linux kernel tunning - sysctl.conf

sysctl.conf

# Configuration file for runtime kernel parameters.
# See sysctl.conf(5) for more information.
 
# See also http://www.nateware.com/linux-network-tuning-for-2013.html for
# references:
#
# https://config.securix.org/config/securix-conf/etc/sysctl.conf
# https://github.com/minhdanh/Linux-Kernel-Tuning-and-Hardening/blob/master/kernel_hardening_tuning.sh
# https://gist.github.com/sokratisg/98d03e20fca76d4b699f
 
# Discourage Linux from swapping idle server processes to disk (default = 60)
vm.swappiness = 10 

# Tweak how the flow of kernel messages is throttled.
kernel.printk_ratelimit_burst = 10
kernel.printk_ratelimit = 5 

# Increase number of incoming connections that can queue up
# before dropping
net.core.somaxconn = 5000
 
# Handle SYN floods and large numbers of valid HTTPS connections
net.ipv4.tcp_max_syn_backlog = 3000

# Increase system file descriptor limit so we will (probably)
# never run out under lots of concurrent requests.
# (Per-process limit is set in /etc/security/limits.conf)
fs.file-max = 10000 

# Widen the port range used for outgoing connections
net.ipv4.ip_local_port_range = 10000 65000
 
# If your servers talk UDP, also up these limits
net.ipv4.udp_rmem_min = 8192
net.ipv4.udp_wmem_min = 8192 

#security related settings

# Disable source routing and redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
 
# Disable packet forwarding.
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# Disable TCP slow start on idle connections
net.ipv4.tcp_slow_start_after_idle = 0 



# Increase Linux autotuning TCP buffer limits
# Set max to 16MB for 1GE and 32M (33554432) or 54M (56623104) for 10GE
# Don't set tcp_mem itself. Let the kernel scale it based on RAM.
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.rmem_default = 16777216
net.core.wmem_default = 16777216
net.core.optmem_max = 40960
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216  
net.core.netdev_max_backlog = 250000

# ------------------------
# Handle many connections
# ------------------------- 
# Disconnect dead TCP connections after 1 minute
net.ipv4.tcp_keepalive_time = 60

net.ipv4.tcp_sack = 0
net.ipv4.tcp_dsack = 0

# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0

# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1 
 
# Wait a maximum of 5 * 2 = 10 seconds in the TIME_WAIT state after a FIN, to handle
# any remaining packets in the network.
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 5
 
# Allow a high number of timewait sockets
net.ipv4.tcp_max_tw_buckets = 2000000
 
# Timeout broken connections faster (amount of time to wait for FIN)
net.ipv4.tcp_fin_timeout = 10 

# Let the networking stack reuse TIME_WAIT connections when it thinks it's safe to do so
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle=1
 
# Determines the wait time between isAlive interval probes (reduce from 75 sec to 15)
net.ipv4.tcp_keepalive_intvl = 15
 
# Determines the number of probes before timing out (reduce from 9 sec to 5 sec)
net.ipv4.tcp_keepalive_probes = 5

# By default, TCP saves various connection metrics in the route cache when the connection closes, so that connections established in the near future can use these to set initial conditions. Usually, this increases overall performance, but may sometimes cause performance degradation. If set, TCP will not cache metrics on closing connections.
net.ipv4.tcp_no_metrics_save = 1

# How many times to retry before killing an alive TCP connection
net.ipv4.tcp_retries2 = 5

# Sometimes, packet reordering in a network can be interpreted as packet loss and hence increasing the value of this parameter should improve performance (default is “3″)
net.ipv4.tcp_reordering = 15

# congestion control
net.ipv4.tcp_congestion_control = cubic
net.ipv4.tcp_available_congestion_control = cubic reno
net.ipv4.tcp_allowed_congestion_control = cubic reno

# ------------------------
# security related settings
# -------------------------

# Turn on execshield
# 0 completely disables ExecShield and Address Space Layout Randomization
# 1 enables them ONLY if the application bits for these protections are set to “enable”
# 2 enables them by default, except if the application bits are set to “disable”
# 3 enables them always, whatever the application bits

kernel.exec-shield = 2
kernel.randomize_va_space = 2 


# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Protection from SYN flood attack.
net.ipv4.tcp_syncookies = 1

# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1 

# tune IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1