
msx's /etc/sysctl.conf

a guest
Jun 11th, 2012
  1. #
  2. # Kernel sysctl configuration
  3. #
  4.  
  5. # Disable packet forwarding
  6. net.ipv4.ip_forward=0
  7.  
  8. # Disable the magic-sysrq key (console security issues)
  9. kernel.sysrq = 1
  10.  
  11. # Enable TCP SYN Cookie Protection
  12. #net.ipv4.tcp_syncookies = 1
  13.  
  14. fs.inotify.max_user_watches = 524288
  15. vm.swappiness = 10
  16. vm.vfs_cache_pressure = 50
  17.  
  18.  
  19. ###
  20. # Disable syncookies (syncookies are not RFC compliant and can use too muche resources)
  21. net.ipv4.tcp_syncookies = 0
  22.  
  23. # Basic TCP tuning
  24. net.ipv4.tcp_keepalive_time = 600
  25. net.ipv4.tcp_synack_retries = 3
  26. net.ipv4.tcp_syn_retries = 3
  27.  
  28. # RFC1337
  29. net.ipv4.tcp_rfc1337 = 1
  30.  
  31. # Defines the local port range that is used by TCP and UDP
  32. # to choose the local port
  33. #net.ipv4.ip_local_port_range = 1024-65535
  34.  
  35. # Log packets with impossible addresses to kernel log
  36. net.ipv4.conf.all.log_martians = 1
  37.  
  38. # Minimum interval between garbage collection passes This interval is
  39. # in effect under high memory pressure on the pool
  40. net.ipv4.inet_peer_gc_mintime = 5
  41.  
  42. # Disable Explicit Congestion Notification in TCP
  43. net.ipv4.tcp_ecn = 0
  44.  
  45. # Enable window scaling as defined in RFC1323
  46. net.ipv4.tcp_window_scaling = 1
  47.  
  48. # Enable timestamps (RFC1323)
  49. net.ipv4.tcp_timestamps = 1
  50.  
  51. # Enable select acknowledgments
  52. net.ipv4.tcp_sack = 1
  53.  
  54. # Enable FACK congestion avoidance and fast restransmission
  55. net.ipv4.tcp_fack = 1
  56.  
  57. # Allows TCP to send "duplicate" SACKs
  58. net.ipv4.tcp_dsack = 1
  59.  
  60. # Controls IP packet forwarding
  61. net.ipv4.ip_forward = 0
  62.  
  63. # No controls source route verification (RFC1812)
  64. net.ipv4.conf.default.rp_filter = 0
  65.  
  66. # Enable fast recycling TIME-WAIT sockets
  67. net.ipv4.tcp_tw_recycle = 1
  68.  
  69. # TODO : change TCP_SYNQ_HSIZE in include/net/tcp.h
  70. # to keep TCP_SYNQ_HSIZE*16<=tcp_max_syn_backlog
  71. net.ipv4.tcp_max_syn_backlog = 20000
  72.  
  73. # tells the kernel how many TCP sockets that are not attached
  74. # to any user file handle to maintain
  75. #net.ipv4.tcp_max_orphans = $max_orphan
  76.  
  77. # How may times to retry before killing TCP connection, closed by our side
  78. net.ipv4.tcp_orphan_retries = 1
  79.  
  80. # how long to keep sockets in the state FIN-WAIT-2
  81. # if we were the one closing the socket
  82. net.ipv4.tcp_fin_timeout = 20
  83.  
  84. # maximum number of sockets in TIME-WAIT to be held simultaneously
  85. #net.ipv4.tcp_max_tw_buckets = $max_tw
  86.  
  87. # don't cache ssthresh from previous connection
  88. net.ipv4.tcp_no_metrics_save = 1
  89. net.ipv4.tcp_moderate_rcvbuf = 1
  90.  
  91. # increase Linux autotuning TCP buffer limits
  92. net.ipv4.tcp_rmem = 4096 87380 16777216
  93. net.ipv4.tcp_wmem = 4096 65536 16777216
  94.  
  95. # increase TCP max buffer size
  96. net.core.rmem_max = 16777216
  97. net.core.wmem_max = 16777216
  98.  
  99. net.core.netdev_max_backlog = 2500
  100. net.core.somaxconn = 65000
  101.  
  102. # You can monitor the kernel behavior with regard to the dirty
  103. # pages by using grep -A 1 dirty /proc/vmstat
  104. #vm.dirty_background_ratio = $vm_dirty_bg_ratio
  105. #vm.dirty_ratio = $vm_dirty_ratio
  106.  
  107. # required free memory (set to 1% of physical ram)
  108. vm.min_free_kbytes = 80000
  109.  
  110. # system open file limit
  111. #fs.file-max = $file_max
  112.  
  113. # Core dump suidsafe
  114. fs.suid_dumpable = 2
  115.  
  116. kernel.printk = 4 4 1 7
  117. kernel.core_uses_pid = 1
  118. kernel.msgmax = 65536
  119. kernel.msgmnb = 65536
  120.  
  121. # Maximum shared segment size in bytes
  122. #kernel.shmmax = $shmmax
  123.  
  124. # Maximum number of shared memory segments in pages
  125. #kernel.shmall = 2097152
  126.  
  127.  
  128.  
  129.  
  130. # Kernel sysctl configuration file for Linux
  131. #
  132. # Version 1.9 - 2011-03-23
  133. # Michiel Klaver - IT Professional
  134. # http://klaver.it/linux/ for the latest version - http://klaver.it/bsd/ for a BSD variant
  135. #
  136. # This file should be saved as /etc/sysctl.conf and can be activated using the command:
  137. # sysctl -e -p /etc/sysctl.conf
  138. #
  139. # For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and sysctl.conf(5) for more details.
  140. #
  141. # Tested with: Debian 4 etchnhalf kernel version 2.6.24 default stock out-of-the-box
  142. #              Debian 5 kernel version 2.6.26 default stock out-of-the-box
  143. #              CentOS 5.4 kernel 2.6.18 default stock out-of-the-box
  144.  
  145. #
  146. # Intended use for dedicated server systems at high-speed networks with loads of RAM and bandwidth available
  147. # Optimised and tuned for high-performance web/ftp/mail/dns servers with high connection-rates
  148. # DO NOT USE at busy networks or xDSL/Cable connections where packetloss can be expected
  149. # ----------
  150.  
  151. # Credits:
  152. # http://www.enigma.id.au/linux_tuning.txt
  153. # http://www.securityfocus.com/infocus/1729
  154. # http://fasterdata.es.net/TCP-tuning/linux.html
  155. # http://fedorahosted.org/ktune/browser/sysctl.ktune
  156. # http://www.cymru.com/Documents/ip-stack-tuning.html
  157. # http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
  158. # http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html
  159. # http://knol.google.com/k/linux-performance-tuning-and-measurement
  160. # http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/
  161. # http://www.redbooks.ibm.com/abstracts/REDP4285.html
  162. # http://www.speedguide.net/read_articles.php?id=121
  163. # http://lartc.org/howto/lartc.kernel.obscure.html
  164. # http://en.wikipedia.org/wiki/Sysctl
  165.  
  166.  
  167.  
  168. ###
  169. ### GENERAL SYSTEM SECURITY OPTIONS ###
  170. ###
  171.  
  172. # Auto-reboot linux 30 seconds after a kernel panic
  173. kernel.panic = 10
  174. kernel.panic_on_oops = 15
  175.  
  176. # Controls the System Request debugging functionality of the kernel
  177. #kernel.sysrq = 0
  178.  
  179. # Controls whether core dumps will append the PID to the core filename.
  180. # Useful for debugging multi-threaded applications.
  181. #kernel.core_uses_pid = 1
  182.  
  183. #Allow for more PIDs
  184. #kernel.pid_max = 65536
  185.  
  186. # The contents of /proc/<pid>/maps and smaps files are only visible to
  187. # readers that are allowed to ptrace() the process
  188. kernel.maps_protect = 1
  189.  
  190. #Enable ExecShield protection
  191. kernel.exec-shield = 1
  192. kernel.randomize_va_space = 1
  193.  
  194. # Controls the maximum size of a message, in bytes
  195. #kernel.msgmnb = 65536
  196.  
  197. # Controls the default maxmimum size of a mesage queue
  198. #kernel.msgmax = 65536
  199.  
  200.  
  201.  
  202. ###
  203. ### IMPROVE SYSTEM MEMORY MANAGEMENT ###
  204. ###
  205.  
  206. # Increase size of file handles and inode cache
  207. #fs.file-max = 209708
  208.  
  209. # Do less swapping
  210. #vm.swappiness = 10
  211. vm.dirty_ratio = 60
  212. vm.dirty_background_ratio = 2
  213.  
  214. # specifies the minimum virtual address that a process is allowed to mmap
  215. vm.mmap_min_addr = 4096
  216.  
  217. # No overcommitment of available memory
  218. vm.overcommit_ratio = 0
  219. vm.overcommit_memory = 0
  220.  
  221. # Set maximum amount of memory allocated to shm to 256MB
  222. kernel.shmmax = 268435456
  223. kernel.shmall = 268435456
  224.  
  225. # Keep at least 64MB of free RAM space available
  226. vm.min_free_kbytes = 65536
  227.  
  228.  
  229.  
  230. ###
  231. ### GENERAL NETWORK SECURITY OPTIONS ###
  232. ###
  233.  
  234. #Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
  235. net.ipv4.tcp_syncookies = 1
  236. net.ipv4.tcp_syn_retries = 5
  237. net.ipv4.tcp_synack_retries = 2
  238. net.ipv4.tcp_max_syn_backlog = 4096
  239.  
  240. # Disables packet forwarding
  241. net.ipv4.ip_forward = 0
  242. net.ipv4.conf.all.forwarding = 0
  243. net.ipv4.conf.default.forwarding = 0
  244. net.ipv6.conf.all.forwarding = 0
  245. net.ipv6.conf.default.forwarding = 0
  246.  
  247. # Disables IP source routing
  248. net.ipv4.conf.all.send_redirects = 0
  249. net.ipv4.conf.default.send_redirects = 0
  250. net.ipv4.conf.all.accept_source_route = 0
  251. net.ipv4.conf.default.accept_source_route = 0
  252. net.ipv6.conf.all.accept_source_route = 0
  253. net.ipv6.conf.default.accept_source_route = 0
  254.  
  255. # Enable IP spoofing protection, turn on source route verification
  256. net.ipv4.conf.all.rp_filter = 1
  257. net.ipv4.conf.default.rp_filter = 1
  258.  
  259. # Disable ICMP Redirect Acceptance
  260. net.ipv4.conf.all.accept_redirects = 0
  261. net.ipv4.conf.default.accept_redirects = 0
  262. net.ipv6.conf.all.accept_redirects = 0
  263. net.ipv6.conf.default.accept_redirects = 0
  264.  
  265. # Disable Log Spoofed Packets, Source Routed Packets, Redirect Packets
  266. net.ipv4.conf.all.log_martians = 0
  267. net.ipv4.conf.default.log_martians = 0
  268.  
  269. # Decrease the time default value for tcp_fin_timeout connection
  270. net.ipv4.tcp_fin_timeout = 15
  271.  
  272. # Decrease the time default value for connections to keep alive
  273. net.ipv4.tcp_keepalive_time = 300
  274. net.ipv4.tcp_keepalive_probes = 5
  275. net.ipv4.tcp_keepalive_intvl = 15
  276.  
  277. # Don't relay bootp
  278. net.ipv4.conf.all.bootp_relay = 0
  279.  
  280. # Don't proxy arp for anyone
  281. net.ipv4.conf.all.proxy_arp = 0
  282.  
  283. # Turn on SACK
  284. net.ipv4.tcp_dsack = 1
  285. net.ipv4.tcp_sack = 1
  286. net.ipv4.tcp_fack = 1
  287.  
  288. # Turn on the tcp_timestamps
  289. net.ipv4.tcp_timestamps = 1
  290.  
  291. # Don't ignore directed pings
  292. net.ipv4.icmp_echo_ignore_all = 0
  293.  
  294. # Enable ignoring broadcasts request
  295. net.ipv4.icmp_echo_ignore_broadcasts = 1
  296.  
  297. # Enable bad error message Protection
  298. net.ipv4.icmp_ignore_bogus_error_responses = 1
  299.  
  300. # Allowed local port range
  301. #net.ipv4.ip_local_port_range = 16384 65536
  302.  
  303. # Enable a fix for RFC1337 - time-wait assassination hazards in TCP
  304. net.ipv4.tcp_rfc1337 = 1
  305.  
  306.  
  307.  
  308. ###
  309. ### TUNING NETWORK PERFORMANCE ###
  310. ###
  311.  
  312. # Do a 'modprobe tcp_cubic' first
  313. net.ipv4.tcp_congestion_control = cubic
  314.  
  315. # Turn on the tcp_window_scaling
  316. net.ipv4.tcp_window_scaling = 1
  317.  
  318. # Increase the maximum total buffer-space allocatable
  319. # This is measured in units of pages (4096 bytes)
  320. net.ipv4.tcp_mem = 65536 131072 262144
  321. net.ipv4.udp_mem = 65536 131072 262144
  322.  
  323. # Increase the read-buffer space allocatable
  324. net.ipv4.tcp_rmem = 8192 87380 16777216
  325. net.ipv4.udp_rmem_min = 16384
  326. net.core.rmem_default = 131072
  327. net.core.rmem_max = 16777216
  328.  
  329. # Increase the write-buffer-space allocatable
  330. net.ipv4.tcp_wmem = 8192 65536 16777216
  331. net.ipv4.udp_wmem_min = 16384
  332. net.core.wmem_default = 131072
  333. net.core.wmem_max = 16777216
  334.  
  335. # Increase number of incoming connections
  336. net.core.somaxconn = 32768
  337.  
  338. # Increase number of incoming connections backlog
  339. net.core.netdev_max_backlog = 4096
  340. net.core.dev_weight = 64
  341.  
  342. # Increase the maximum amount of option memory buffers
  343. net.core.optmem_max = 65536
  344.  
  345. # Increase the maximum number of skb-heads to be cached
  346. net.core.hot_list_length = 1024
  347.  
  348. # Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
  349. net.ipv4.tcp_max_tw_buckets = 1440000
  350. net.ipv4.tcp_tw_recycle = 1
  351. net.ipv4.tcp_tw_reuse = 1
  352.  
  353. # Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
  354. net.ipv4.tcp_max_orphans = 16384
  355. net.ipv4.tcp_orphan_retries = 0
  356.  
  357. # Increase the maximum memory used to reassemble IP fragments
  358. net.ipv4.ipfrag_high_thresh = 512000
  359. net.ipv4.ipfrag_low_thresh = 446464
  360.  
  361. # don't cache ssthresh from previous connection
  362. net.ipv4.tcp_no_metrics_save = 1
  363. net.ipv4.tcp_moderate_rcvbuf = 1
  364.  
  365. # Increase RPC slots
  366. sunrpc.tcp_slot_table_entries = 32
  367. sunrpc.udp_slot_table_entries = 32
  368.  
  369. # Increase size of RPC datagram queue length
  370. net.unix.max_dgram_qlen = 50
  371.  
  372. # Don't allow the arp table to become bigger than this
  373. net.ipv4.neigh.default.gc_thresh3 = 2048
  374.  
  375. # Tell the gc when to become aggressive with arp table cleaning.
  376. # Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
  377. net.ipv4.neigh.default.gc_thresh2 = 1024
  378.  
  379. # Adjust where the gc will leave arp table alone - set to 32.
  380. net.ipv4.neigh.default.gc_thresh1 = 32
  381.  
  382. # Adjust to arp table gc to clean-up more often
  383. net.ipv4.neigh.default.gc_interval = 30
  384.  
  385. # Increase TCP queue length
  386. net.ipv4.neigh.default.proxy_qlen = 96
  387. net.ipv4.neigh.default.unres_qlen = 6
  388.  
  389. # Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
  390. net.ipv4.tcp_ecn = 1
  391. net.ipv4.tcp_ecn = 2
  392. net.ipv4.tcp_reordering = 3
  393.  
  394. # How many times to retry killing an alive TCP connection
  395. net.ipv4.tcp_retries2 = 15
  396. net.ipv4.tcp_retries1 = 3
  397.  
  398. # This will enusre that immediatly subsequent connections use the new values
  399. net.ipv4.route.flush = 1
  400. net.ipv6.route.flush = 1