# Reboot the machine soon after a kernel panic
kernel.panic=10

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Protects against creating or following links under certain conditions
fs.protected_hardlinks=1
fs.protected_symlinks=1

#Enable ExecShield protection
#Set value to 1 or 2 (recommended) 
kernel.exec-shield = 2
kernel.randomize_va_space=2

# increase system file descriptor limit    
fs.file-max = 65535

#Allow for more PIDs 
kernel.pid_max = 65536

#Disable zone reclaim
vm.zone_reclaim_mode = 0

#Reduce swap usage
vm.swappiness = 10

###############################################
########## IPv4 networking start ##############
###############################################

# Send redirects, if router, but this is just server
# So no routing allowed 
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Accept packets with SRR option? No
net.ipv4.conf.all.accept_source_route = 0

# Accept Redirects? No, this is not router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1

#Ignore bad ICMP errors
net.ipv4.icmp_ignore_bogus_error_responses=1

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# TCP window scaling tries to avoid saturating the network adapter with
# incoming packets.
net.ipv4.tcp_window_scaling = 1

# If enabled, assume that no receipt of a window-scaling option means that the
# remote TCP is broken and treats the window as a signed quantity.  If
# disabled, assume that the remote TCP is not broken even if we do not receive
# a window scaling option from it.
net.ipv4.tcp_workaround_signed_windows = 1

# TCP SACK and FACK refer to options found in RFC 2018 and are also documented
# back to Linux Kernel 2.6.17 with an experimental "TCP-Peach" set of
# functions. These are meant to get you your data without excessive losses.
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1

# The latency setting is 1 if you prefer more packets vs bandwidth, or 0 if you
# prefer bandwidth. More packets are ideal for things like Remote Desktop and
# VOIP: less for bulk downloading.
#net.ipv4.tcp_low_latency = 0

# I found RFC 2923, which is a good review of PMTU. IPv6 uses PMTU by default
# to avoid segmenting packets at the router level, but its optional for
# IPv4. PMTU is meant to inform routers of the best packet sizes to use between
# links, but its a common admin practice to block ICMP ports that allow
# pinging, thus breaking this mechanism. Linux tries to use it, and so do I: if
# you have problems, you have a problem router, and can change the "no" setting
# to 1. "MTU probing" is also a part of this: 1 means try, and 0 means don't.
#net.ipv4.ip_no_pmtu_disc = 0
#net.ipv4.tcp_mtu_probing = 1

# FRTO is a mechanism in newer Linux kernels to optimize for wireless hosts:
# use it if you have them; delete the setting, or set to 0, if you don't.
#net.ipv4.tcp_frto = 2
#net.ipv4.tcp_frto_response = 2

# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1

#Increase system IP port limits
net.ipv4.ip_local_port_range = 15000 65000

# Disable TCP slow start on idle connections
net.ipv4.tcp_slow_start_after_idle = 0

# Enable TCP/IP SYN cookies, see http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Enable source validation by reversed path, as specified in RFC1812, which
# turn on Source Address Verification in all interfaces to prevent some
# spoofing attacks.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1 

# RFC 1337, TIME-WAIT Assassination Hazards in TCP, a fix written in 1992
# for some theoretically-possible failure modes for TCP connections. To this
# day this RFC still has people confused if it negatively impacts performance
# or not or is supported by any decent router. Murphy's Law is that the only
# router that it would even have trouble with, is most likely your own.
net.ipv4.tcp_rfc1337 = 1

###############################################
########## IPv6 networking start ##############
###############################################

# Uncomment the next line to enable packet forwarding for IPv6.  Enabling this
# option disables Stateless Address Autoconfiguration based on Router
# Advertisements for this host.
#net.ipv6.conf.all.forwarding = 0

# Number of Router Solicitations to send until assuming no routers are present.
# This is host and not router
net.ipv6.conf.default.router_solicitations = 0

# Accept packets with SRR option? No
net.ipv6.conf.all.accept_source_route = 0

# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0

# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0

# Setting controls whether the system will accept Hop Limit settings from a router advertisement
net.ipv6.conf.default.accept_ra_defrtr = 0

#router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0

#how many neighbor solicitations to send out per address?
net.ipv6.conf.default.dad_transmits = 0

# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.secure_redirects = 1

############################################
##### TCP Tuning ###########################
############################################

# Increase Linux autotuning TCP buffer limits
# Set max to 16MB for 1GE and 32M (33554432) or 54M (56623104) for 10GE
# Don't set tcp_mem itself! Let the kernel scale it based on RAM.
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.rmem_default = 16777216
net.core.wmem_default = 16777216
net.core.optmem_max = 40960
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

# Make room for more TIME_WAIT sockets due to more clients,
# and allow them to be reused if we run out of sockets
# Also increase the max packet backlog
net.ipv4.tcp_max_syn_backlog = 30000
net.ipv4.tcp_max_tw_buckets = 2000000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_fin_timeout = 10
net.core.netdev_max_backlog = 60000
net.core.netdev_budget = 60000
net.core.netdev_budget_usecs = 6000

# If your servers talk UDP, also up these limits
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192

# Change Congestion Control Algorithm to BBR
net.core.default_qdisc=fq
net.ipv4.tcp_congestion_control=bbr