update
commit
ff3dbfc8d9
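--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,9 @@
+### Example user template template
+### Example user template
+
+# IntelliJ project files
+.idea
+*.iml
+out
+gen
+.vscode/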
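--- a/README.md
+++ b/README.md
@@ -0,0 +1,193 @@
+![logo](./security-default.png)
+<h1 align="center">Welcome to SecurityVPS 👋</h1>
+<p>
+<img alt="Version" src="https://img.shields.io/badge/version-1.0-blue.svg?cacheSeconds=2592000" />
+<a href="#" target="_blank">
+<img alt="License: GPLv3" src="https://img.shields.io/badge/License-GPLv3-yellow.svg" />
+</a>
+</p>
+
+
+> Security Default VPS Debian 11 / Guide by Свободный Волк ;)
+
+#### Создаем ключи ssh (Пароль должен быть стойким)
+
+```sh
+~$ ssh-keygen -a 32 -t rsa -b 4096 -C 'libre'
+```
+
+#### Копируем наши созданные ключи на тачку
+
+```sh
+~$ ssh-copy-id root@195.0.0.201
+```
+
+#### Коннектимся к нашей тачке
+
+```sh
+~$ ssh root@195.0.0.201
+```
+
+#### Обновляем нашу тачку
+
+```sh
+~$ apt update && apt upgrade -y
+~$ apt -y install sudo whois curl mc git autoconf make tcpdump \
+tree screen htop tree apt-transport-https neofetch net-tools macchanger \
+debsums debsecan fail2ban rkhunter ufw unattended-upgrades
+```
+
+#### Включить автоматическое обновление
+
+```sh
+~$ apt update && apt -y dist-upgrade
+~$ dpkg-reconfigure --priority=low unattended-upgrades
+```
+
+#### Редактируем наш баннер
+
+```sh
+~$ nano /etc/motd
+```
+
+#### Редактируем наш issue на Windows Server
+
+```sh
+~$ echo 'Windows Server 2016' > /etc/issue.net
+```
+
+#### Создаем нового юзера для входа из под него
+
+```sh
+~$ adduser libre
+~$ usermod -aG sudo libre
+~$ reboot
+```
+#### В отдельном терминале копируем ключи для нового юзера
+
+```sh
+~$ ssh-copy-id libre@195.0.0.201
+```
+
+#### Коннектимся к нашей тачке
+
+```sh
+~$ ssh root@195.0.0.201
+```
+#### Редактируем наш sshd config
+
+```sh
+# https://man.openbsd.org/sshd_config.5
+
+~$ sshd -T
+
+~$ nano /etc/ssh/sshd_config
+```
+
+Заменяем на: [sshd_config](./sshd_config)
+
+```sh
+# перезагружаем sshd
+
+~$ service sshd reload
+```
+
+#### Редактируем наш sysctl.conf
+
+```sh
+~$ nano /etc/sysctl.conf
+```
+
+Заменяем на: [sysctl.conf](./sysctl.conf)
+
+```sh
+~$ sysctl -p
+```
+
+#### Удалить все ключи Диффи-Хеллмана длиной менее 3072 бит
+
+```sh
+~$ sudo cp --archive /etc/ssh/moduli /etc/ssh/moduli-COPY-$(date +"%Y%m%d%H%M%S")
+~$ sudo awk '$5 >= 3071' /etc/ssh/moduli | sudo tee /etc/ssh/moduli.tmp
+~$ sudo mv /etc/ssh/moduli.tmp /etc/ssh/moduli
+```
+
+#### Создаем конфиг для удобного коннекта
+
+```sh
+Host libre
+User libre
+port 1337
+HostName 195.0.0.201
+MACs hmac-sha2-512
+KexAlgorithms curve25519-sha256@libssh.org
+VisualHostKey no
+IdentityFile ~/.ssh/id_rsa
+
+~$ nano ~/.ssh/config
+
+~$ chmod 644 ~/.ssh/config
+```
+
+#### Коннектимся к нашей тачке
+
+```sh
+~$ ssh libre@195.0.0.201
+```
+
+#### Закройте не нужные порты если они есть
+
+```sh
+~$ sudo ss -tulpn
+```
+
+#### Установите Rkhunter
+
+```sh
+Отредактируйте /etc/rkhunter.conf файл с помощью nano
+
+#Enable the mirror checks.
+UPDATE_MIRRORS=1
+
+#Tells rkhunter to use any mirror.
+MIRRORS_MODE=0
+
+#Specify a command which rkhunter will use when downloading files from the Internet
+WEB_CMD=""
+
+~$ sed -i -r -e '/^#|^$/ d' /etc/rkhunter.conf
+~$ sudo nano /etc/rkhunter.conf
+~$ sudo rkhunter -C
+~$ sudo rkhunter --update
+~$ sudo rkhunter --propupd
+~$ sudo rkhunter --check --sk
+```
+
+#### Installation Lynis
+
+```sh
+~$ cd /usr/local
+~$ git clone https://github.com/CISOfy/lynis
+~$ cd lynis
+~$ ./lynis audit system --quick
+```
+### TODO:
+
+* Add script autoInstall
+* Add Firewall configuration
+* Add Traffic Noisy
+* More Security
+* ClamAV
+
+### Author
+👤 **Librewolf**
+
+* Open Source: https://t.me/ThisOpenSource
+
+### Show your support
+
+Give a ⭐️ if this project helped you!
+
+### License
+
+`Distributed under the GPL V3 License. See LICENSE for more information`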
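--- a/config
+++ b/config
@@ -0,0 +1,7 @@
+Host libre
+User libre
+port 1337
+HostName 195.0.0.201
+MACs hmac-sha2-512
+KexAlgorithms curve25519-sha256@libssh.org
+IdentityFile ~/.ssh/id_rsa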
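Review bot: The `Host libre` entry pins `MACs hmac-sha2-512`, the encrypt-and-MAC variant, although the sshd_config in this commit offers the `-etm@openssh.com` MACs first; if a CTR cipher is ever negotiated the client ends up with the weaker construction, so prefer `MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com`. The server side also sets `MaxAuthTries 2`, so a client whose agent holds several other keys can exhaust its attempts before `~/.ssh/id_rsa` is offered; adding `IdentitiesOnly yes` next to `IdentityFile` avoids that. The copy of this block in the README carries `VisualHostKey no`, which this file lacks, so the two have already drifted and one of them should be the single source.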
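--- a/motd
+++ b/motd
@@ -0,0 +1,6 @@
+_ _ _ _ __
+| | (_) |__ _ _ _____ __ _____| |/ _|
+| |__| | '_ \ '_/ -_) V V / _ \ | _|
+|____|_|_.__/_| \___|\_/\_/\___/_|_|
+----- Mail: secven@riseup.net -----
+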
BIN
security-default.png
Normal file
BIN
security-default.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 215 KiB |
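--- a/shmsetup.sh
+++ b/shmsetup.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+func_check_for_root() {
+if [ ! $( id -u ) -eq 0 ]; then
+echo "ERROR: $0 Must be run as root, Script terminating" ;exit 7
+fi
+}
+
+fn_limits() {
+cat >>/etc/security/limits.conf <<EOL
+* soft nproc 999999
+* hard nproc 999999
+* soft nofile 999999
+* hard nofile 999999
+EOL
+}
+
+func_check_for_root
+#fn_limits
+
+page_size=$(getconf PAGE_SIZE)
+phys_pages=$(getconf _PHYS_PAGES)
+shmall=$(expr $phys_pages / 2)
+shmmax=$(expr $shmall \* $page_size)
+echo kernel.shmmax = $shmmax
+echo kernel.shmall = $shmall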
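Review bot: Nothing in the script needs root as committed: the only privileged step, `fn_limits`, is commented out and the rest prints two values derived from `getconf`, so `func_check_for_root` blocks unprivileged use for no benefit and writes its error to stdout rather than stderr (`echo "ERROR: ..." >&2; exit 7`). The arithmetic is unchecked as well: if either `getconf` call fails, `expr` errors out and the script still prints empty `kernel.shmmax =` / `kernel.shmall =` lines that look like usable output; `set -eu` at the top plus `shmall=$(( phys_pages / 2 ))` and `shmmax=$(( shmall * page_size ))` would stop there instead. If `fn_limits` is ever enabled, note that `>>` appends a duplicate block to /etc/security/limits.conf on every run, and that `* hard nproc 999999` is above the `kernel.pid_max = 65536` set in this commit's sysctl.conf, so the per-user process limit never binds for any account, which works against the hardening intent of the repository.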
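--- a/sshd_config
+++ b/sshd_config
@@ -0,0 +1,45 @@
+# _ _ _ _ __
+# | | (_) |__ _ _ _____ __ _____| |/ _|
+# | |__| | '_ \ '_/ -_) V V / _ \ | _|
+# |____|_|_.__/_| \___|\_/\_/\___/_|_|
+# ----- Mail: secven@riseup.net -----
+
+Protocol 2
+Port 1337
+
+# Supported HostKey algorithms by order of preference.
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+
+UsePAM yes
+MaxAuthTries 2
+LoginGraceTime 20
+MaxSessions 2
+Compression no
+PermitRootLogin no
+LogLevel VERBOSE
+TCPKeepAlive no
+PubkeyAuthentication yes
+PasswordAuthentication no
+PermitEmptyPasswords no
+X11Forwarding no
+ClientAliveCountMax 2
+# Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+# disable port forwarding
+AllowTcpForwarding no
+AllowStreamLocalForwarding no
+AllowAgentForwarding no
+GatewayPorts no
+PermitTunnel no
+
+# ignore .rhosts and .shosts
+IgnoreRhosts yes
+
+ChallengeResponseAuthentication no
+AcceptEnv LANG LC_*
+Subsystem sftp /usr/lib/openssh/sftp-server
+# Cipher selection
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1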
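Review bot: The `MACs` and `KexAlgorithms` lines at the end still list legacy algorithms: `hmac-ripemd160` was removed from OpenSSH in 7.6, so on the Debian 11 target named in the README sshd will most likely reject the file as a bad MAC spec, and `diffie-hellman-group14-sha1` / `diffie-hellman-group-exchange-sha1` keep SHA-1 key exchange negotiable. I would end the lists at `...,hmac-sha2-512,hmac-sha2-256` and `KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256`. `ClientAliveCountMax 2` does nothing without a `ClientAliveInterval`, and combined with `TCPKeepAlive no` dead or idle sessions are never reaped; add an interval (for example `ClientAliveInterval 300`, value to be chosen by the author). `Protocol 2` and `UsePrivilegeSeparation yes` are, as far as I know, deprecated no-ops on current OpenSSH and only produce warnings. Because the README has readers swap this file in and reload sshd over the same remote session, a header comment telling them to run `sshd -t` and keep the existing session open until a new login on port 1337 succeeds would prevent a lockout.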
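--- a/sysctl.conf
+++ b/sysctl.conf
@@ -0,0 +1,200 @@
+# _ _ _ _ __
+# | | (_) |__ _ _ _____ __ _____| |/ _|
+# | |__| | '_ \ '_/ -_) V V / _ \ | _|
+# |____|_|_.__/_| \___|\_/\_/\___/_|_|
+# Mail: secven@riseup.net
+# use sudo sysctl -p
+
+# Set maximum amount of memory allocated to shm to 256MB
+#kernel.shmmax = 268435456
+#kernel.shmall = 268435456
+
+# Prefer caching pages over inodes/dentries
+vm.dirty_bytes = 2097152
+vm.dirty_background_bytes = 2097152
+vm.vfs_cache_pressure = 1000
+
+# ("Too many open files fix")
+fs.file-max = 2097152
+
+# Prevent setuid processes from creating coredumps.
+fs.suid_dumpable=0
+
+# Prohibit unreferencing links to files
+fs.protected_symlinks = 1
+fs.protected_hardlinks = 1
+
+# Don't allow writes to files that we don't own
+# in world writable sticky directories, unless
+# they are owned by the owner of the directory.
+fs.protected_fifos=2
+fs.protected_regular=2
+
+# Only allow the SysRq key to be used for shutdowns and the
+# Secure Attention Key (SAK).
+kernel.sysrq=132
+
+# Activate ASLR
+kernel.randomize_va_space = 2
+
+# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent
+# unprivileged attackers from loading vulnerable line disciplines
+# with the TIOCSETD ioctl which has been used in exploits before
+# such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
+#
+# https://lkml.org/lkml/2019/4/15/890
+dev.tty.ldisc_autoload=0
+
+# Restrict the userfaultfd() syscall to root as it can make heap sprays
+vm.unprivileged_userfaultfd=0
+
+# Prohibit mapping of memory in low addresses (0)
+vm.mmap_min_addr = 65536
+
+# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
+kernel.pid_max = 65536
+kernel.panic = 10
+
+# Controls the maximum size of a message, in bytes
+kernel.msgmnb = 65535
+
+# Controls the default maxmimum size of a mesage queue
+kernel.msgmax = 65535
+
+# Prevent kernel info leaks in console during boot.
+# https://phabricator.whonix.org/T950
+kernel.printk = 3 3 3 3
+
+# Obfuscation of addresses memory kernel
+kernel.kptr_restrict = 1
+
+# Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
+kernel.core_pattern=|/bin/false
+
+# Restricts the kernel log to root only.
+kernel.dmesg_restrict=1
+
+# Restricts the use of the perf system
+kernel.perf_event_paranoid = 3
+kernel.perf_event_max_sample_rate = 1
+kernel.perf_cpu_time_max_percent = 1
+
+# Restricts the use of ptrace to root. This might break some programs running under WINE.
+# A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
+#
+# sudo apt-get install libcap2-bin
+# sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
+# sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
+kernel.yama.ptrace_scope=2
+
+# Disables kexec which can be used to replace the running kernel.
+kernel.kexec_load_disabled=1
+
+# Improves ASLR effectiveness for mmap.
+vm.mmap_rnd_bits=32
+vm.mmap_rnd_compat_bits=16
+
+# Disable User Namespaces
+user.max_user_namespaces = 0
+
+# Hardens the BPF JIT compiler and restricts it to root.
+kernel.unprivileged_bpf_disabled=1
+net.core.bpf_jit_harden=2
+
+# TCP SYN cookie protection
+net.ipv4.tcp_syncookies = 1
+
+# TCP rfc1337
+net.ipv4.tcp_rfc1337 = 1
+
+# Reverse path filtering
+net.ipv4.conf.default.rp_filter = 1
+net.ipv4.conf.all.rp_filter = 1
+
+# Log martian packets
+net.ipv4.conf.default.log_martians = 1
+net.ipv4.conf.all.log_martians = 1
+
+# Disables ICMP redirect acceptance.
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.all.secure_redirects=0
+net.ipv4.conf.default.secure_redirects=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
+
+# Disables ICMP redirect sending.
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.send_redirects=0
+
+# Disable IP source routing
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.all.accept_source_route = 0
+
+# Ignore ICMP echo requests
+net.ipv4.icmp_echo_ignore_all = 1
+net.ipv6.icmp.echo_ignore_all = 1
+
+# Ignoring broadcasts request
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# An illicit router advertisement message could result in a man-in-the-middle attack.
+net.ipv6.conf.default.accept_ra = 0
+net.ipv6.conf.all.accept_ra = 0
+
+# Disable ipv6
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.default.disable_ipv6 = 1
+net.ipv6.conf.lo.disable_ipv6 = 1
+
+# Ignore bogus ICMP error responses
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# IP forwarding
+net.ipv4.ip_forward = 0
+
+# Keepalive packets to keep an connection alive
+net.ipv4.tcp_keepalive_time = 180
+net.ipv4.tcp_keepalive_intvl = 10
+net.ipv4.tcp_keepalive_probes = 3
+
+# TUNING NETWORK PERFORMANCE
+net.ipv4.ip_local_port_range = 2000 65000
+net.ipv4.tcp_rmem = 4096 87380 8388608
+net.ipv4.tcp_wmem = 4096 87380 8388608
+net.core.rmem_max = 8388608
+net.core.wmem_max = 8388608
+net.core.netdev_max_backlog = 5000
+net.ipv4.tcp_window_scaling = 1
+net.core.somaxconn = 65535
+net.netfilter.nf_conntrack_max = 10000000
+net.netfilter.nf_conntrack_tcp_loose = 0
+net.netfilter.nf_conntrack_tcp_timeout_established = 800
+net.netfilter.nf_conntrack_tcp_timeout_close = 10
+net.netfilter.nf_conntrack_tcp_timeout_close_wait = 10
+net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 10
+net.netfilter.nf_conntrack_tcp_timeout_last_ack = 10
+net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 10
+net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 10
+net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
+net.ipv4.tcp_slow_start_after_idle = 0
+net.ipv4.ip_no_pmtu_disc = 1
+net.ipv4.route.flush = 1
+net.ipv4.route.max_size = 8048576
+net.ipv4.tcp_mem = 65536 131072 262144
+net.ipv4.udp_mem = 65536 131072 262144
+net.ipv4.udp_rmem_min = 16384
+net.ipv4.udp_wmem_min = 16384
+net.ipv4.tcp_max_tw_buckets = 1440000
+net.ipv4.tcp_tw_reuse = 1
+net.ipv4.tcp_max_orphans = 400000
+net.ipv4.tcp_syn_retries = 2
+net.ipv4.tcp_timestamps = 1
+net.ipv4.tcp_sack = 1
+net.ipv4.tcp_fack = 1
+net.ipv4.tcp_ecn = 2
+net.ipv4.tcp_fin_timeout = 10
+net.ipv4.tcp_no_metrics_save = 1
+net.ipv4.tcp_mtu_probing = 1
+net.ipv4.tcp_fastopen = 3
+net.ipv4.tcp_congestion_control = hybla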
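Review bot: The `net.netfilter.nf_conntrack_*` keys in the tuning block only exist once the nf_conntrack module is loaded, so on a fresh host the `sysctl -p` step from the README will report them as unknown, and when the file is applied at boot before the module loads those timeouts are probably never set; a comment such as `# requires nf_conntrack to be loaded (e.g. once the firewall is enabled)` or a separate drop-in applied later would make that explicit. `kernel.kptr_restrict = 1` still shows kernel pointers to processes holding CAP_SYSLOG, whereas `kernel.kptr_restrict = 2` hides them from everyone and matches the strictness of the neighbouring `dmesg_restrict` and `perf_event_paranoid` settings. `vm.mmap_rnd_bits=32` and `vm.mmap_rnd_compat_bits=16` are the x86_64 maxima and are rejected on architectures with a smaller range, which deserves a one-line comment. The commented-out `kernel.shmall = 268435456` under the "256MB" heading is misleading because shmall is counted in pages rather than bytes, which is how shmsetup.sh in this same commit computes it.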