sysctl.conf

a guest
Oct 3rd, 2017
296
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 8.59 KB | None | 0 0
  1. # Kernel sysctl configuration file for Linux
  2. #
  3. # Version 1.12 - 2015-09-30
  4. # Michiel Klaver - IT Professional
  5. # http://klaver.it/linux/ for the latest version - http://klaver.it/bsd/ for a BSD variant
  6. #
  7. # This file should be saved as /etc/sysctl.conf and can be activated using the command:
  8. # sysctl -e -p /etc/sysctl.conf
  9. #
  10. # For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and sysctl.conf(5) for more details.
  11. #
  12. # Tested with: Ubuntu 14.04 LTS kernel version 3.13
  13. #              Debian 7 kernel version 3.2
  14. #              CentOS 7 kernel version 3.10
  15.  
  16. #
  17. # Intended use for dedicated server systems at high-speed networks with loads of RAM and bandwidth available
  18. # Optimised and tuned for high-performance web/ftp/mail/dns servers with high connection-rates
  19. # DO NOT USE at busy networks or xDSL/Cable connections where packetloss can be expected
  20. # ----------
  21.  
  22. # Credits:
  23. # http://www.enigma.id.au/linux_tuning.txt
  24. # http://www.securityfocus.com/infocus/1729
  25. # http://fasterdata.es.net/TCP-tuning/linux.html
  26. # http://fedorahosted.org/ktune/browser/sysctl.ktune
  27. # http://www.cymru.com/Documents/ip-stack-tuning.html
  28. # http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
  29. # http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html
  30. # http://knol.google.com/k/linux-performance-tuning-and-measurement
  31. # http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/
  32. # http://www.redbooks.ibm.com/abstracts/REDP4285.html
  33. # http://www.speedguide.net/read_articles.php?id=121
  34. # http://lartc.org/howto/lartc.kernel.obscure.html
  35. # http://en.wikipedia.org/wiki/Sysctl
  36.  
  37.  
  38.  
  39. ###
  40. ### GENERAL SYSTEM SECURITY OPTIONS ###
  41. ###
  42.  
  43. # Controls the System Request debugging functionality of the kernel
  44. kernel.sysrq = 0
  45.  
  46. # Controls whether core dumps will append the PID to the core filename.
  47. # Useful for debugging multi-threaded applications.
  48. kernel.core_uses_pid = 1
  49.  
  50. #Allow for more PIDs
  51. kernel.pid_max = 65535
  52.  
  53. # The contents of /proc/<pid>/maps and smaps files are only visible to
  54. # readers that are allowed to ptrace() the process
  55. kernel.maps_protect = 1
  56.  
  57. #Enable ExecShield protection
  58. kernel.exec-shield = 1
  59. kernel.randomize_va_space = 2
  60.  
  61. # Controls the maximum size of a message, in bytes
  62. kernel.msgmnb = 65535
  63.  
  64. # Controls the default maxmimum size of a mesage queue
  65. kernel.msgmax = 65535
  66.  
  67. # Restrict core dumps
  68. fs.suid_dumpable = 0
  69.  
  70. # Hide exposed kernel pointers
  71. kernel.kptr_restrict = 1
  72.  
  73.  
  74.  
  75. ###
  76. ### IMPROVE SYSTEM MEMORY MANAGEMENT ###
  77. ###
  78.  
  79. # Increase size of file handles and inode cache
  80. fs.file-max = 209708
  81.  
  82. # Do less swapping
  83. vm.swappiness = 30
  84. vm.dirty_ratio = 30
  85. vm.dirty_background_ratio = 5
  86.  
  87. # specifies the minimum virtual address that a process is allowed to mmap
  88. vm.mmap_min_addr = 4096
  89.  
  90. # 50% overcommitment of available memory
  91. vm.overcommit_ratio = 50
  92. vm.overcommit_memory = 0
  93.  
  94. # Set maximum amount of memory allocated to shm to 256MB
  95. kernel.shmmax = 268435456
  96. kernel.shmall = 268435456
  97.  
  98. # Keep at least 64MB of free RAM space available
  99. vm.min_free_kbytes = 65535
  100.  
  101.  
  102.  
  103. ###
  104. ### GENERAL NETWORK SECURITY OPTIONS ###
  105. ###
  106.  
  107. #Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
  108. net.ipv4.tcp_syncookies = 1
  109. net.ipv4.tcp_syn_retries = 2
  110. net.ipv4.tcp_synack_retries = 2
  111. net.ipv4.tcp_max_syn_backlog = 4096
  112.  
  113. # Disables packet forwarding
  114. net.ipv4.ip_forward = 0
  115. net.ipv4.conf.all.forwarding = 0
  116. net.ipv4.conf.default.forwarding = 0
  117. net.ipv6.conf.all.forwarding = 0
  118. net.ipv6.conf.default.forwarding = 0
  119.  
  120. # Disables IP source routing
  121. net.ipv4.conf.all.send_redirects = 0
  122. net.ipv4.conf.default.send_redirects = 0
  123. net.ipv4.conf.all.accept_source_route = 0
  124. net.ipv4.conf.default.accept_source_route = 0
  125. net.ipv6.conf.all.accept_source_route = 0
  126. net.ipv6.conf.default.accept_source_route = 0
  127.  
  128. # Enable IP spoofing protection, turn on source route verification
  129. net.ipv4.conf.all.rp_filter = 1
  130. net.ipv4.conf.default.rp_filter = 1
  131.  
  132. # Disable ICMP Redirect Acceptance
  133. net.ipv4.conf.all.accept_redirects = 0
  134. net.ipv4.conf.default.accept_redirects = 0
  135. net.ipv4.conf.all.secure_redirects = 0
  136. net.ipv4.conf.default.secure_redirects = 0
  137. net.ipv6.conf.all.accept_redirects = 0
  138. net.ipv6.conf.default.accept_redirects = 0
  139.  
  140. # Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
  141. net.ipv4.conf.all.log_martians = 1
  142. net.ipv4.conf.default.log_martians = 1
  143.  
  144. # Decrease the time default value for tcp_fin_timeout connection
  145. net.ipv4.tcp_fin_timeout = 7
  146.  
  147. # Decrease the time default value for connections to keep alive
  148. net.ipv4.tcp_keepalive_time = 300
  149. net.ipv4.tcp_keepalive_probes = 5
  150. net.ipv4.tcp_keepalive_intvl = 15
  151.  
  152. # Don't relay bootp
  153. net.ipv4.conf.all.bootp_relay = 0
  154.  
  155. # Don't proxy arp for anyone
  156. net.ipv4.conf.all.proxy_arp = 0
  157.  
  158. # Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better
  159. net.ipv4.tcp_timestamps = 1
  160.  
  161. # Don't ignore directed pings
  162. net.ipv4.icmp_echo_ignore_all = 0
  163.  
  164. # Enable ignoring broadcasts request
  165. net.ipv4.icmp_echo_ignore_broadcasts = 1
  166.  
  167. # Enable bad error message Protection
  168. net.ipv4.icmp_ignore_bogus_error_responses = 1
  169.  
  170. # Allowed local port range
  171. net.ipv4.ip_local_port_range = 16384 65535
  172.  
  173. # Enable a fix for RFC1337 - time-wait assassination hazards in TCP
  174. net.ipv4.tcp_rfc1337 = 1
  175.  
  176. # Do not auto-configure IPv6
  177. net.ipv6.conf.all.autoconf=0
  178. net.ipv6.conf.all.accept_ra=0
  179. net.ipv6.conf.default.autoconf=0
  180. net.ipv6.conf.default.accept_ra=0
  181. net.ipv6.conf.eth0.autoconf=0
  182. net.ipv6.conf.eth0.accept_ra=0
  183.  
  184.  
  185.  
  186. ###
  187. ### TUNING NETWORK PERFORMANCE ###
  188. ###
  189.  
  190. # For high-bandwidth low-latency networks, use 'htcp' congestion control
  191. # Do a 'modprobe tcp_htcp' first
  192. net.ipv4.tcp_congestion_control = htcp
  193.  
  194. # For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
  195. net.core.default_qdisc = fq
  196.  
  197. # Turn on the tcp_window_scaling
  198. net.ipv4.tcp_window_scaling = 1
  199.  
  200. # Increase the read-buffer space allocatable
  201. net.ipv4.tcp_rmem = 8192 87380 16777216
  202. net.ipv4.udp_rmem_min = 16384
  203. net.core.rmem_default = 262144
  204. net.core.rmem_max = 16777216
  205.  
  206. # Increase the write-buffer-space allocatable
  207. net.ipv4.tcp_wmem = 8192 65536 16777216
  208. net.ipv4.udp_wmem_min = 16384
  209. net.core.wmem_default = 262144
  210. net.core.wmem_max = 16777216
  211.  
  212. # Increase number of incoming connections
  213. net.core.somaxconn = 32768
  214.  
  215. # Increase number of incoming connections backlog
  216. net.core.netdev_max_backlog = 16384
  217. net.core.dev_weight = 64
  218.  
  219. # Increase the maximum amount of option memory buffers
  220. net.core.optmem_max = 65535
  221.  
  222. # Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
  223. net.ipv4.tcp_max_tw_buckets = 1440000
  224.  
  225. # try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
  226. net.ipv4.tcp_tw_recycle = 0
  227. net.ipv4.tcp_tw_reuse = 1
  228.  
  229. # Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
  230. net.ipv4.tcp_max_orphans = 16384
  231. net.ipv4.tcp_orphan_retries = 0
  232.  
  233. # Increase the maximum memory used to reassemble IP fragments
  234. net.ipv4.ipfrag_high_thresh = 512000
  235. net.ipv4.ipfrag_low_thresh = 446464
  236.  
  237. # don't cache ssthresh from previous connection
  238. net.ipv4.tcp_no_metrics_save = 1
  239. net.ipv4.tcp_moderate_rcvbuf = 1
  240.  
  241. # Increase size of RPC datagram queue length
  242. net.unix.max_dgram_qlen = 50
  243.  
  244. # Don't allow the arp table to become bigger than this
  245. net.ipv4.neigh.default.gc_thresh3 = 2048
  246.  
  247. # Tell the gc when to become aggressive with arp table cleaning.
  248. # Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
  249. net.ipv4.neigh.default.gc_thresh2 = 1024
  250.  
  251. # Adjust where the gc will leave arp table alone - set to 32.
  252. net.ipv4.neigh.default.gc_thresh1 = 32
  253.  
  254. # Adjust to arp table gc to clean-up more often
  255. net.ipv4.neigh.default.gc_interval = 30
  256.  
  257. # Increase TCP queue length
  258. net.ipv4.neigh.default.proxy_qlen = 96
  259. net.ipv4.neigh.default.unres_qlen = 6
  260.  
  261. # Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
  262. net.ipv4.tcp_ecn = 1
  263. net.ipv4.tcp_reordering = 3
  264.  
  265. # How many times to retry killing an alive TCP connection
  266. net.ipv4.tcp_retries2 = 15
  267. net.ipv4.tcp_retries1 = 3
  268.  
  269. # Avoid falling back to slow start after a connection goes idle
  270. # keeps our cwnd large with the keep alive connections (kernel > 3.6)
  271. net.ipv4.tcp_slow_start_after_idle = 0
  272.  
  273. # Allow the TCP fastopen flag to be used, beware some firewalls do not like TFO! (kernel > 3.7)
  274. net.ipv4.tcp_fastopen = 3
  275.  
  276. # This will enusre that immediatly subsequent connections use the new values
  277. net.ipv4.route.flush = 1
  278. net.ipv6.route.flush = 1
  279.  
  280.  
  281.  
  282. ###
  283. ### Comments/suggestions/additions are welcome!
  284. ###