Scumtron/99-sysctl.conf

## 99-sysctl.conf
# Kernel sysctl configuration file for Linux
# Version 1.11 - 2015-07-07
# Aysad Kozanoglu Aysad K.
# This file should be saved as /etc/sysctl.conf and can be activated using the command:
# sysctl -e -p /etc/sysctl.conf
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details.
#
# Tested with: Ubuntu 14.04 LTS kernel version 3.13
# Debian 7 kernel version 3.2
# CentOS 7 kernel version 3.10

#
# Intended use for dedicated server systems at high-speed networks with loads of RAM and bandwidth available
# Optimised and tuned for high-performance web/ftp/mail/dns servers with high connection-rates

# Credits:

# http://klaver.it/linux/
# http://www.enigma.id.au/linux_tuning.txt
# http://www.securityfocus.com/infocus/1729
# http://fasterdata.es.net/TCP-tuning/linux.html
# http://fedorahosted.org/ktune/browser/sysctl.ktune
# http://www.cymru.com/Documents/ip-stack-tuning.html
# http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
# http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html
# http://knol.google.com/k/linux-performance-tuning-and-measurement
# http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/
# http://www.redbooks.ibm.com/abstracts/REDP4285.html
# http://www.speedguide.net/read_articles.php?id=121
# http://lartc.org/howto/lartc.kernel.obscure.html
# http://en.wikipedia.org/wiki/Sysctl


###
### GENERAL SYSTEM SECURITY OPTIONS ###
###

# Auto-reboot linux 30 seconds after a kernel panic
kernel.panic = 30
kernel.panic_on_oops = 30

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

#Allow for more PIDs
kernel.pid_max = 65536

# The contents of /proc/<pid>/maps and smaps files are only visible to
# readers that are allowed to ptrace() the process
#kernel.maps_protect = 1

#Enable ExecShield protection
#kernel.exec-shield = 1
kernel.randomize_va_space = 2

# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536

# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65536

# Restrict core dumps
fs.suid_dumpable = 0

# Hide exposed kernel pointers
#kernel.kptr_restrict = 1


###
### IMPROVE SYSTEM MEMORY MANAGEMENT ###
###

# Increase size of file handles and inode cache
fs.file-max = 2097152

# Do less swapping
vm.swappiness = 10
vm.dirty_ratio = 40
vm.dirty_background_ratio = 2
vm.vfs_cache_pressure = 50

# specifies the minimum virtual address that a process is allowed to mmap
vm.mmap_min_addr = 4096

# No overcommitment of available memory
vm.overcommit_ratio = 0
vm.overcommit_memory = 0

# Set maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456
kernel.shmall = 268435456

# Keep at least 64MB of free RAM space available
vm.min_free_kbytes = 65536


###
### GENERAL NETWORK SECURITY OPTIONS ###
###

#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096

# Disables packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0

# Disables IP source routing
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 7

# Decrease the time default value for connections to keep alive
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15

# Don't relay bootp
net.ipv4.conf.all.bootp_relay = 0

# Don't proxy arp for anyone
net.ipv4.conf.all.proxy_arp = 0

# Turn on SACK
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1

# Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better
net.ipv4.tcp_timestamps = 1

# Don't ignore directed pings
net.ipv4.icmp_echo_ignore_all = 0

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65535

# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
net.ipv4.tcp_rfc1337 = 1


###
### TUNING NETWORK PERFORMANCE ###
###

# For high-bandwidth low-latency networks, use 'htcp' congestion control
# Do a 'modprobe tcp_htcp' first
net.ipv4.tcp_congestion_control = htcp

# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
#net.core.default_qdisc = fq

# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1

# Increase the maximum total buffer-space allocatable
# This is measured in units of pages (4096 bytes)
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144

# Increase the read-buffer space allocatable
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 131072
net.core.rmem_max = 16777216

# Increase the write-buffer-space allocatable
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 131072
net.core.wmem_max = 16777216

# Increase number of incoming connections
net.core.somaxconn = 32768

# Increase number of incoming connections backlog
net.core.netdev_max_backlog = 16384
net.core.dev_weight = 64

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 65536

# Increase the maximum number of skb-heads to be cached
#net.core.hot_list_length = 1024

# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
net.ipv4.tcp_max_tw_buckets = 1440000

# try to reuse time-wait connections, but don't recycle them (can break clients behind NAT)
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1

# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_orphan_retries = 0

# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 262144
net.ipv4.ipfrag_low_thresh = 196608

# don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1

# Increase RPC slots
#sunrpc.tcp_slot_table_entries = 32
#sunrpc.udp_slot_table_entries = 32

# Increase size of RPC datagram queue length
net.unix.max_dgram_qlen = 50

# Don't allow the arp table to become bigger than this
net.ipv4.neigh.default.gc_thresh3 = 2048

# Tell the gc when to become aggressive with arp table cleaning.
# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
net.ipv4.neigh.default.gc_thresh2 = 1024

# Adjust where the gc will leave arp table alone - set to 32.
net.ipv4.neigh.default.gc_thresh1 = 32

# Adjust to arp table gc to clean-up more often
net.ipv4.neigh.default.gc_interval = 30

# Increase TCP queue length
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6

# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_reordering = 3

# How many times to retry killing an alive TCP connection
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3

# Avoid falling back to slow start after a connection goes idle
# keeps our cwnd large with the keep alive connections (kernel > 3.6)
net.ipv4.tcp_slow_start_after_idle = 0

# Allow the TCP fastopen flag to be used, beware some firewalls do not like TFO! (kernel > 3.7)
#net.ipv4.tcp_fastopen = 3

# This will enusre that immediatly subsequent connections use the new values
net.ipv4.route.flush = 1
net.ipv6.route.flush = 1
	# Kernel sysctl configuration file for Linux
	# Version 1.11 - 2015-07-07
	# Aysad Kozanoglu Aysad K.
	# This file should be saved as /etc/sysctl.conf and can be activated using the command:
	# sysctl -e -p /etc/sysctl.conf
	#
	# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details.
	#
	# Tested with: Ubuntu 14.04 LTS kernel version 3.13
	# Debian 7 kernel version 3.2
	# CentOS 7 kernel version 3.10

	#
	# Intended use for dedicated server systems at high-speed networks with loads of RAM and bandwidth available
	# Optimised and tuned for high-performance web/ftp/mail/dns servers with high connection-rates

	# Credits:

	# http://klaver.it/linux/
	# http://www.enigma.id.au/linux_tuning.txt
	# http://www.securityfocus.com/infocus/1729
	# http://fasterdata.es.net/TCP-tuning/linux.html
	# http://fedorahosted.org/ktune/browser/sysctl.ktune
	# http://www.cymru.com/Documents/ip-stack-tuning.html
	# http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
	# http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html
	# http://knol.google.com/k/linux-performance-tuning-and-measurement
	# http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/
	# http://www.redbooks.ibm.com/abstracts/REDP4285.html
	# http://www.speedguide.net/read_articles.php?id=121
	# http://lartc.org/howto/lartc.kernel.obscure.html
	# http://en.wikipedia.org/wiki/Sysctl



	###
	### GENERAL SYSTEM SECURITY OPTIONS ###
	###

	# Auto-reboot linux 30 seconds after a kernel panic
	kernel.panic = 30
	kernel.panic_on_oops = 30

	# Controls the System Request debugging functionality of the kernel
	kernel.sysrq = 0

	# Controls whether core dumps will append the PID to the core filename.
	# Useful for debugging multi-threaded applications.
	kernel.core_uses_pid = 1

	#Allow for more PIDs
	kernel.pid_max = 65536

	# The contents of /proc/<pid>/maps and smaps files are only visible to
	# readers that are allowed to ptrace() the process
	#kernel.maps_protect = 1

	#Enable ExecShield protection
	#kernel.exec-shield = 1
	kernel.randomize_va_space = 2

	# Controls the maximum size of a message, in bytes
	kernel.msgmnb = 65536

	# Controls the default maxmimum size of a mesage queue
	kernel.msgmax = 65536

	# Restrict core dumps
	fs.suid_dumpable = 0

	# Hide exposed kernel pointers
	#kernel.kptr_restrict = 1



	###
	### IMPROVE SYSTEM MEMORY MANAGEMENT ###
	###

	# Increase size of file handles and inode cache
	fs.file-max = 2097152

	# Do less swapping
	vm.swappiness = 10
	vm.dirty_ratio = 40
	vm.dirty_background_ratio = 2
	vm.vfs_cache_pressure = 50

	# specifies the minimum virtual address that a process is allowed to mmap
	vm.mmap_min_addr = 4096

	# No overcommitment of available memory
	vm.overcommit_ratio = 0
	vm.overcommit_memory = 0

	# Set maximum amount of memory allocated to shm to 256MB
	kernel.shmmax = 268435456
	kernel.shmall = 268435456

	# Keep at least 64MB of free RAM space available
	vm.min_free_kbytes = 65536



	###
	### GENERAL NETWORK SECURITY OPTIONS ###
	###

	#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
	net.ipv4.tcp_syncookies = 1
	net.ipv4.tcp_syn_retries = 2
	net.ipv4.tcp_synack_retries = 2
	net.ipv4.tcp_max_syn_backlog = 4096

	# Disables packet forwarding
	net.ipv4.ip_forward = 0
	net.ipv4.conf.all.forwarding = 0
	net.ipv4.conf.default.forwarding = 0
	net.ipv6.conf.all.forwarding = 0
	net.ipv6.conf.default.forwarding = 0

	# Disables IP source routing
	net.ipv4.conf.all.send_redirects = 0
	net.ipv4.conf.default.send_redirects = 0
	net.ipv4.conf.all.accept_source_route = 0
	net.ipv4.conf.default.accept_source_route = 0
	net.ipv6.conf.all.accept_source_route = 0
	net.ipv6.conf.default.accept_source_route = 0

	# Enable IP spoofing protection, turn on source route verification
	net.ipv4.conf.all.rp_filter = 1
	net.ipv4.conf.default.rp_filter = 1

	# Disable ICMP Redirect Acceptance
	net.ipv4.conf.all.accept_redirects = 0
	net.ipv4.conf.default.accept_redirects = 0
	net.ipv4.conf.all.secure_redirects = 0
	net.ipv4.conf.default.secure_redirects = 0
	net.ipv6.conf.all.accept_redirects = 0
	net.ipv6.conf.default.accept_redirects = 0

	# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
	net.ipv4.conf.all.log_martians = 1
	net.ipv4.conf.default.log_martians = 1

	# Decrease the time default value for tcp_fin_timeout connection
	net.ipv4.tcp_fin_timeout = 7

	# Decrease the time default value for connections to keep alive
	net.ipv4.tcp_keepalive_time = 300
	net.ipv4.tcp_keepalive_probes = 5
	net.ipv4.tcp_keepalive_intvl = 15

	# Don't relay bootp
	net.ipv4.conf.all.bootp_relay = 0

	# Don't proxy arp for anyone
	net.ipv4.conf.all.proxy_arp = 0

	# Turn on SACK
	net.ipv4.tcp_dsack = 1
	net.ipv4.tcp_sack = 1
	net.ipv4.tcp_fack = 1

	# Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better
	net.ipv4.tcp_timestamps = 1

	# Don't ignore directed pings
	net.ipv4.icmp_echo_ignore_all = 0

	# Enable ignoring broadcasts request
	net.ipv4.icmp_echo_ignore_broadcasts = 1

	# Enable bad error message Protection
	net.ipv4.icmp_ignore_bogus_error_responses = 1

	# Allowed local port range
	net.ipv4.ip_local_port_range = 16384 65535

	# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
	net.ipv4.tcp_rfc1337 = 1



	###
	### TUNING NETWORK PERFORMANCE ###
	###

	# For high-bandwidth low-latency networks, use 'htcp' congestion control
	# Do a 'modprobe tcp_htcp' first
	net.ipv4.tcp_congestion_control = htcp

	# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
	#net.core.default_qdisc = fq

	# Turn on the tcp_window_scaling
	net.ipv4.tcp_window_scaling = 1

	# Increase the maximum total buffer-space allocatable
	# This is measured in units of pages (4096 bytes)
	net.ipv4.tcp_mem = 65536 131072 262144
	net.ipv4.udp_mem = 65536 131072 262144

	# Increase the read-buffer space allocatable
	net.ipv4.tcp_rmem = 8192 87380 16777216
	net.ipv4.udp_rmem_min = 16384
	net.core.rmem_default = 131072
	net.core.rmem_max = 16777216

	# Increase the write-buffer-space allocatable
	net.ipv4.tcp_wmem = 8192 65536 16777216
	net.ipv4.udp_wmem_min = 16384
	net.core.wmem_default = 131072
	net.core.wmem_max = 16777216

	# Increase number of incoming connections
	net.core.somaxconn = 32768

	# Increase number of incoming connections backlog
	net.core.netdev_max_backlog = 16384
	net.core.dev_weight = 64

	# Increase the maximum amount of option memory buffers
	net.core.optmem_max = 65536

	# Increase the maximum number of skb-heads to be cached
	#net.core.hot_list_length = 1024

	# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
	net.ipv4.tcp_max_tw_buckets = 1440000

	# try to reuse time-wait connections, but don't recycle them (can break clients behind NAT)
	net.ipv4.tcp_tw_recycle = 1
	net.ipv4.tcp_tw_reuse = 1

	# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
	net.ipv4.tcp_max_orphans = 16384
	net.ipv4.tcp_orphan_retries = 0

	# Increase the maximum memory used to reassemble IP fragments
	net.ipv4.ipfrag_high_thresh = 262144
	net.ipv4.ipfrag_low_thresh = 196608

	# don't cache ssthresh from previous connection
	net.ipv4.tcp_no_metrics_save = 1
	net.ipv4.tcp_moderate_rcvbuf = 1

	# Increase RPC slots
	#sunrpc.tcp_slot_table_entries = 32
	#sunrpc.udp_slot_table_entries = 32

	# Increase size of RPC datagram queue length
	net.unix.max_dgram_qlen = 50

	# Don't allow the arp table to become bigger than this
	net.ipv4.neigh.default.gc_thresh3 = 2048

	# Tell the gc when to become aggressive with arp table cleaning.
	# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
	net.ipv4.neigh.default.gc_thresh2 = 1024

	# Adjust where the gc will leave arp table alone - set to 32.
	net.ipv4.neigh.default.gc_thresh1 = 32

	# Adjust to arp table gc to clean-up more often
	net.ipv4.neigh.default.gc_interval = 30

	# Increase TCP queue length
	net.ipv4.neigh.default.proxy_qlen = 96
	net.ipv4.neigh.default.unres_qlen = 6

	# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
	net.ipv4.tcp_ecn = 1
	net.ipv4.tcp_reordering = 3

	# How many times to retry killing an alive TCP connection
	net.ipv4.tcp_retries2 = 15
	net.ipv4.tcp_retries1 = 3

	# Avoid falling back to slow start after a connection goes idle
	# keeps our cwnd large with the keep alive connections (kernel > 3.6)
	net.ipv4.tcp_slow_start_after_idle = 0

	# Allow the TCP fastopen flag to be used, beware some firewalls do not like TFO! (kernel > 3.7)
	#net.ipv4.tcp_fastopen = 3

	# This will enusre that immediatly subsequent connections use the new values
	net.ipv4.route.flush = 1
	net.ipv6.route.flush = 1