roles/common: Add sysctl template for Debian hosts
Note: I've only tested this on a Debian container, and you can't set these sysctls on containers (the host controls them). To make matters worse, there is no fact to make ansible skip this on hosts that are running in containers. For now I will just skip it on hosts that are "virtualization" servers... even though we actually do have KVM running on Debian on real hardware. *sigh* Signed-off-by: Alan Orth <alan.orth@gmail.com>
This commit is contained in:
parent
56df8b38ca
commit
18ca44193d
GPG Key ID:
0FB860CC9C45B1B9
|
|
@ -23,7 +23,9 @@
|
|||
- include: sshd.yml
|
||||
tags: sshd
|
||||
|
||||
# containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts!
|
||||
- name: Reconfigure /etc/sysctl.conf
|
||||
when: ansible_virtualization_role != 'host'
|
||||
template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644
|
||||
notify:
|
||||
- reload sysctl
|
||||
|
|
|
|||
|
|
@ -0,0 +1,114 @@
|
|||
#
|
||||
# /etc/sysctl.conf - Configuration file for setting system variables
|
||||
# See /etc/sysctl.d/ for additional system variables
|
||||
# See sysctl.conf (5) for information.
|
||||
#
|
||||
|
||||
#kernel.domainname = example.com
|
||||
|
||||
# Uncomment the following to stop low-level messages on console
|
||||
#kernel.printk = 3 4 1 3
|
||||
|
||||
##############################################################3
|
||||
# Functions previously found in netbase
|
||||
#
|
||||
|
||||
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
|
||||
# Turn on Source Address Verification in all interfaces to
|
||||
# prevent some spoofing attacks
|
||||
#net.ipv4.conf.default.rp_filter=1
|
||||
#net.ipv4.conf.all.rp_filter=1
|
||||
|
||||
# Uncomment the next line to enable TCP/IP SYN cookies
|
||||
# See http://lwn.net/Articles/277146/
|
||||
# Note: This may impact IPv6 TCP sessions too
|
||||
#net.ipv4.tcp_syncookies=1
|
||||
|
||||
# Uncomment the next line to enable packet forwarding for IPv4
|
||||
#net.ipv4.ip_forward=1
|
||||
|
||||
# Uncomment the next line to enable packet forwarding for IPv6
|
||||
# Enabling this option disables Stateless Address Autoconfiguration
|
||||
# based on Router Advertisements for this host
|
||||
#net.ipv6.conf.all.forwarding=1
|
||||
|
||||
|
||||
###################################################################
|
||||
# Additional settings - these settings can improve the network
|
||||
# security of the host and prevent against some network attacks
|
||||
# including spoofing attacks and man in the middle attacks through
|
||||
# redirection. Some network environments, however, require that these
|
||||
# settings are disabled so review and enable them as needed.
|
||||
#
|
||||
# Do not accept ICMP redirects (prevent MITM attacks)
|
||||
#net.ipv4.conf.all.accept_redirects = 0
|
||||
#net.ipv6.conf.all.accept_redirects = 0
|
||||
# _or_
|
||||
# Accept ICMP redirects only for gateways listed in our default
|
||||
# gateway list (enabled by default)
|
||||
# net.ipv4.conf.all.secure_redirects = 1
|
||||
#
|
||||
# Do not send ICMP redirects (we are not a router)
|
||||
#net.ipv4.conf.all.send_redirects = 0
|
||||
#
|
||||
# Do not accept IP source route packets (we are not a router)
|
||||
#net.ipv4.conf.all.accept_source_route = 0
|
||||
#net.ipv6.conf.all.accept_source_route = 0
|
||||
#
|
||||
# Log Martian Packets
|
||||
#net.ipv4.conf.all.log_martians = 1
|
||||
#
|
||||
|
||||
# CIS Benchmark Adjustments
|
||||
# See: https://github.com/alanorth/securekickstarts
|
||||
kernel.randomize_va_space = 2
|
||||
net.ipv4.ip_forward = 0
|
||||
net.ipv4.conf.all.send_redirects = 0
|
||||
net.ipv4.conf.default.send_redirects = 0
|
||||
net.ipv4.conf.all.accept_source_route = 0
|
||||
net.ipv4.conf.default.accept_source_route = 0
|
||||
net.ipv4.conf.all.accept_redirects = 0
|
||||
net.ipv4.conf.default.accept_redirects = 0
|
||||
net.ipv4.conf.all.secure_redirects = 0
|
||||
net.ipv4.conf.default.secure_redirects = 0
|
||||
net.ipv4.conf.all.log_martians = 1
|
||||
net.ipv4.conf.default.log_martians = 1
|
||||
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||
net.ipv4.conf.all.rp_filter = 1
|
||||
net.ipv4.conf.default.rp_filter = 1
|
||||
net.ipv4.tcp_syncookies = 1
|
||||
|
||||
# TCP stuff
|
||||
# See: http://fasterdata.es.net/host-tuning/linux/
|
||||
# increase TCP max buffer size settable using setsockopt()
|
||||
net.core.rmem_max = 16777216
|
||||
net.core.wmem_max = 16777216
|
||||
# increase Linux autotuning TCP buffer limit
|
||||
net.ipv4.tcp_rmem = 4096 87380 16777216
|
||||
net.ipv4.tcp_wmem = 4096 65536 16777216
|
||||
# increase the length of the processor input queue
|
||||
net.core.netdev_max_backlog = 30000
|
||||
{# kernels after 2.6.32 don't have buggy cubic #}
|
||||
{% if ansible_kernel < "2.6.33" %}
|
||||
# recommended default congestion control is htcp
|
||||
net.ipv4.tcp_congestion_control=htcp
|
||||
{% endif %}
|
||||
# recommended for hosts with jumbo frames enabled
|
||||
#net.ipv4.tcp_mtu_probing=1
|
||||
|
||||
{# disable iptables on bridge interfaces on VM hosts #}
|
||||
{% if ansible_virtualization_role == "host" %}
|
||||
net.bridge.bridge-nf-call-ip6tables = 0
|
||||
net.bridge.bridge-nf-call-iptables = 0
|
||||
net.bridge.bridge-nf-call-arptables = 0
|
||||
{% endif %}
|
||||
|
||||
{% if 'web' in group_names %}
|
||||
# increase quadruplets (src ip, src port, dest ip, dest port)
|
||||
# see: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html
|
||||
net.ipv4.ip_local_port_range = 10240 65535
|
||||
# recommended for web servers, especially if running SPDY
|
||||
# see: http://www.chromium.org/spdy/spdy-best-practices
|
||||
net.ipv4.tcp_slow_start_after_idle = 0
|
||||
{% endif %}
|
||||
Loading…
Reference in New Issue