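#
# sysctl.conf
#
# Default sysctl's for a dual-use webhosting/shell server
# (with support for freebsd jails and Plesk compatibility)
#
# Format: one name=value per line, '#' starts a full-line comment.
# Applied at boot by sysctl(8); read-only (loader) tunables listed in
# the comments below must go in /boot/loader.conf instead.
#
# 2001-2005 Developed and used on FreeBSD 4.x server(s)
# 2003-2006 Run on production 5.x and 4.x servers
# 2005-2008 Run on production 5.x and 6.x servers
#
# Zoidial, Inc.
# Zoidial Publishing
# Eric Thern eric(at)zoidial.com
#
# v0.1 06/03/2001 - initial release
# v0.2 01/02/2002 - added more net.inet options
# v0.3 01/03/2002 - added kern.ipc and kern.randompid stuff
# v0.4 01/08/2003 - added some more nonsense and such.
# v0.5 06/03/2003 - kern.maxfiles
#                   AU/UK date scheme change, I think. oops?
# v0.6 25/06/2003 - net.inet.ip.fw.one_pass=0 (from 1)
# v0.7 08/07/2003 - net.inet.ip.fw.one_pass=1 (yeah, seems better this way?)
# v0.8 15/10/2003 - net.inet.ip.dummynet.hash_size=2048 (added, more queue buckets)
# v0.9 25/01/2003 - 5.2 COMPLIANT! , security.* stuff added for 5.x
#                 - showallprocs sysctl from 4.x is now incorporated into the
#                 - security.* sysctl's of 5.x systems.
# v1.0 01/01/2008 - 6.x COMPLIANT - added some info on loader.conf variables
#                 - fixed up a few limits
# v1.1 31/10/2008 - Run on 7.x and 6.x FreeBSD systems.
#                 - Changed some limits for better ddos protection.
#
# DISCLAIMER:
# Please review before putting this on your server blindly!
# It works for us, it may not work for you!
# Be careful setting /boot/loader.conf variables
#
#
#############################
# // NETWORKING SYSCTL's // #
#############################
#
# limit responses to ICMP for bandwidth purposes
#
net.inet.icmp.icmplim=50
net.inet.icmp.maskrepl=0
net.inet.icmp.drop_redirect=1
net.inet.icmp.bmcastecho=0
#
# icmp may NOT rst, thank you very much
# this is helpful for those pesky spoofed icmp/udp floods
# that end up taking up your outgoing bandwidth due to
# all that outgoing RST traffic.
#
net.inet.tcp.icmp_may_rst=0
#
# drop synfin packets -- we don't need no stinkin' synfin!
#
net.inet.tcp.drop_synfin=1
#
# up the maximum connections allowed, good for ddos's
#
# kern.ipc.somaxconn
# must set this in /boot/loader.conf
# kern.ipc.somaxconn="2048"
kern.ipc.somaxconn=2048
#
# Forces a single pass through the firewall. If set to 0,
# packets coming out of a pipe will be reinjected into the
# firewall starting with the rule after the matching one.
# NOTE: there is always one pass for bridged packets.
#
net.inet.ip.fw.one_pass=1
#
# adds more queue buckets for ipfw dummynet
#
net.inet.ip.dummynet.hash_size=2048
#
# increase the size of network mbufs to allocate
#
kern.ipc.nmbclusters=65536
#
# this is actually a read-only sysctl variable
# must be set in kernel to REALLY be set
# to add to kernel:
# options NMBCLUSTERS=32768
#
# In FreeBSD 5.x this should work, however.
# In FreeBSD 6.x this has been done away with,
# and must be set in /boot/loader.conf
# (loader.conf line; note the name is nmbclusters, not nmbclusers)
#
# kern.ipc.nmbclusters="65536"
#
# FROM: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/configtuning-kernel-limits.html
# If you have a web server which maxes out at 1000
# simultaneous connections, and each connection eats
# a 16 K receive and 16 K send buffer, you need approximately
# 32 MB worth of network buffers to cover the web server.
# A good rule of thumb is to multiply by 2, so 2x32 MB / 2 KB =
# 64 MB / 2 kB = 32768
#
# Setting too high may result in a kernel/bootup crash!
#
#
# net.inet.tcp.msl defines the Maximum Segment Life -
#
# FROM: http://silverwraith.com/papers/freebsd-ddos.php
# This is the maximum amount of time to wait for an ACK in reply
# to a SYN-ACK or FIN-ACK, in milliseconds. If an ACK is not received
# in this time, the segment can be considered "lost" and the network
# connection is freed.
#
# There are two implications for this. When you are trying to close a
# connection, if the final ACK is lost or delayed, the socket will still
# close, and more quickly. However if a client is trying to open a
# connection to you and their ACK is delayed more than 7500ms, the
# connection will not form. RFC 753 defines the MSL as 120 seconds
# (120000ms), however this was written in 1979 and timing issues have
# changed slightly since then. Today, FreeBSD's default is 30000ms. This
# is sufficient for most conditions, but for stronger DoS protection
# you will want to lower this to 7500, or maybe even less.
# NOTE(review): the 2-minute MSL is usually attributed to RFC 793 (TCP),
# not RFC 753. Lowering MSL also shortens TIME_WAIT, so clients on
# slow/lossy links may see failed handshakes; keep an eye on it.
#
net.inet.tcp.msl=7500
#
# stealth IP networking ( 0 = off )
#
net.inet.ip.stealth=0
#
# set rfc extensions (time stamps on netcraft)
# set to 0 if you don't want this to show
# NOTE(review): rfc1323=0 also disables TCP window scaling, which caps
# the receive window at 64 KB and hurts throughput on high-latency links.
# Hiding uptime from fingerprinting is the only gain; weigh accordingly.
#
net.inet.tcp.rfc1323=0
#
# security against stealth port scans and some DoS attacks
# (blackhole: don't answer segments/datagrams to closed ports,
#  tcp 2 = SYN and non-SYN, udp 1 = all)
#
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
#
# stops some syn flood attacks, and route cache degradation during a high-bandwidth flood
#
net.inet.ip.rtexpire=2
net.inet.ip.rtminexpire=2
net.inet.ip.rtmaxcache=256
#
# don't accept sourcerouted packets (they are evil, gross, and have cooties)
#
net.inet.ip.accept_sourceroute=0
net.inet.ip.sourceroute=0
#
# don't log arp responses when you have two interfaces
# this gets way annoying when you have , say, fxp1 and fxp0 on two separate networks
# but are on the same physical line or hub/switch
#
net.link.ether.inet.log_arp_wrong_iface=0
#######################
# // IPCS SYSCTL's // #
#######################
#
# 128MB memory reserved (bytes)
#
kern.ipc.shmmax=134217728
#
# total shared memory, in pages
#
kern.ipc.shmall=32768
#
# semaphore map entries
#
kern.ipc.semmap=256
##########################
# // PROCESS SYSCTL's // #
##########################
#
# show only those processes of which you own
#
#kern.ps_showallprocs=0
#
# NOTE: in FreeBSD 5.x, this is no longer a sysctl variable.
# please see the security sysctl's below, there are two variables there
# that restrict process viewing by UID and GID.
#
#
# show only the basic process, no arguments
# examples (non root user running ps on a specific PID):
#
# with this set to 1:
# PID TT STAT TIME COMMAND
# 3989 ?? SNs 0:19.86 /usr/sbin/named -u bind -g bind -c named.conf -t /etc/namedb
#
# with this set to 0:
# PID TT STAT TIME COMMAND
# 3989 ?? SNs 0:19.86 (named)
#
# obviously obscures things in a more fundamental way when set to zero.
# (also keeps secrets passed on command lines out of other users' ps output)
#
#kern.ps_argsopen=0
#
# randomize process ID's ... keep them guessing!
#
# change this number to some random number that suits you
#
kern.randompid=348
#######################
# // JAIL SYSCTL's // #
#######################
#
# jail settings for extra security
#
#
# allow sysvipc shared memory within jails
# safer to set to 0, however a lot of things require this
#
# postgresql, apache (sometimes), and other programs.
#
# setting sysvipc to 1 allows for shared memory segments to be viewable throughout
# the entire system, this COULD BE USED MALICIOUSLY.
# However, I need this to run things within jails that require SYSVIPC.
#
# a possible fix for this would be to install some patches to the jail system that provide
# unique memory segments for each jail. Found at http://garage.freebsd.pl
# I haven't played with this much, the only time i've tried it, it would never patch my source cleanly
# so I gave up.
#
# NOTE(review): this key was previously listed twice in this file with the
# same value; it is now set exactly once here.
#
security.jail.sysvipc_allowed=1
#
# NOTE(review): security.jail.jailed reports whether the calling process is
# itself inside a jail and is read-only; assigning it here is expected to be
# a no-op (sysctl(8) will complain) -- confirm on the target release.
#
security.jail.jailed=0
#
#
#
security.jail.jailed_sockets_first=1
#
# when set to 0, will not allow any user to change chflags on files from within the jail
# this applies even to the root user uid=0 within the jail.
#
# useful to keep some extra security on some files within the jail as the main administrator
# of the underlying machine.
#
# set to 1 to allow chflags to be changed.
#
security.jail.chflags_allowed=0
#
# allows ping, traceroute and other utils to work. Not so safe within jail, but nice to have
# the option to ping from a jail!
# (raw sockets let a jailed root craft arbitrary IP packets; set to 0 on
#  jails that host untrusted customers)
#
security.jail.allow_raw_sockets=1
#
# statfs of 0 = show all mounts within jail (even subsystem mounts not accessible by jail)
# statfs of 1 = show all mounts mounted under root jail subsystem (ie, /dev, /tmp, /, etc.)
# statfs of 2 = only show single / mount within jail
#
# some scripts prefer being able to see /dev or /compat/linux/proc if they require it
# for example, some linux compat stuff, etc. -- this requires statfs=1
#
security.jail.enforce_statfs=1
#
# jailed sockets may bind any address (0) vs. only the jail's IP/unix/route
# sockets; hostname changes from inside the jail are permitted (1)
#
security.jail.socket_unixiproute_only=0
security.jail.set_hostname_allowed=1
###########################
# // SECURITY SYSCTL's // #
###########################
#
# settings to secure the system a bit
#
#
# these two are set to defaults
# (unprivileged_proc_debug=0 would stop unprivileged users from ptrace'ing
#  their own processes -- stricter, but breaks debuggers for shell users)
security.bsd.unprivileged_proc_debug=1
security.bsd.conservative_signals=1
#
# don't want normal users seeing what other people or groups are running!
# (this also applies to all jailed systems)
#
security.bsd.see_other_gids=0
security.bsd.see_other_uids=0
# default here is '1'
security.bsd.suser_enabled=1
#
# We don't want people being able to read msgbuf of the entire system
# ESPECIALLY not client jails! With this enabled (set to =1), they can see the logs of the subsystem!
# (and thats no good, in case you weren't thinking)
#
security.bsd.unprivileged_read_msgbuf=0
#
# 0 = unprivileged users may hard-link files they don't own (FreeBSD default);
# 1 = restrict hard links to files of the user's own uid/gid -- worth
# considering on multi-user shell hosts, but check that Plesk/jails cope.
#
security.bsd.hardlink_check_gid=0
security.bsd.hardlink_check_uid=0
#
# by default this is '0'
security.bsd.unprivileged_get_quota=0
#########################
# // KERNEL SYSCTL's // #
#########################
#
# update maximum files allowed for the kernel
#
kern.maxfiles=65536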