Skip to content

Instantly share code, notes, and snippets.

@jimmiehansson

jimmiehansson/sysctl.changed.conf

Forked from nogweii/sysctl.changed.conf
Created May 8, 2014 00:28
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save jimmiehansson/1aaf78a194db48afa964 to your computer and use it in GitHub Desktop.
Save jimmiehansson/1aaf78a194db48afa964 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
sysctl.changed.conf
fs.file-max = 65535
fs.inode-max = 32768
fs.suid_dumpable = 0
kernel.core_uses_pid = 1
kernel.exec-shield = 1
kernel.maps_protect = 1
kernel.msgmax = 65536
kernel.msgmnb = 65536
kernel.panic = 30
kernel.panic_on_oops = 30
kernel.pid_max = 65536
kernel.randomize_va_space = 1
kernel.shmall = 268435456
kernel.shmmax = 268435456
kernel.sysrq = 0
net.core.hot_list_length = 1024
net.core.netdev_max_backlog = 4096
net.core.optmem_max = 65536
net.core.rmem_default = 131072
net.core.rmem_max = 16777216
net.core.somaxconn = 32768
net.core.wmem_default = 131072
net.core.wmem_max = 16777216
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.eth0.log_martians = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.ip_forward = 0
net.ipv4.ip_local_port_range = 16384 65536
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464
net.ipv4.ipfrag_time = 20
net.ipv4.neigh.default.gc_interval = 30
net.ipv4.neigh.default.gc_thresh1 = 32
net.ipv4.neigh.default.gc_thresh2 = 1024
net.ipv4.neigh.default.gc_thresh3 = 2048
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6
net.ipv4.route.flush = 1
net.ipv4.tcp_abort_on_overflow = 0
net.ipv4.tcp_congestion_control = cubic
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 9
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_mem = 57344 57344 65536
net.ipv4.tcp_moderate_rcvbuf = 1
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_orphan_retries = 0
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.tcp_sack = 0
net.ipv4.tcp_sack = 1
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 0
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_mem = 65536 131072 262144
net.ipv4.udp_rmem_min = 16384
net.ipv4.udp_wmem_min = 16384
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.max_addresses = 1
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.route.flush = 1
net.unix.max_dgram_qlen = 50
sunrpc.tcp_slot_table_entries = 32
sunrpc.udp_slot_table_entries = 32
vm.bdflush = 100 1200 128 512 15 5000 500 1884 2
vm.buffermem = 90 10 60
vm.dirty_background_ratio = 2
vm.dirty_ratio = 60
vm.min_free_kbytes = 65536
vm.mmap_min_addr = 4096
vm.overcommit_memory = 0
vm.overcommit_ratio = 0
vm.swappiness = 10
Raw
sysctl.conf
# -- http://klaver.it/linux/sysctl.conf
# Kernel sysctl configuration file for Linux
#
# Version 1.9 - 2011-03-23
# Michiel Klaver - IT Professional
# http://klaver.it/linux/ for the latest version - http://klaver.it/bsd/ for a BSD variant
#
# This file should be saved as /etc/sysctl.conf and can be activated using the command:
# sysctl -e -p /etc/sysctl.conf
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details.
#
# Tested with: Debian 4 etchnhalf kernel version 2.6.24 default stock out-of-the-box
# Debian 5 kernel version 2.6.26 default stock out-of-the-box
# CentOS 5.4 kernel 2.6.18 default stock out-of-the-box
#
# Intended use for dedicated server systems at high-speed networks with loads of RAM and bandwidth available
# Optimised and tuned for high-performance web/ftp/mail/dns servers with high connection-rates
# DO NOT USE at busy networks or xDSL/Cable connections where packetloss can be expected
# ----------
# Credits:
# http://www.enigma.id.au/linux_tuning.txt
# http://www.securityfocus.com/infocus/1729
# http://fasterdata.es.net/TCP-tuning/linux.html
# http://fedorahosted.org/ktune/browser/sysctl.ktune
# http://www.cymru.com/Documents/ip-stack-tuning.html
# http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
# http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html
# http://knol.google.com/k/linux-performance-tuning-and-measurement
# http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/
# http://www.redbooks.ibm.com/abstracts/REDP4285.html
# http://www.speedguide.net/read_articles.php?id=121
# http://lartc.org/howto/lartc.kernel.obscure.html
# http://en.wikipedia.org/wiki/Sysctl
###
### GENERAL SYSTEM SECURITY OPTIONS ###
###
# Auto-reboot linux 30 seconds after a kernel panic
kernel.panic = 30
kernel.panic_on_oops = 30
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
#Allow for more PIDs
kernel.pid_max = 65536
# The contents of /proc/<pid>/maps and smaps files are only visible to
# readers that are allowed to ptrace() the process
kernel.maps_protect = 1
#Enable ExecShield protection
kernel.exec-shield = 1
kernel.randomize_va_space = 1
# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536
# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65536
###
### IMPROVE SYSTEM MEMORY MANAGEMENT ###
###
# Increase size of file handles and inode cache
fs.file-max = 209708
# Do less swapping
vm.swappiness = 10
vm.dirty_ratio = 60
vm.dirty_background_ratio = 2
# specifies the minimum virtual address that a process is allowed to mmap
vm.mmap_min_addr = 4096
# No overcommitment of available memory
vm.overcommit_ratio = 0
vm.overcommit_memory = 0
# Set maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456
kernel.shmall = 268435456
# Keep at least 64MB of free RAM space available
vm.min_free_kbytes = 65536
###
### GENERAL NETWORK SECURITY OPTIONS ###
###
#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096
# Disables packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
# Disables IP source routing
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Disable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# Decrease the time default value for connections to keep alive
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
# Don't relay bootp
net.ipv4.conf.all.bootp_relay = 0
# Don't proxy arp for anyone
net.ipv4.conf.all.proxy_arp = 0
# Turn on SACK
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
# Turn on the tcp_timestamps
net.ipv4.tcp_timestamps = 1
# Don't ignore directed pings
net.ipv4.icmp_echo_ignore_all = 0
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536
# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
net.ipv4.tcp_rfc1337 = 1
###
### TUNING NETWORK PERFORMANCE ###
###
# Do a 'modprobe tcp_cubic' first
net.ipv4.tcp_congestion_control = cubic
# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1
# Increase the maximum total buffer-space allocatable
# This is measured in units of pages (4096 bytes)
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144
# Increase the read-buffer space allocatable
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 131072
net.core.rmem_max = 16777216
# Increase the write-buffer-space allocatable
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 131072
net.core.wmem_max = 16777216
# Increase number of incoming connections
net.core.somaxconn = 32768
# Increase number of incoming connections backlog
net.core.netdev_max_backlog = 4096
net.core.dev_weight = 64
# Increase the maximum amount of option memory buffers
net.core.optmem_max = 65536
# Increase the maximum number of skb-heads to be cached
#net.core.hot_list_length = 1024
# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_orphan_retries = 0
# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464
# don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
# Increase RPC slots
sunrpc.tcp_slot_table_entries = 32
sunrpc.udp_slot_table_entries = 32
# Increase size of RPC datagram queue length
net.unix.max_dgram_qlen = 50
# Don't allow the arp table to become bigger than this
net.ipv4.neigh.default.gc_thresh3 = 2048
# Tell the gc when to become aggressive with arp table cleaning.
# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
net.ipv4.neigh.default.gc_thresh2 = 1024
# Adjust where the gc will leave arp table alone - set to 32.
net.ipv4.neigh.default.gc_thresh1 = 32
# Adjust to arp table gc to clean-up more often
net.ipv4.neigh.default.gc_interval = 30
# Increase TCP queue length
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6
# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_ecn = 2
net.ipv4.tcp_reordering = 3
# How many times to retry killing an alive TCP connection
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3
# This will enusre that immediatly subsequent connections use the new values
net.ipv4.route.flush = 1
net.ipv6.route.flush = 1
###
### Comments/suggestions/additions are welcome!
###
# -- http://wiki.docdroppers.org/index.php?title=Sysctl_Modifications
net.ipv4.ip_forward = 0
As listed, this will disable IP forwarding from this machine. This disables the ability of this machine to act as a router and forward traffic to other machines. Possible states for this option are 1 and 0.
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
This option attempts to verify packet source addresses using reverse patch. This option will require that packets with a particular outgoing source addresses also receive their replies on the same interface as they were sent out. Possible states for this option are 1 and 0. Note: this option has a detrimental effect on linux machines set up as a router that use advanced or policy routing, as it has a tendancy to drop packets.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
This option tells the kernel to log the source address of all packets with no route back to the source address. Martian packets are seemingly "dropped in from Mars," because we have no idea where they came from, or how to get them back. Kernel default is off (0). Possible states are 1 and 0.
net.ipv4.icmp_echo_ignore_broadcasts = 1
This option instructs the kernel to ignore ICMP messages to broadcast or multicast addresses. Helps to prevent smurf attacks among other things, and is generally unneccessary unless you need to know how many hosts on your network are alive. Kernel default is off (0). Possible states are 1 and 0.
net.ipv4.icmp_ignore_bogus_error_responses = 1
This option ignores incorrectly constructed error messages. Basically, it saves space in your logs, since some routers don't send out proper error messages, and oh, hey look, we don't care. Kernel deafult is off (0). Possible states are 1 and 0.
fs.file-max = 8192
This option specifies the max number of file handles that can be opened at one time. Default setting is 4096.
fs.inode-max = 32768
This option specifies the max number of inodes that can be opened at one time. Default setting is 4096.
net.ipv4.ip_local_port_range = 32768 61000
This option defines the range of ports that we allow clients to connect on. The default value of this variable depends on how much RAM your machine has. If you have more than 1024 MB of RAM, this variable will default to a lower bound of 32768 and a higher bound of 61000. Also, see the option I added on "tcp_tw_recycle" below.
net.ipv4.tcp_tw_recycle = 0
This option is somewhat related to the previous option. This option has two possible states, 1 and 0. This option enables fast recycling of sockets in the TCP_WAIT state. This option will increase performance significantly, but can also have an adverse effect on stability It is generally (sometimes) fine to enable this on a local network, but is not advisable when possible network delays ( like those found on the internet) could exist. Possible states are 1 and 0.
net.ipv4.tcp_syncookies = 1
When the server SYN queue is overflowed, this option enables the kernel to send out SYN cookies to verify that the SYN packets it is recieving are legitimate. Note that this option may help performance, but is also a violation of the TCP protocol. Should not be used as a tuning mechanism for heavily loaded servers, instead see tcp_max_syn_backlog, tcp_synack_retries, and tcp_abort_on_overflow. I've included information for them below. Also note that the use of this option disables TCP window scaling. Note that the kernel must be compiled with CONFIG_SYN_COOKIES. Default value is 0. Possible states are 1 and 0.
net.ipv4.tcp_max_syn_backlog = 2048
This option defines the maximum socket queue size for TCP SYN requests. This can be used as an alternative to SYN cookies. Kernel defaults are 128 if you have less than less than 128 MB of RAM, and 1024 if you have more than 128 MB of RAM.
net.ipv4.tcp_synack_retries = 5
This option defines the maximum number of attempts that the kernel will make to establish a connected state on a TIME_WAIT connection. This option is useful for tuning against DoS attacks such as SYN flooding as an alternative to SYN cookies. Kernel default is 5, and each connection takes about 35 seconds, so the default timeout for half-open passive TCP connections is 180 seconds. Takes an integer value, but should be left at 5 or lower, unless there is a really good reason. Default is 5.
net.ipv4.tcp_syn_retries = 5
This option defines the maximum number of attempts that the kernel will make to establish a connected state on an _active_ TCP connection. Note that this is different than tcp_synack_retries in that this relates to connections that the kernel is making actively. Kernel default is 5, and each connection takes about 35 seconds, so the default timeout for active TCP connections is 180 seconds. Takes an integer value, but should be left at 5 or lower, unless there is a really good reason. Default is 5.
net.ipv4.tcp_abort_on_overflow = 0
This option instructs the kernel to send RST responses to incoming connections when the daemon is flooded with connect requests that the daemon cannot handle. If this is set to 0, the system will attempt to handle all requests. As recommended in the sysctl documentation, it is good to leave this as 0, unless absolutely neccessary, as it may affect your clients. It's a last-ditch option.
net.ipv4.tcp_fin_timeout = 10
This option tells the kernel how long to keep connections in the FIN-WAIT-2 state. If the remote end does not properly close its connection, then this option instructs the kernel to drop the connection in 10 seconds. Default is 60.
net.ipv4.tcp_keepalive_time = 1800
This option tells the kernel how long to wait before sending keepalive packets to TCP connections in a keepalive state. This setting is related to tcp_keepalive_probes, and tcp_keepalive_intvl, which are described below. Setting this to 1800 will make the kernel wait 30 minutes before sending any keepalive probes to determine if the connection is still valid. For a connection in keepalive state to be dropped, the kernel waits until tcp_keepalive_time (in our case, 60 seconds). Then, it sends up to tcp_keepalive_probes (default 9) to determine if the host is alive. The probes are sent at the rate defined in tcp_keepalive_intvl (default 75, or 75 every second). Default is 7200.
net.ipv4.tcp_keepalive_probes = 9
This option defines how many probes will be sent to a host after the keepalive timeout is reached. Default is 9.
net.ipv4.tcp_keepalive_intvl = 75
This option defines the interval (in seconds) between sending TCP keepalive probes. Default is 75.
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
Just a quick rundown of TCP windows. There is a lot here, so I didn't feel like commenting it. Default is on.
A "TCP window" is the maximum amount of outstanding data that a user can send on a particular connection, before it requires a response from the reciever acknowledging that the reviever has indeed received at least some of the data. The kernel will only send data up to the TCP window size limit before waiting for a response from the far end. The default TCP window is 32KB. This value is defined in /usr/src/linux/include/net/tcp.h, in the setting #define MAX_TCP_WINDOW 32767U. TCP buffers help to maximize efficiency of a connection. Having low TCP window sizes on a latent connection (like the internet) will decrease efficiency. TCP window scaling (tcp_window_scaling) enables TCP to use windows greater than 64KB. This works in conjunction with TCP's autotuning features. TCP has an autotuning feature which will attempt to determine the best window sizes for connections, automatically. Disabling the tcp_window_scaling feature disables TCP windows and autotuning. For more information see http://www.psc.edu/networking/projects/tcptune/, and the ip-sysctl documentation.
net.ipv4.tcp_timestamps = 0
This option instructs the kernel to disable TCP timestamps. Timestamps are used to calculate Round-Trip Time. With this option enabled (1), data packets are sent with timestamps, and returning ACK packets also carry timestamps. RTT can then be calculated by comparing the values. Timestamps are used by the PAWS (Protection Against Wrapped Sequences) algorithm to ensure that TCP sequence numbers are not wrapped before packets are delivered. Problems arise when packets are latent, and the TCP sequence numbers wrap before the latent packets are delivered. A DoS condition can exist in certain situations with this option enabled, as PAWS sometimes can be tricked into dropping valid packets. Also, leaving this enabled means it's just "one more thing" for the kernel to do. Default is 1. Possible values are 1 and 0.
net.ipv4.conf.all.accept_source_route
This option will disable source routing for this machine. If this machine isn't a router, you probably don't need source routing. Default is 1. Possible values are 1 and 0.
net.ipv4.conf.all.send_redirects = 0
This option instructs the kernel to NOT send ICMP redirect messages. Other related ICMP options are listed below. Possible values are 1 and 0.
net.ipv4.ipfrag_time = 20
This option tells the handler how long to keep an IP fragment in memory, 20 seconds in this case. Only fragments that can not yet be assembled are kept here, since fragments that can be assembled have already been moved.
net.ipv4.conf.all.accept_redirects = 0
Refuse to accept IP redirects We don't want someone telling us that there is a 'faster' or 'better' path, and potentially hijacking our connection. default is on (1).
net.ipv4.tcp_ecn = 0
don't use Explicit Congestion Notification in our packets. Some routers don't like it.
net.ipv4.tcp_rfc1337 = 1
This option requires compliance with RFC1337. Enabling this option will ignore RST packets that are sent to a connection in a TIME_WAIT state. Instead, the connection will wait for the connection to timeout like normal. I dunno what you guys comments on this is, I usually leave it on.
net.ipv4.conf.all.proxy_arp = 0
We don't really want to proxy ARP for anyone, do we? This option is turned off by default, but just to be safe...
net.ipv4.route.flush = 1
Disable autocaching of window sizes in the routing table.
# -- http://www.expertslogin.com/linux-administration/linux-sysctl-tuning/
# Disables packet forwarding
net.ipv4.ip_forward = 0
# Enables source route verification
net.ipv4.conf.default.rp_filter = 1
# Disables the magic-sysrq key
kernel.sysrq = 0
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 25
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 3600
# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1
# Turn on the tcp_sack
net.ipv4.tcp_sack = 1
# tcp_fack should be on because of sack
net.ipv4.tcp_fack = 1
# Turn on the tcp_timestamps
net.ipv4.tcp_timestamps = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Don’t Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0
# Make more local ports available
net.ipv4.ip_local_port_range = 1024 65000
# Increase maximum amount of memory allocated to shm
kernel.shmmax = 1073741824
# Improve file system performance
vm.bdflush = 100 1200 128 512 15 5000 500 1884 2
# This will increase the amount of memory available for socket input/output queues
net.ipv4.tcp_rmem = 4096 25165824 25165824
net.core.rmem_max = 25165824
net.core.rmem_default = 25165824
net.ipv4.tcp_wmem = 4096 65536 25165824
net.core.wmem_max = 25165824
net.core.wmem_default = 65536
net.core.optmem_max = 25165824
# If you are feeling daring, you can also use these settings below, otherwise just remove them. (Should increase performance)
net.core.netdev_max_backlog = 2500
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
# -- https://wiki.archlinux.org/index.php/Sysctl
#
# Kernel sysctl configuration
#
# Disable packet forwarding
net.ipv4.ip_forward=0
# Disable the magic-sysrq key (console security issues)
kernel.sysrq = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
Warning: This may cause dropped frames with load-balancing and NATs, only use this for a server that communicates only over your local network.
# reuse/recycle time-wait sockets
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
#### ipv4 networking ####
## TCP SYN cookie protection
## helps protect against SYN flood attacks
## only kicks in when net.ipv4.tcp_max_syn_backlog is reached
net.ipv4.tcp_syncookies = 1
## protect against tcp time-wait assassination hazards
## drop RST packets for sockets in the time-wait state
## (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 = 1
## tcp timestamps
## + protect against wrapping sequence numbers (at gigabit speeds)
## + round trip time calculation implemented in TCP
## - causes extra overhead and allows uptime detection by scanners like nmap
## enable @ gigabit speeds
net.ipv4.tcp_timestamps = 0
#net.ipv4.tcp_timestamps = 1
## source address verification (sanity checking)
## helps protect against spoofing attacks
net.ipv4.conf.all.rp_filter = 1
## disable ALL packet forwarding (not a router, disable it)
net.ipv4.ip_forward = 0
## log martian packets
net.ipv4.conf.all.log_martians = 1
## ignore echo broadcast requests to prevent being part of smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1
## optionally, ignore all echo requests
#net.ipv4.icmp_echo_ignore_all = 1
## ignore bogus icmp errors
net.ipv4.icmp_ignore_bogus_error_responses = 1
## IP source routing (insecure, disable it)
net.ipv4.conf.all.accept_source_route = 0
## send redirects (not a router, disable it)
net.ipv4.conf.all.send_redirects = 0
## ICMP routing redirects (only secure)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
Small periodical system freezes
Set dirty bytes to small enough value (for example 4M)
vm.dirty_background_bytes = 4194304
vm.dirty_bytes = 4194304
Try to change kernel.io_delay_type (x86 only):
0 - IO_DELAY_TYPE_0X80
1 - IO_DELAY_TYPE_0XED
2 - IO_DELAY_TYPE_UDELAY
3 - IO_DELAY_TYPE_NONE
# -- http://www.ubuntu-unleashed.com/2008/04/howto-harden-ubuntu-linux-kernel-with.html
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
#Prevent SYN attack
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
# Disables packet forwarding
net.ipv4.ip_forward=0
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.lo.log_martians = 1
net.ipv4.conf.eth0.log_martians = 1
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Disables the magic-sysrq key
kernel.sysrq = 0
# Modify system limits for Ensim WEBppliance
fs.file-max = 65000
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
# Set maximum amount of memory allocated to shm to 256MB
kernel.shmmax = 268435456
# Improve file system performance
vm.bdflush = 100 1200 128 512 15 5000 500 1884 2
# Improve virtual memory performance
vm.buffermem = 90 10 60
# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024
# Increase the maximum total TCP buffer-space allocatable
net.ipv4.tcp_mem = 57344 57344 65536
# Increase the maximum TCP write-buffer-space allocatable
net.ipv4.tcp_wmem = 32768 65536 524288
# Increase the maximum TCP read-buffer space allocatable
net.ipv4.tcp_rmem = 98304 196608 1572864
# Increase the maximum and default receive socket buffer size
net.core.rmem_max = 524280
net.core.rmem_default = 524280
# Increase the maximum and default send socket buffer size
net.core.wmem_max = 524280
net.core.wmem_default = 524280
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536
# Increase the maximum memory used to reassemble IP fragments
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464
# Increase the maximum amount of option memory buffers
net.core.optmem_max = 57344
# Increase the maximum number of skb-heads to be cached
net.core.hot_list_length = 1024
## DO NOT REMOVE THE FOLLOWING LINE!
## nsobuild:20051206
## Stack protection
kernel.exec-shield=1
kernel.randomize_va_space=1
# Disable suid binaries from core dumps
fs.suid_dumpable=0
## Run these to apply/flush the routing tables (to apply ARP protections)
## sysctl -p
## sysctl -w net.ipv4.route.flush=1
# -- http://www.couchbase.com/forums/thread/best-linux-kernel-parameters-sysctl-settings
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 1
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 0
# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536
# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 30
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
# -- http://www.webhostingtalk.com/showthread.php?t=257654
# Disables packet forwarding
net.ipv4.ip_forward = 0
# Enables source route verification
net.ipv4.conf.default.rp_filter = 1
# Disables the magic-sysrq key
kernel.sysrq = 0
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 25
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 3600
# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1
# Turn on the tcp_sack
net.ipv4.tcp_sack = 1
# tcp_fack should be on because of sack
net.ipv4.tcp_fack = 1
# Turn on the tcp_timestamps
net.ipv4.tcp_timestamps = 1
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Don't Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0
# Make more local ports available
net.ipv4.ip_local_port_range = 1024 65000
# Increase maximum amount of memory allocated to shm
kernel.shmmax = 1073741824
# Improve file system performance
vm.bdflush = 100 1200 128 512 15 5000 500 1884 2
# This will increase the amount of memory available for socket input/output queues
net.ipv4.tcp_rmem = 4096 25165824 25165824
net.core.rmem_max = 25165824
net.core.rmem_default = 25165824
net.ipv4.tcp_wmem = 4096 65536 25165824
net.core.wmem_max = 25165824
net.core.wmem_default = 65536
net.core.optmem_max = 25165824
# If you are feeling daring, you can also use these settings below, otherwise just remove them. (Should increase performance)
net.core.netdev_max_backlog = 2500
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
# -- http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/
# The following is suitable for dedicated web server, mail, ftp server etc.
# ---------------------------------------
# BOOLEAN Values:
# a) 0 (zero) - disabled / no / false
# b) Non zero - enabled / yes / true
# --------------------------------------
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
#net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
########## IPv4 networking start ##############
# Send redirects, if router, but this is just server
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Accept packets with SRR option? No
net.ipv4.conf.all.accept_source_route = 0
# Accept Redirects? No, this is not router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Prevent against the common 'syn flood attack'
net.ipv4.tcp_syncookies = 1
# Enable source validation by reversed path, as specified in RFC1812
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
########## IPv6 networking start ##############
# Number of Router Solicitations to send until assuming no routers are present.
# This is host and not router
net.ipv6.conf.default.router_solicitations = 0
# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0
# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0
# Setting controls whether the system will accept Hop Limit settings from a router advertisement
net.ipv6.conf.default.accept_ra_defrtr = 0
#router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0
#how many neighbor solicitations to send out per address?
net.ipv6.conf.default.dad_transmits = 0
# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1
########## IPv6 networking ends ##############
#Enable ExecShield protection
kernel.exec-shield = 1
kernel.randomize_va_space = 1
# TCP and memory optimization
# increase TCP max buffer size setable using setsockopt()
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608
# increase Linux auto tuning TCP buffer limits
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1
# increase system file descriptor limit
fs.file-max = 65535
#Allow for more PIDs
kernel.pid_max = 65536
#Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Information: http://www.linuxweblog.com/tuning-tcp-sysctlconf
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment