[FUG-BR] Recomendacoes Tuning/Security FreeBSD

Fabricio Lima listas em fabriciolima.com.br
Terça Agosto 1 16:24:36 BRT 2006


Essa vai dedicada ao Cristopher... :)

/etc/rc.conf

# /etc/rc.conf excerpt (sourced by /bin/sh at boot): network hardening,
# TCP tuning, filesystem housekeeping and kernel securelevel.

# --- Network interface ---
# Autonegotiation is turned off and 100 Mbit/s full duplex is forced; the
# switch port must be configured the same way or a duplex mismatch results.
ifconfig_lan0="inet x.x.x.x/24 media 100baseTX mediaopt full-duplex"

# --- Network stack hardening ---
# Log connection attempts to closed ports. On an exposed host a port scan
# can fill the logs quickly; keep an eye on log rotation.
log_in_vain="1"
# Do not answer ICMP echo requests sent to broadcast/multicast addresses
# (keeps the host from acting as a smurf amplifier).
icmp_bmcastecho="NO"
# Ignore ICMP redirects, which could otherwise rewrite the routing table.
icmp_drop_redirect="YES"
# Drop TCP segments with both SYN and FIN set (OS fingerprinting probes);
# needs the TCP_DROP_SYNFIN kernel option shown in the kernel config below.
tcp_drop_synfin="YES"
tcp_keepalive="YES"
# RFC 1323 - TCP Extensions for High Performance (window scaling, timestamps)
tcp_extensions="YES"

# --- Filesystems and housekeeping ---
# fsck answers "yes" to everything on an unclean boot: convenient on an
# unattended server, but it may discard data without asking.
fsck_y_enable="YES"
check_quotas="NO"
clear_tmp_enable="YES"
virecover_enable="NO"
update_motd="NO"

# --- Kernel securelevel ---
# Level 1: immutable/append-only file flags cannot be cleared, kernel
# modules cannot be loaded or unloaded, and raw writes to mounted disks are
# refused. Anything that must be loaded (e.g. via /boot/loader.conf) has to
# happen before rc raises the level.
kern_securelevel_enable="YES"
kern_securelevel="1"

/etc/sysctl.conf

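# /etc/sysctl.conf excerpt - applied by /etc/rc.d/sysctl at boot.
# One setting per line; comments are kept on their own lines so the value
# field never carries trailing text.

# --- Information hiding / hardening ---
# Unprivileged users cannot see processes owned by other uids.
security.bsd.see_other_uids=0
# Drop packets that arrive on an interface other than the one owning the
# destination address (defeats some IP spoofing).
net.inet.ip.check_interface=1
# Randomise the IP ID field so the host cannot serve as an idle-scan zombie
# and packet rates cannot be inferred from a sequential counter.
net.inet.ip.random_id=1
# Ignore IP options (source routing, record route, ...).
net.inet.ip.process_options=0
# Do not answer ICMP address-mask requests.
net.inet.icmp.maskrepl=0
# Silently drop segments to closed TCP ports instead of replying with RST
# (2 = SYN and all other segments). This affects TCP only; ICMP echo
# (ping) is not touched by it.
net.inet.tcp.blackhole=2
# Silently drop datagrams to closed UDP ports (no ICMP port unreachable),
# which also hides the host from UDP-based traceroute.
net.inet.udp.blackhole=1

# --- TCP/UDP tuning ---
# RFC 3042 - Enhancing TCP's Loss Recovery Using Limited Transmit
net.inet.tcp.rfc3042=1
# RFC 3390 - Increasing TCP's Initial Window
net.inet.tcp.rfc3390=1
net.inet.tcp.sack.enable=1
net.inet.tcp.delayed_ack=0
# Keepalive timers are in milliseconds: first probe after 5 minutes idle.
net.inet.tcp.keepidle=300000
# NOTE(review): 150 ms between keepalive probes is extremely aggressive
# (the stock value is 75000); confirm this was not meant to be 150000.
net.inet.tcp.keepintvl=150
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535
net.inet.udp.recvspace=65535
net.inet.udp.maxdgram=57344
net.local.stream.recvspace=65535
net.local.stream.sendspace=65535
# Only meaningful when the host forwards packets (router/firewall role).
net.inet.ip.fastforwarding=1

# --- Kernel ---
# ELF brand 3 is the Linux OS ABI: unbranded binaries run under the Linux
# emulation layer instead of being rejected.
kern.fallback_elf_brand=3
# Interface polling instead of interrupts (needs DEVICE_POLLING in the
# kernel). NOTE(review): this sysctl was removed in later releases, where
# polling is switched on per interface with "ifconfig <if> polling";
# check that it still exists on the target version.
kern.polling.enable=1
# Lock SysV shared memory into RAM so it is never paged out to swap.
kern.ipc.shm_use_phys=1
# Socket buffer ceiling for new connections (bytes).
kern.ipc.maxsockbuf=2097152
# Listen backlog limit.
kern.ipc.somaxconn=8192
kern.maxfiles=65536
kern.maxfilesperproc=32768
vfs.vmiodirenable=1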

/boot/loader.conf

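# /boot/loader.conf excerpt - loader tunables. Values set here override
# the defaults compiled into the kernel.

# Seconds the loader waits before autobooting.
autoboot_delay="2"
beastie_disable="YES"
# Kernel interval timer rate; DEVICE_POLLING wants a high value.
kern.hz="1000"
# Delay (in ms) before probing SCSI buses.
kern.cam.scsi_delay="2000"
hw.ata.atapi_dma="1"
# NOTE(review): 1024 mbuf clusters is very low, and this tunable overrides
# the NMBCLUSTERS=65536 set in the kernel config below; correct one of the
# two so they agree.
kern.ipc.nmbclusters="1024"
# This key was assigned twice (1024, then 16424); the loader keeps the
# last assignment, so only that value is kept here.
kern.ipc.maxsockets="16424"
# Loaded here because kern_securelevel=1 in rc.conf forbids loading
# modules later.
netgraph_load="YES"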

/etc/make.conf

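# /etc/make.conf excerpt - read by every make(1) run, including
# buildworld and buildkernel.

# NOTE(review): the make.conf example file states that optimization
# levels other than -O and -O2 are not supported for the base system, and
# -ffast-math changes floating-point semantics; -funroll-loops and
# -ffast-math are known to break buildworld. Consider dropping both from
# CFLAGS and COPTFLAGS.
CFLAGS= -O2 -pipe -funroll-loops -ffast-math
# Kernel compile flags.
COPTFLAGS= -O2 -pipe -funroll-loops -ffast-math
# CPUTYPE was assigned twice (i686, then pentium2); make keeps the last
# assignment, so only pentium2 is kept.
CPUTYPE= pentium2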

/usr/src/sys/i386/conf/MyKernel.conf

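#
# MyKernel - FreeBSD/i386 kernel configuration excerpt: network
# hardening/tuning and SysV IPC limits only; the rest of the configuration
# (ident, devices, filesystems) is not shown here.
#
machine		i386
#cpu		I486_CPU		# 386/486 support left out on purpose
cpu		I586_CPU
cpu		I686_CPU
#options 	INET6			# IPv6 communications protocols

# Network security & tuning
# IPSTEALTH: stealth forwarding - when this host forwards packets it does
# not decrement the TTL, so it does not show up as a hop in traceroute
# (activated at run time via the net.inet.ip.stealth sysctl). IP ID
# randomisation, the defence against idle-scan style port scans, is the
# net.inet.ip.random_id sysctl, not this option.
options 	IPSTEALTH
# Drop TCP segments with SYN+FIN set; switched on by tcp_drop_synfin="YES"
# in rc.conf.
options 	TCP_DROP_SYNFIN
options 	ACCEPT_FILTER_DATA
options 	ACCEPT_FILTER_HTTP
# Maximum number of mbuf clusters. A kern.ipc.nmbclusters tunable in
# /boot/loader.conf overrides this compiled-in value.
options 	NMBCLUSTERS=65536
# Interface polling; pair it with a high HZ.
options 	DEVICE_POLLING
options 	HZ=1000

options 	SYSVMSG			# SYSV-style message queues
options 	MSGMNB=16384		# max # of bytes in a queue
options 	MSGMNI=40		# number of message queue identifiers
options 	MSGSEG=2048		# number of message segments per queue
options 	MSGSSZ=64		# size of a message segment
options 	MSGTQL=2048		# max messages in system

options 	SYSVSHM			# SYSV-style shared memory
options 	SHMMAXPGS=4096
# NOTE(review): SHMMAX is normally derived from SHMMAXPGS (pages times page
# size); giving SHMMAX explicitly makes SHMMAXPGS ineffective - confirm
# which of the two limits is intended.
options 	SHMMAX=2097152		# max shared memory segment size (bytes)
options 	SHMSEG=16		# max shared mem id's per process
options 	SHMMNI=32		# max shared mem id's per system
options 	SHMALL=4096		# max amount of shared memory (pages)

options 	SYSVSEM			# SYSV-style semaphores
options 	SEMMNI=256
options 	SEMMNS=512
options 	SEMMNU=256
options 	SEMMAP=256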


Ufa... So isso.

Fabricio Lima


