sysctl.conf DDoS Firewall

Here is a detailed sysctl.conf configuration that contains a basic firewall configuration and provides protective measures against DDoS attacks. This configuration tunes various network parameters to increase both system stability and the protection against common types of attack.

# ----------- Kernel Networking Tunings for Security and DDoS Protection -----------
# sysctl(8) processes this file top to bottom and the last value given for a key wins,
# so every key is set exactly once below.

# Strict reverse path filtering (source address verification against IP spoofing)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable IP source routing (a sender could otherwise dictate the path packets take)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Do not accept ICMP redirects (mitigates MITM route manipulation)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Do not accept redirects even from listed default gateways
# (only matters if accept_redirects were ever turned back on)
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Do not send ICMP redirects (a host is not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Disable IP forwarding (leave this out on a router or a container host that needs it)
net.ipv4.ip_forward = 0

# Ignore IPv6 router advertisements (rogue-RA protection); this also disables SLAAC,
# so keep RA enabled on hosts that rely on IPv6 autoconfiguration
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0

# Log martian packets (impossible source or destination addresses) to the kernel log
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Ignore ICMP echo requests sent to broadcast addresses (Smurf amplification protection)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Keep answering unicast pings (0); set to 1 only if the host must not answer echo requests at all
net.ipv4.icmp_echo_ignore_all = 0

# Rate-limit outgoing ICMP of the types selected in icmp_ratemask to one per 100 ms
# (mitigates ICMP error floods and reflection). 88089 = 0x15819 selects echo reply,
# destination unreachable, source quench, time exceeded, parameter problem,
# timestamp reply and information reply.
net.ipv4.icmp_ratelimit = 100
net.ipv4.icmp_ratemask = 88089

# SYN flood mitigation: SYN cookies once the SYN backlog overflows, an explicit backlog size,
# and fewer retransmits so half-open entries expire sooner
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_syn_retries = 3
net.ipv4.tcp_synack_retries = 3

# Send a RST instead of silently dropping when the accept queue of a listening socket is full.
# This makes overload visible, but legitimate clients then see connection resets under load.
net.ipv4.tcp_abort_on_overflow = 1

# Cap the number of orphaned sockets (closed by the application but not yet fully torn down)
# system-wide; beyond the cap they are reset at once. This is not a per-IP connection limit.
net.ipv4.tcp_max_orphans = 65536

# Shorten FIN_WAIT2 for orphaned sockets and allow TIME_WAIT sockets to be reused for new
# outgoing connections (resource exhaustion under many short-lived connections).
# tcp_tw_reuse requires tcp_timestamps.
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_tw_reuse = 1
# net.ipv4.tcp_tw_recycle is deliberately left out: it was removed in Linux 4.12 and,
# on older kernels, it broke clients behind NAT. sysctl -p fails on unknown keys.

# TCP timestamps: needed for PAWS (protection against wrapped sequence numbers) and tcp_tw_reuse
net.ipv4.tcp_timestamps = 1

# Protect against TIME_WAIT assassination (RFC 1337): ignore RSTs for sockets in TIME_WAIT
net.ipv4.tcp_rfc1337 = 1

# Rate-limit (in ms) the duplicate ACKs sent in reply to out-of-window or otherwise invalid
# segments on existing connections (RFC 5961 challenge ACKs), which limits ACK-loop amplification
net.ipv4.tcp_invalid_ratelimit = 500

# Larger accept backlog and network device input queue to absorb connection bursts
net.core.somaxconn = 1024
net.core.netdev_max_backlog = 5000

# Widen the ephemeral port range for many outgoing connections (reserve any
# service ports inside that range via net.ipv4.ip_local_reserved_ports)
net.ipv4.ip_local_port_range = 1024 65535

# ----------- Throughput Tunings (performance, not DDoS protection) -----------

# Maximum socket receive/send buffer sizes in bytes, and TCP autotuning ranges min/default/max
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

# Window scaling for links with a high bandwidth-delay product
net.ipv4.tcp_window_scaling = 1

# Tail loss probe to recover quickly from tail packet losses (0 disables, 3 enables TLP, the kernel default;
# the old value 1 no longer enables anything on current kernels)
net.ipv4.tcp_early_retrans = 3

# TCP Fast Open for clients (1) and servers (2); 3 enables both
net.ipv4.tcp_fastopen = 3
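Because sysctl(8) applies a file top to bottom and keeps the last value of a repeated key, and because sysctl -p fails on keys the running kernel no longer exposes (tcp_tw_recycle on Linux 4.12 and later), it pays to audit a hardening file like the one above both before and after applying it. The POSIX shell script below is an added example and not part of the original post. It lints a sysctl.conf-style file for duplicate keys with conflicting values, prints the effective (last-wins) values, lists keys missing from /proc/sys, and reports drift between the file and the live kernel values. The sample file, the fake /proc/sys tree, the SYSCTL_ROOT variable and all function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit a sysctl.conf-style file.
# sysctl(8) applies a file top to bottom, so a key listed several times takes its
# LAST value; a key the running kernel lacks makes "sysctl -p" report an error;
# and a value once applied may later be changed by another tool. Keys are mapped
# to /proc/sys by turning dots into slashes (interface names with dots are not handled).

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"   # overridable so the audit can run against a fake tree

# Emit "key value" lines: comments and blank lines removed, whitespace squeezed, file order kept.
sysctl_pairs() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/ /' -e 's/[[:space:]]\{1,\}/ /g' "$1" | grep -v '^$'
}

# Keys set more than once with differing values. Prints one line per conflict,
# "key: v1 | v2 (effective: vLast)", and exits 1 when any conflict exists.
sysctl_conflicts() {
    sysctl_pairs "$1" | awk '
    {
        key = $1; sub(/^[^ ]+ ?/, ""); val = $0
        if (key in last) {
            if (val != last[key]) conflict[key] = 1
            seen[key] = seen[key] " | " val
        } else {
            order[++n] = key; seen[key] = val
        }
        last[key] = val
    }
    END {
        rc = 0
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (k in conflict) { rc = 1; printf "%s: %s (effective: %s)\n", k, seen[k], last[k] }
        }
        exit rc
    }'
}

# Last-wins view: the values the file will actually set, as "key = value" lines.
sysctl_effective() {
    sysctl_pairs "$1" | awk '
    { key = $1; sub(/^[^ ]+ ?/, ""); if (!(key in v)) order[++n] = key; v[key] = $0 }
    END { for (i = 1; i <= n; i++) printf "%s = %s\n", order[i], v[order[i]] }'
}

# Keys the running kernel does not expose ("sysctl -p" would fail on them).
sysctl_missing() {
    sysctl_effective "$1" | while read -r key _eq _val; do
        [ -e "$SYSCTL_ROOT/$(printf '%s' "$key" | tr . /)" ] || printf '%s\n' "$key"
    done
}

# Keys whose live value differs from the desired one: "key: live=X desired=Y".
sysctl_drift() {
    sysctl_effective "$1" | while read -r key _eq val; do
        path="$SYSCTL_ROOT/$(printf '%s' "$key" | tr . /)"
        [ -r "$path" ] || continue
        live=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ $//')   # /proc/sys separates values with tabs
        [ "$live" = "$val" ] || printf '%s: live=%s desired=%s\n' "$key" "$live" "$val"
    done
}

# Full report for one file.
sysctl_audit() {
    echo "== keys set more than once with different values =="; sysctl_conflicts "$1" || true
    echo "== effective values =="; sysctl_effective "$1"
    echo "== keys missing from $SYSCTL_ROOT =="; sysctl_missing "$1"
    echo "== drift between file and live kernel =="; sysctl_drift "$1"
}

# Constructed sample: a condensed file with the two mistakes discussed above
# (one key set twice with different values, one key removed from the kernel).
SAMPLE_CONF='# SYN flood settings
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_rmem = 4096   87380 16777216
# a later section silently overrides the backlog
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_recycle = 1
'

# Write the sample to a temporary file and print its path.
sample_file() {
    f=$(mktemp) && printf '%s' "$SAMPLE_CONF" > "$f" && printf '%s\n' "$f"
}

# Constructed /proc/sys look-alike (no tcp_tw_recycle, like Linux >= 4.12); prints its path.
fake_sysctl_root() {
    d=$(mktemp -d) && mkdir -p "$d/net/ipv4"
    printf '1\n' > "$d/net/ipv4/tcp_syncookies"
    printf '128\n' > "$d/net/ipv4/tcp_max_syn_backlog"
    printf '4096\t131072\t6291456\n' > "$d/net/ipv4/tcp_rmem"
    printf '%s\n' "$d"
}

# Stand-alone use: sh sysctl-audit.sh /etc/sysctl.d/99-hardening.conf
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    sysctl_audit "$1"
fi
```

Run it against the real file before `sysctl -p`, then again afterwards: an empty drift section confirms the kernel holds exactly the values the file describes, and the missing-keys section tells you which lines will make `sysctl -p` complain on the kernel at hand. Setting SYSCTL_ROOT to a copied tree lets the same checks run in CI without root.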

yours, KOAZ ..
