# Kernel sysctl configuration file for Linux
#
# Version 1.14 - 2019-04-05
# Michiel Klaver - IT Professional
# http://klaver.it/linux/ for the latest version - http://klaver.it/bsd/ for a BSD variant
#
# This file should be saved as /etc/sysctl.conf and can be activated using the command:
# sysctl -e -p /etc/sysctl.conf
# (on systemd hosts a drop-in such as /etc/sysctl.d/99-tuning.conf loaded by systemd-sysctl works too)
#
# The -e flag matters: several keys in this file (kernel.maps_protect, kernel.exec-shield,
# net.ipv4.tcp_tw_recycle, per-interface eth0 keys) do not exist on current kernels and
# would otherwise abort the load. Review any "unknown key" message rather than ignoring it.
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and sysctl.conf(5) for more details.
#
# Tested with: Ubuntu 14.04 LTS kernel version 3.13
#              Debian 7 kernel version 3.2
#              CentOS 7 kernel version 3.10

#
# Intended use: dedicated server systems on high-speed networks with plenty of RAM and bandwidth available
# Optimised and tuned for high-performance web/ftp/mail/dns servers with high connection rates
# DO NOT USE on busy networks or xDSL/Cable connections where packet loss can be expected
# ----------

# Credits:
# http://www.enigma.id.au/linux_tuning.txt
# http://www.securityfocus.com/infocus/1729
# http://fasterdata.es.net/TCP-tuning/linux.html
# http://fedorahosted.org/ktune/browser/sysctl.ktune
# http://www.cymru.com/Documents/ip-stack-tuning.html
# http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
# http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html
# http://knol.google.com/k/linux-performance-tuning-and-measurement
# http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/
# http://www.redbooks.ibm.com/abstracts/REDP4285.html
# http://www.speedguide.net/read_articles.php?id=121
# http://lartc.org/howto/lartc.kernel.obscure.html
# http://en.wikipedia.org/wiki/Sysctl
# https://blog.cloudflare.com/http-2-prioritization-with-nginx/



  40. ###
  41. ### GENERAL SYSTEM SECURITY OPTIONS ###
  42. ###
  43.  
  44. # Controls the System Request debugging functionality of the kernel
  45. kernel.sysrq = 0
  46.  
  47. # Controls whether core dumps will append the PID to the core filename.
  48. # Useful for debugging multi-threaded applications.
  49. kernel.core_uses_pid = 1
  50.  
  51. #Allow for more PIDs
  52. kernel.pid_max = 65535
  53.  
  54. # The contents of /proc/<pid>/maps and smaps files are only visible to
  55. # readers that are allowed to ptrace() the process
  56. kernel.maps_protect = 1
  57.  
  58. #Enable ExecShield protection
  59. kernel.exec-shield = 1
  60. kernel.randomize_va_space = 2
  61.  
  62. # Controls the maximum size of a message, in bytes
  63. kernel.msgmnb = 65535
  64.  
  65. # Controls the default maxmimum size of a mesage queue
  66. kernel.msgmax = 65535
  67.  
  68. # Restrict core dumps
  69. fs.suid_dumpable = 0
  70.  
  71. # Hide exposed kernel pointers
  72. kernel.kptr_restrict = 1
  73.  
  74.  
  75.  
  76. ###
  77. ### IMPROVE SYSTEM MEMORY MANAGEMENT ###
  78. ###
  79.  
  80. # Increase size of file handles and inode cache
  81. fs.file-max = 209708
  82.  
  83. # Do less swapping
  84. vm.swappiness = 30
  85. vm.dirty_ratio = 30
  86. vm.dirty_background_ratio = 5
  87.  
  88. # specifies the minimum virtual address that a process is allowed to mmap
  89. vm.mmap_min_addr = 4096
  90.  
  91. # 50% overcommitment of available memory
  92. vm.overcommit_ratio = 50
  93. vm.overcommit_memory = 0
  94.  
  95. # Set maximum amount of memory allocated to shm to 256MB
  96. kernel.shmmax = 268435456
  97. kernel.shmall = 268435456
  98.  
  99. # Keep at least 64MB of free RAM space available
  100. vm.min_free_kbytes = 65535
  101.  
  102.  
  103.  
  104. ###
  105. ### GENERAL NETWORK SECURITY OPTIONS ###
  106. ###
  107.  
  108. #Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
  109. net.ipv4.tcp_syncookies = 1
  110. net.ipv4.tcp_syn_retries = 2
  111. net.ipv4.tcp_synack_retries = 2
  112. net.ipv4.tcp_max_syn_backlog = 4096
  113.  
  114. # Disables packet forwarding
  115. net.ipv4.ip_forward = 0
  116. net.ipv4.conf.all.forwarding = 0
  117. net.ipv4.conf.default.forwarding = 0
  118. net.ipv6.conf.all.forwarding = 0
  119. net.ipv6.conf.default.forwarding = 0
  120.  
  121. # Disables IP source routing
  122. net.ipv4.conf.all.send_redirects = 0
  123. net.ipv4.conf.default.send_redirects = 0
  124. net.ipv4.conf.all.accept_source_route = 0
  125. net.ipv4.conf.default.accept_source_route = 0
  126. net.ipv6.conf.all.accept_source_route = 0
  127. net.ipv6.conf.default.accept_source_route = 0
  128.  
  129. # Enable IP spoofing protection, turn on source route verification
  130. net.ipv4.conf.all.rp_filter = 1
  131. net.ipv4.conf.default.rp_filter = 1
  132.  
  133. # Disable ICMP Redirect Acceptance
  134. net.ipv4.conf.all.accept_redirects = 0
  135. net.ipv4.conf.default.accept_redirects = 0
  136. net.ipv4.conf.all.secure_redirects = 0
  137. net.ipv4.conf.default.secure_redirects = 0
  138. net.ipv6.conf.all.accept_redirects = 0
  139. net.ipv6.conf.default.accept_redirects = 0
  140.  
  141. # Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
  142. net.ipv4.conf.all.log_martians = 1
  143. net.ipv4.conf.default.log_martians = 1
  144.  
  145. # Decrease the time default value for tcp_fin_timeout connection
  146. net.ipv4.tcp_fin_timeout = 7
  147.  
  148. # Decrease the time default value for connections to keep alive
  149. net.ipv4.tcp_keepalive_time = 300
  150. net.ipv4.tcp_keepalive_probes = 5
  151. net.ipv4.tcp_keepalive_intvl = 15
  152.  
  153. # Don't relay bootp
  154. net.ipv4.conf.all.bootp_relay = 0
  155.  
  156. # Don't proxy arp for anyone
  157. net.ipv4.conf.all.proxy_arp = 0
  158.  
  159. # Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better
  160. net.ipv4.tcp_timestamps = 1
  161.  
  162. # Don't ignore directed pings
  163. net.ipv4.icmp_echo_ignore_all = 0
  164.  
  165. # Enable ignoring broadcasts request
  166. net.ipv4.icmp_echo_ignore_broadcasts = 1
  167.  
  168. # Enable bad error message Protection
  169. net.ipv4.icmp_ignore_bogus_error_responses = 1
  170.  
  171. # Allowed local port range
  172. net.ipv4.ip_local_port_range = 16384 65535
  173.  
  174. # Enable a fix for RFC1337 - time-wait assassination hazards in TCP
  175. net.ipv4.tcp_rfc1337 = 1
  176.  
  177. # Do not auto-configure IPv6
  178. net.ipv6.conf.all.autoconf=0
  179. net.ipv6.conf.all.accept_ra=0
  180. net.ipv6.conf.default.autoconf=0
  181. net.ipv6.conf.default.accept_ra=0
  182. net.ipv6.conf.eth0.autoconf=0
  183. net.ipv6.conf.eth0.accept_ra=0
  184.  
  185.  
  186.  
  187. ###
  188. ### TUNING NETWORK PERFORMANCE ###
  189. ###
  190.  
  191. # Use BBR TCP congestion control and set tcp_notsent_lowat to 16384 to ensure HTTP/2 prioritization works optimally
  192. # Do a 'modprobe tcp_bbr' first (kernel > 4.9)
  193. # Fall-back to htcp if bbr is unavailable (older kernels)
  194. net.ipv4.tcp_congestion_control = htcp
  195. net.ipv4.tcp_congestion_control = bbr
  196. net.ipv4.tcp_notsent_lowat = 16384
  197.    
  198. # For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
  199. net.core.default_qdisc = fq
  200.  
  201. # Turn on the tcp_window_scaling
  202. net.ipv4.tcp_window_scaling = 1
  203.  
  204. # Increase the read-buffer space allocatable
  205. net.ipv4.tcp_rmem = 8192 87380 16777216
  206. net.ipv4.udp_rmem_min = 16384
  207. net.core.rmem_default = 262144
  208. net.core.rmem_max = 16777216
  209.  
  210. # Increase the write-buffer-space allocatable
  211. net.ipv4.tcp_wmem = 8192 65536 16777216
  212. net.ipv4.udp_wmem_min = 16384
  213. net.core.wmem_default = 262144
  214. net.core.wmem_max = 16777216
  215.  
  216. # Increase number of incoming connections
  217. net.core.somaxconn = 32768
  218.  
  219. # Increase number of incoming connections backlog
  220. net.core.netdev_max_backlog = 16384
  221. net.core.dev_weight = 64
  222.  
  223. # Increase the maximum amount of option memory buffers
  224. net.core.optmem_max = 65535
  225.  
  226. # Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
  227. net.ipv4.tcp_max_tw_buckets = 1440000
  228.  
  229. # try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
  230. net.ipv4.tcp_tw_recycle = 0
  231. net.ipv4.tcp_tw_reuse = 1
  232.  
  233. # Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
  234. net.ipv4.tcp_max_orphans = 16384
  235. net.ipv4.tcp_orphan_retries = 0
  236.  
  237. # Limit the maximum memory used to reassemble IP fragments (CVE-2018-5391)
  238. net.ipv4.ipfrag_low_thresh = 196608
  239. net.ipv6.ip6frag_low_thresh = 196608
  240. net.ipv4.ipfrag_high_thresh = 262144
  241. net.ipv6.ip6frag_high_thresh = 262144
  242.  
  243.  
  244. # don't cache ssthresh from previous connection
  245. net.ipv4.tcp_no_metrics_save = 1
  246. net.ipv4.tcp_moderate_rcvbuf = 1
  247.  
  248. # Increase size of RPC datagram queue length
  249. net.unix.max_dgram_qlen = 50
  250.  
  251. # Don't allow the arp table to become bigger than this
  252. net.ipv4.neigh.default.gc_thresh3 = 2048
  253.  
  254. # Tell the gc when to become aggressive with arp table cleaning.
  255. # Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
  256. net.ipv4.neigh.default.gc_thresh2 = 1024
  257.  
  258. # Adjust where the gc will leave arp table alone - set to 32.
  259. net.ipv4.neigh.default.gc_thresh1 = 32
  260.  
  261. # Adjust to arp table gc to clean-up more often
  262. net.ipv4.neigh.default.gc_interval = 30
  263.  
  264. # Increase TCP queue length
  265. net.ipv4.neigh.default.proxy_qlen = 96
  266. net.ipv4.neigh.default.unres_qlen = 6
  267.  
  268. # Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
  269. net.ipv4.tcp_ecn = 1
  270. net.ipv4.tcp_reordering = 3
  271.  
  272. # How many times to retry killing an alive TCP connection
  273. net.ipv4.tcp_retries2 = 15
  274. net.ipv4.tcp_retries1 = 3
  275.  
  276. # Avoid falling back to slow start after a connection goes idle
  277. # keeps our cwnd large with the keep alive connections (kernel > 3.6)
  278. net.ipv4.tcp_slow_start_after_idle = 0
  279.  
  280. # Allow the TCP fastopen flag to be used, beware some firewalls do not like TFO! (kernel > 3.7)
  281. net.ipv4.tcp_fastopen = 3
  282.  
  283. # This will enusre that immediatly subsequent connections use the new values
  284. net.ipv4.route.flush = 1
  285. net.ipv6.route.flush = 1
  286.  
  287.  
  288.  
  289. ###
  290. ### Comments/suggestions/additions are welcome!
  291. ###
