible to detection tooling.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# --- Memory layout -----------------------------------------------------------

# Full ASLR: randomize the base of mmap, heap (brk), stack and the VDSO page.
kernel.randomize_va_space = 2

# --- Crash handling ----------------------------------------------------------

# Seconds to wait after a kernel panic before rebooting automatically.
kernel.panic = 10