In this article I have tried to explain which sysctl parameters you can start working with. I tried all of these settings on Ubuntu 10 and OpenSuse 11.3 systems.
Whichever distro you are using, use them at your own risk. Do not apply them to a production server without checking them in a testing environment first.
You need to be root to apply any sysctl settings.
To implement the following settings, open /etc/sysctl.conf with your favorite text editor and paste them in.
Then, after saving and closing the file, run the following command:
# sysctl -p
With this command the settings take effect immediately in the running system; any line the kernel rejects (for example a key that does not exist on your system) is reported as an error.
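Before running sysctl -p it helps to lint the file, because sysctl applies the last value when a key appears more than once (as fs.file-max does in the file below) and reports an error for keys the running kernel does not expose (such as net.ipv4.conf.eth0.* on a host whose interface has another name). The following POSIX shell script is an added example, not part of the original post: the function names parse_sysctl_conf, find_duplicate_keys, sysctl_key_to_path and find_missing_keys and the constructed sample file are my own, and the script only reads the directory you pass it, never writing to /proc/sys.

```shell
#!/bin/sh
# Lint a sysctl.conf-style file before applying it with `sysctl -p`.
# Added example, not from the original post: the function names and the sample
# data below are constructed for illustration. Needs only POSIX sh, awk, tr, sort.

# Print "key value" pairs, skipping blank lines and full-line comments.
# sysctl.conf accepts "key = value" and "key=value"; lines starting with '#' or ';'
# are comments. The value may contain spaces (e.g. kernel.sem = 250 32000 100 128).
parse_sysctl_conf() {
    awk '
        /^[ \t]*$/          { next }           # blank line
        /^[ \t]*[#;]/       { next }           # comment line
        index($0, "=") == 0 { next }           # not a key = value line
        {
            pos = index($0, "=")
            key = substr($0, 1, pos - 1)
            val = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)   # trim both ends
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key != "") print key, val
        }' "$1"
}

# Keys defined more than once. sysctl applies the LAST occurrence in the file,
# so an earlier value is silently overridden; fix the file so each key appears once.
find_duplicate_keys() {
    parse_sysctl_conf "$1" | awk '{ n[$1]++ } END { for (k in n) if (n[k] > 1) print k }' | sort
}

# Map a key to its file under the sysctl tree rooted at $2 (default /proc/sys).
# Dotted keys become a path; a key written with slashes is used as-is, which is how
# sysctl addresses interface names that themselves contain dots (e.g. a VLAN eth0.100).
sysctl_key_to_path() {
    case "$1" in
        */*) rel=$1 ;;
        *)   rel=$(printf '%s' "$1" | tr . /) ;;
    esac
    printf '%s/%s\n' "${2:-/proc/sys}" "$rel"
}

# Keys in the file that the kernel tree under $2 does not expose. `sysctl -p`
# prints an error for each of these; typical causes are an interface-specific key
# for an interface that does not exist, or a key removed in a newer kernel.
find_missing_keys() {
    parse_sysctl_conf "$1" | while read -r key rest; do
        [ -e "$(sysctl_key_to_path "$key" "$2")" ] || echo "$key"
    done
}

# --- demonstration on constructed data (a temporary file and a fake /proc/sys) ---
demo=$(mktemp -d)
cat > "$demo/sysctl.conf" <<'EOF'
# constructed sample, not a real host configuration
fs.file-max = 100000
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.eth0.rp_filter = 1
; a later duplicate: this is the value sysctl will actually apply
fs.file-max = 65536
EOF
mkdir -p "$demo/sys/fs" "$demo/sys/net/ipv4/conf/all"
: > "$demo/sys/fs/file-max"
: > "$demo/sys/net/ipv4/tcp_syncookies"
: > "$demo/sys/net/ipv4/conf/all/rp_filter"    # note: no eth0 directory in the fake tree

echo "duplicate keys (last value wins):"; find_duplicate_keys "$demo/sysctl.conf"
echo "keys the kernel tree does not have:"; find_missing_keys "$demo/sysctl.conf" "$demo/sys"
rm -rf "$demo"
```

To check a real file against the running kernel, call find_duplicate_keys /etc/sysctl.conf and find_missing_keys /etc/sysctl.conf (the second argument defaults to /proc/sys); both only read.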
-------------------------------------start of sysctl.conf-------------------------------------
#-------------
# Performance |
#-------------
# Increase the maximum number of open files (the system-wide file descriptor limit).
# Note: fs.file-max is set again twice further down; sysctl applies the last value in
# the file (65000), so keep only the one line you actually want.
fs.file-max = 100000
# If you have 512MB RAM or more
kernel.sem = 250 32000 100 128
kernel.shmall = 2097152
kernel.shmmax = 2147483648
kernel.shmmni = 4096
# Duplicate of fs.file-max above; only the last occurrence in this file takes effect
fs.file-max = 65536
vm.swappiness = 0
vm.vfs_cache_pressure = 50
# Controls whether core dumps will append the PID to the core filename. Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Modify system limits for Ensim WEBppliance (this fs.file-max overrides the two values above)
fs.file-max = 65000
# Set the maximum size of a single shared memory segment to 1024MB (this overrides the
# 2GB kernel.shmmax value above; keep whichever limit your applications need)
kernel.shmmax = 1073741824
# If you are feeling daring, you can also use the settings below; otherwise just remove them.
# (They should increase performance.) tcp_tw_recycle and tcp_tw_reuse are set again in the
# Network section, where their caveats are described.
net.core.netdev_max_backlog = 2500
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
#---------
# Network |
#---------
# Enable TCP window scaling (1 = on, 0 = off)
net.ipv4.tcp_window_scaling = 1
# Disables packet forwarding
net.ipv4.ip_forward = 0
# tcp_fin_timeout: how many seconds an orphaned connection (one the application has already
# closed) may stay in the FIN_WAIT_2 state waiting for the peer's FIN before the kernel drops
# it. During that time the socket still holds resources; lowering the value releases them
# faster so they are available for new connections. Reduce it when many connections sit in
# FIN_WAIT_2/TIME_WAIT. (The TIME_WAIT period itself is fixed in the kernel at 60 seconds and
# is not changed by this setting.) Decrease the default value (60):
net.ipv4.tcp_fin_timeout = 20
# Interval in seconds between successive keep-alive probes once probing has started:
net.ipv4.tcp_keepalive_intvl = 30
# Number of keep-alive probes sent without a reply before the connection is considered broken:
net.ipv4.tcp_keepalive_probes = 5
# Enables fast recycling of TIME_WAIT sockets. The default value is 0 (disabled); the sysctl
# documentation incorrectly states the default as enabled. It can be changed to 1 (enabled) in
# many cases. Known to cause some issues with hoststated (load balancing and failover) if
# enabled, so use with caution. Caveat: because it validates TCP timestamps per peer address,
# it also drops connections from clients behind a shared NAT, and the option was removed from
# the kernel in Linux 4.12 (sysctl -p then reports it as an unknown key), so leave it out on
# current systems.
net.ipv4.tcp_tw_recycle = 1
# Allows reusing sockets in the TIME_WAIT state for new outgoing connections when it is safe
# from the protocol viewpoint. Default value is 0 (disabled). It is generally a safer
# alternative to tcp_tw_recycle (it requires TCP timestamps, enabled further down).
net.ipv4.tcp_tw_reuse = 1
# Note: tcp_tw_reuse is particularly useful where numerous short connections are opened and
# left in TIME_WAIT, such as on web servers. Reusing the sockets can reduce server load considerably.
# tcp_keepalive_time: seconds of connection inactivity after which the first keep-alive
# probe is sent. Decrease the kernel default (7200):
net.ipv4.tcp_keepalive_time = 3600
# Increasing the TCP send buffers improves performance a lot if (and only if) you send many
# large files. tcp_wmem lists min, default and max bytes per socket; net.core.wmem_max caps
# what an application may request with SO_SNDBUF.
net.ipv4.tcp_wmem = 4096 65536 524288
net.core.wmem_max = 1048576
net.core.wmem_default = 1048576
# If you receive a lot of large file uploads, increasing the receive buffers will help
# (tcp_rmem: min, default, max; net.core.rmem_max caps SO_RCVBUF).
net.ipv4.tcp_rmem = 4096 87380 524288
net.core.rmem_max = 1048576
net.core.rmem_default = 1048576
# Turn off TCP selective acknowledgements (SACK)
net.ipv4.tcp_sack = 0
# tcp_fack should be on when SACK is in use; it builds on SACK information, so with
# tcp_sack = 0 above this line has no effect
net.ipv4.tcp_fack = 1
# Turn on TCP timestamps (1 = on, 0 = off); tcp_tw_reuse above depends on them
net.ipv4.tcp_timestamps = 1
# Raise the maximum number of TIME_WAIT sockets held at once from 180000 to 360000 (above
# this limit the kernel destroys them immediately and logs a "time wait bucket table overflow" warning)
net.ipv4.tcp_max_tw_buckets = 360000
# Allowed local port range (raise the system's ephemeral port limit). If your Linux server
# opens lots of outgoing network connections, you need to increase the local port range; the
# default range is small. A squid proxy server, for example, can come under fire if it runs
# out of ports. Valid port numbers end at 65535 (65536 is not a valid port and the kernel
# rejects it).
net.ipv4.ip_local_port_range = 1024 65535
# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
# Increase the maximum amount of option memory buffers
net.core.optmem_max = 57344
#----------
# Security |
#----------
# Protection against SYN flood attacks: send SYN cookies when the SYN backlog overflows,
# enlarge the backlog of half-open connections and retransmit the SYN-ACK only twice
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
# Spoof protection (reverse-path filter): turn on source address verification on all
# interfaces so that packets whose source address is not reachable back through the interface
# they arrived on are dropped. 1 is strict mode; hosts with asymmetric routing may need loose
# mode (2) instead. The eth0 line only works if an interface named eth0 exists, otherwise
# sysctl -p reports an error for it (the "all" entry applies to every interface anyway, as
# the kernel uses the higher of the all and per-interface values).
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log spoofed packets, source-routed packets and redirect packets: packets with impossible
# (martian) source addresses are reported in the kernel log. The eth0 line needs an interface
# of that name.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
# Send ICMP redirects: a server (host) should not, so set it to 0; set it to 1 only on a router
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Disable IP source routing (do not accept packets carrying the SRR option). Set it to 1 only on a router that needs it.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Do not accept ICMP redirects (they can be abused to reroute this host's traffic through an
# attacker's machine, i.e. a MITM attack): for a server set it to 0, for a router 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# or
# Accept ICMP redirects only for gateways listed in our default gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
# Enable bad error message protection: ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP ECHO and TIMESTAMP requests sent to broadcast/multicast addresses (keeps the
# host from being used as an amplifier in smurf-style attacks)
net.ipv4.icmp_echo_ignore_broadcasts = 1
-------------------------------------end of sysctl.conf-------------------------------------
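To verify that the Security section above actually took effect (after a reboot, or on a host where a later line or another configuration file overrode a value), compare the live values the kernel reports under /proc/sys with the values listed there. The following POSIX shell script is an added example, not from the original post: SECURITY_BASELINE, read_sysctl, audit_sysctl_baseline, count_findings and build_demo_tree are names I chose, the lo and eth0 entries are left out because interface names vary between hosts, and the demonstration runs against a constructed temporary tree rather than the real /proc/sys (pass no argument, or /proc/sys, to audit the host).

```shell
#!/bin/sh
# Audit the hardening values from the Security section against what the kernel
# currently reports. Added example, not from the original post; function names and
# the demonstration tree are constructed. Reads /proc/sys by default (read-only).

# Expected values, one "key value" per line, taken from the Security section above.
# Per-interface keys (lo, eth0) are left out because interface names differ per host.
SECURITY_BASELINE='
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv6.conf.all.accept_redirects 0
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.icmp_echo_ignore_broadcasts 1
'

# Print the live value of key $1 from the tree rooted at $2 (default /proc/sys).
# Multi-value keys are tab-separated in /proc; normalise to spaces as sysctl.conf
# writes them. Returns 1 and prints nothing if the key does not exist.
read_sysctl() {
    f="${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    [ -r "$f" ] || return 1
    tr -s '\t' ' ' < "$f"
}

# One line per baseline entry: "OK key value", "DRIFT key expected=E actual=A",
# or "MISSING key" when the running kernel has no such setting.
audit_sysctl_baseline() {
    root=${1:-/proc/sys}
    printf '%s\n' "$SECURITY_BASELINE" | while read -r key expected; do
        [ -n "$key" ] || continue
        if actual=$(read_sysctl "$key" "$root"); then
            if [ "$actual" = "$expected" ]; then
                echo "OK $key $actual"
            else
                echo "DRIFT $key expected=$expected actual=$actual"
            fi
        else
            echo "MISSING $key"
        fi
    done
}

# Number of DRIFT and MISSING lines; 0 means the host matches the baseline.
count_findings() {
    audit_sysctl_baseline "$1" | awk '!/^OK / { n++ } END { print n + 0 }'
}

# Build a constructed /proc/sys-like tree under $1 that matches the baseline except
# for one drifted value and one absent key, so the audit has something to report.
build_demo_tree() {
    printf '%s\n' "$SECURITY_BASELINE" | while read -r key expected; do
        [ -n "$key" ] || continue
        f="$1/$(printf '%s' "$key" | tr . /)"
        mkdir -p "$(dirname "$f")" && echo "$expected" > "$f"
    done
    echo 0 > "$1/net/ipv4/conf/all/rp_filter"          # drift: reverse-path filter off
    rm -f "$1/net/ipv6/conf/all/accept_redirects"       # missing: kernel without IPv6
}

# --- demonstration on the constructed tree (use no argument to audit the real host) ---
demo=$(mktemp -d)
build_demo_tree "$demo"
audit_sysctl_baseline "$demo"
echo "findings: $(count_findings "$demo")"
rm -rf "$demo"
```

On a real host, audit_sysctl_baseline with no argument lists every baseline key as OK, DRIFT or MISSING; a non-zero count_findings is the signal to look at which file or later line set the value differently.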