Linux Kernel /etc/sysctl.conf Security Hardening

Date: 2020-01-09 10:41:41  Source: igfitidea

How do I set advanced security options for the TCP/IP stack and virtual memory to improve the security and performance of a Linux-based system?
How do I use /etc/sysctl.conf to configure the Linux kernel so that it resists certain kinds of attacks?
How do I set Linux kernel parameters?

sysctl is the interface that lets you change parameters of the running Linux kernel.
Using /etc/sysctl.conf you can configure a variety of Linux networking and system settings, for example:

  • Restricting IPv4 network transmission settings
  • Restricting IPv6 network transmission settings
  • Turning on ExecShield protection (only on older Red Hat kernels that ship it; mainline kernels rely on NX and ASLR instead)
  • Preventing common SYN flood attacks
  • Turning on source IP address validation (reverse path filtering)
  • Preventing attackers from spoofing the server's IP address
  • Logging several kinds of suspicious packets, such as spoofed packets, source-routed packets and redirects

Hardening the Linux kernel with /etc/sysctl.conf and sysctl

The sysctl command is used to modify kernel parameters at runtime.

/etc/sysctl.conf is a text file containing sysctl values that sysctl reads and applies at boot time.
To view the current values, run:

# sysctl -a
# sysctl -A                                   (same as -a)
# sysctl net.ipv4.conf.all.rp_filter          (a single parameter; add -n to print only its value)
# sysctl -a --pattern 'net.ipv4.conf.(eth|wlan)0.arp'

To load the settings, run:

# sysctl -p

Note that sysctl -p reads only /etc/sysctl.conf. To apply the drop-in files under /etc/sysctl.d/ as well (which is what systemd does at boot), run sysctl --system; it also prints an error for every key the running kernel does not know, which is a quick way to catch settings that do not exist on your kernel.

Sample /etc/sysctl.conf for hardening a Linux server

Edit /etc/sysctl.conf or /etc/sysctl.d/99-custom.conf and update it as follows.
The file is commented.
However, I recommend also reading the official Linux kernel sysctl documentation (Documentation/networking/ip-sysctl.rst and Documentation/admin-guide/sysctl/ in the kernel source tree) before applying it:

# The following is suitable for a dedicated web server, mail server, ftp server, etc.
# --------------------------------------
# BOOLEAN Values:
# a) 0 (zero) - disabled / no / false
# b) Non zero - enabled / yes / true
# -------------------------------------
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
 
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
 
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
 
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
 
# Controls the use of TCP syncookies
# Turn on SYN-flood protections
net.ipv4.tcp_syncookies = 1
# How many times a SYN-ACK is retransmitted for a half-open connection.
# 5 is the kernel default; 2 or 3 frees backlog slots sooner under a flood
net.ipv4.tcp_synack_retries = 5
 
########## IPv4 networking start ##############
# Send redirects, if router, but this is just server
# So no routing allowed 
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
 
# Accept packets with SRR option? No
net.ipv4.conf.all.accept_source_route = 0
 
# Accept Redirects? No, this is not router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
 
# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
 
# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1
 
# Enable source validation by reversed path, as specified in RFC1812
# 1 = strict mode (drop if the reply would leave by a different interface);
# use 2 (loose mode) on multi-homed hosts with asymmetric routing
net.ipv4.conf.all.rp_filter = 1
 
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
 
########## IPv6 networking start ##############
# Number of Router Solicitations to send before assuming no routers are present.
# This is a host, not a router
net.ipv6.conf.default.router_solicitations = 0
 
# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0
 
# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0
 
# Learn the default router from Router Advertisements? No, this host uses
# static routing (the Hop Limit field in RAs is governed by accept_ra, not by this key)
net.ipv6.conf.default.accept_ra_defrtr = 0
 
#router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0
 
# How many neighbor solicitations to send per address for Duplicate Address
# Detection (DAD)? 0 disables DAD entirely, so a duplicate address on the link
# would go unnoticed; keep the kernel default of 1 unless you know why you need this
net.ipv6.conf.default.dad_transmits = 0
 
# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1
 
########## IPv6 networking ends ##############
 
# Enable ExecShield protection. kernel.exec-shield exists only on old
# Red Hat/CentOS kernels; mainline kernels have no such key and sysctl will
# report it as unknown, so leave it commented out unless your kernel provides it
# Set value to 1 or 2 (recommended)
#kernel.exec-shield = 2
# ASLR is enabled further down with kernel.randomize_va_space=2
#kernel.randomize_va_space=2
 
# TCP and memory optimization 
# increase TCP max buffer size setable using setsockopt()
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608
 
# increase Linux auto tuning TCP buffer limits
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1
 
# Increase the system-wide file descriptor limit. Check the current value
# first (sysctl fs.file-max): modern kernels size it from RAM and it is
# usually already far above 65535, in which case this line would lower it
fs.file-max = 65535
 
# Allow for more PIDs. 64-bit kernels accept up to 4194304 and recent systemd
# versions ship a sysctl.d drop-in raising pid_max to that value, so never set
# it below the current value
kernel.pid_max = 65536
 
#Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
 
# RFC 1337 fix: ignore RST segments received in TIME-WAIT state
# (protects against TIME-WAIT assassination)
net.ipv4.tcp_rfc1337=1

Reboot the machine 10 seconds after a kernel panic (an availability setting rather than a hardening one, but it keeps a panicked server from sitting idle)

kernel.panic=10

Randomize the addresses of the mmap base, heap, stack and VDSO page (full ASLR)

kernel.randomize_va_space=2

Ignore bogus ICMP error responses (avoids filling the kernel log when broken routers send malformed ICMP errors)

net.ipv4.icmp_ignore_bogus_error_responses=1

Prevent creating or following links under certain conditions: hardlinks may only be created to files the user owns or has read and write access to, and symlinks in world-writable sticky directories (such as /tmp) are only followed when the follower or the directory owner matches the symlink's owner. This blocks the classic /tmp symlink and hardlink races.

fs.protected_hardlinks=1
fs.protected_symlinks=1
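The settings above only help if they are actually in effect, and a sysctl -p run silently leaves a key unchanged when a later drop-in, a container runtime or a missing kernel feature overrides it. The following shell script is an added example, not code from the original article: it parses a sysctl.conf-style file (comments, blank lines, "key = value" with arbitrary whitespace) and compares every key with the running kernel by reading /proc/sys, reporting OK, DRIFT (value differs) or MISSING (the kernel has no such key, as with kernel.exec-shield on a mainline kernel). It assumes keys map to /proc/sys by replacing "." with "/", so keys that contain a "/" (interface names with dots) are not handled; the demo fragment is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a sysctl hardening file against the running kernel.
# Assumption: a key maps to /proc/sys by replacing '.' with '/'; keys that
# themselves contain '/' (interface names with dots) are not handled.

# read_live KEY -> prints the live value of KEY, or "<unset>" when the kernel
# has no such parameter (e.g. kernel.exec-shield on a mainline kernel).
read_live() {
    path="/proc/sys/$(printf '%s' "$1" | tr '.' '/')"
    [ -f "$path" ] && cat "$path" 2>/dev/null || printf '<unset>\n'
}

# audit_file FILE -> one line per setting: STATUS key want=[..] have=[..]
# STATUS is OK, DRIFT (value differs) or MISSING (kernel lacks the key).
# Returns 0 when every key matches, 1 otherwise.
audit_file() {
    # strip comments and blank lines, then read "key = value" pairs
    sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' "$1" | (
        rc=0
        while IFS= read -r line; do
            case "$line" in *=*) ;; *) continue ;; esac
            key=$(printf '%s\n' "${line%%=*}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
            # collapse internal whitespace so multi-value keys (tcp_rmem) compare cleanly
            want=$(printf '%s\n' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | tr -s '\t ' ' ')
            have=$(read_live "$key" | tr -s '\t ' ' ' | sed 's/[[:space:]]*$//')
            if [ "$have" = '<unset>' ]; then
                status=MISSING; rc=1
            elif [ "$have" = "$want" ]; then
                status=OK
            else
                status=DRIFT; rc=1
            fi
            printf '%s %s want=[%s] have=[%s]\n' "$status" "$key" "$want" "$have"
        done
        exit $rc
    )
}

# Usage: sh sysctl_audit.sh /etc/sysctl.d/99-custom.conf [more files...]
# With no arguments, audit a small constructed fragment as a demonstration.
if [ $# -gt 0 ]; then
    for f in "$@"; do audit_file "$f"; done
else
    demo_file=$(mktemp)
    cat > "$demo_file" <<'EOF'
# constructed fragment for the demo (same keys as the hardening file above)
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
kernel.randomize_va_space = 2
kernel.exec-shield = 2
EOF
    audit_file "$demo_file" || true
    rm -f "$demo_file"
fi
```

Run it against the file you installed, for example sh sysctl_audit.sh /etc/sysctl.d/99-custom.conf; a non-zero exit status makes it usable as a post-boot check from cron or a configuration-management handler, and DRIFT lines on a freshly booted host usually mean another drop-in under /etc/sysctl.d or /usr/lib/sysctl.d is overriding the setting (later files win, which is why the hardening file is named 99-custom.conf).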