# Version 1.9 - 2011-03-23 # Michiel Klaver - IT Professional # http://klaver.it/linux/ for the latest version - http://klaver.it/bsd/ for a BSD variant # # This file should be saved as /etc/sysctl.conf and can be activated using the command: # sysctl -e -p /etc/sysctl.conf # # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details. # # Tested with: Debian 4 etchnhalf kernel version 2.6.24 default stock out-of-the-box # Debian 5 kernel version 2.6.26 default stock out-of-the-box # CentOS 5.4 kernel 2.6.18 default stock out-of-the-box # # Intended use for dedicated server systems at high-speed networks with loads of RAM and bandwidth available # Optimised and tuned for high-performance web/ftp/mail/dns servers with high connection-rates # DO NOT USE at busy networks or xDSL/Cable connections where packetloss can be expected # ---------- # Credits: # http://www.enigma.id.au/linux_tuning.txt # http://www.securityfocus.com/infocus/1729 # http://fasterdata.es.net/TCP-tuning/linux.html # http://fedorahosted.org/ktune/browser/sysctl.ktune # http://www.cymru.com/Documents/ip-stack-tuning.html # http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt # http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html # http://knol.google.com/k/linux-performance-tuning-and-measurement # http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/ # http://www.redbooks.ibm.com/abstracts/REDP4285.html # http://www.speedguide.net/read_articles.php?id=121 # http://lartc.org/howto/lartc.kernel.obscure.html # http://en.wikipedia.org/wiki/Sysctl ### ### GENERAL SYSTEM SECURITY OPTIONS ### ### # Auto-reboot linux 30 seconds after a kernel panic kernel.panic = 30 kernel.panic_on_oops = 30 # Controls the System Request debugging functionality of the kernel kernel.sysrq = 0 # Controls whether core dumps will append the PID to the core filename. # Useful for debugging multi-threaded applications. kernel.core_uses_pid = 1 #Allow for more PIDs kernel.pid_max = 65536 # The contents of /proc/<pid>/maps and smaps files are only visible to # readers that are allowed to ptrace() the process kernel.maps_protect = 1 #Enable ExecShield protection kernel.exec-shield = 1 kernel.randomize_va_space = 1 # Controls the maximum size of a message, in bytes kernel.msgmnb = 65536 # Controls the default maxmimum size of a mesage queue kernel.msgmax = 65536 ### ### IMPROVE SYSTEM MEMORY MANAGEMENT ### ### # Increase size of file handles and inode cache fs.file-max = 209708 # Do less swapping vm.swappiness = 10 vm.dirty_ratio = 60 vm.dirty_background_ratio = 2 # specifies the minimum virtual address that a process is allowed to mmap vm.mmap_min_addr = 4096 # No overcommitment of available memory vm.overcommit_ratio = 0 vm.overcommit_memory = 0 # Set maximum amount of memory allocated to shm to 256MB kernel.shmmax = 268435456 kernel.shmall = 268435456 # Keep at least 64MB of free RAM space available vm.min_free_kbytes = 65536 ### ### GENERAL NETWORK SECURITY OPTIONS ### ### #Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached) net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_syn_retries = 5 net.ipv4.tcp_synack_retries = 2 net.ipv4.tcp_max_syn_backlog = 4096 # Disables packet forwarding net.ipv4.ip_forward = 0 net.ipv4.conf.all.forwarding = 0 net.ipv4.conf.default.forwarding = 0 net.ipv6.conf.all.forwarding = 0 net.ipv6.conf.default.forwarding = 0 # Disables IP source routing net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 # Enable IP spoofing protection, turn on source route verification net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 # Disable ICMP Redirect Acceptance net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 # Disable Log Spoofed Packets, Source Routed Packets, Redirect Packets net.ipv4.conf.all.log_martians = 0 net.ipv4.conf.default.log_martians = 0 # Decrease the time default value for tcp_fin_timeout connection net.ipv4.tcp_fin_timeout = 15 # Decrease the time default value for connections to keep alive net.ipv4.tcp_keepalive_time = 300 net.ipv4.tcp_keepalive_probes = 5 net.ipv4.tcp_keepalive_intvl = 15 # Don't relay bootp net.ipv4.conf.all.bootp_relay = 0 # Don't proxy arp for anyone net.ipv4.conf.all.proxy_arp = 0 # Turn on SACK net.ipv4.tcp_dsack = 1 net.ipv4.tcp_sack = 1 net.ipv4.tcp_fack = 1 # Turn on the tcp_timestamps net.ipv4.tcp_timestamps = 1 # Don't ignore directed pings net.ipv4.icmp_echo_ignore_all = 0 # Enable ignoring broadcasts request net.ipv4.icmp_echo_ignore_broadcasts = 1 # Enable bad error message Protection net.ipv4.icmp_ignore_bogus_error_responses = 1 # Allowed local port range net.ipv4.ip_local_port_range = 16384 65536 # Enable a fix for RFC1337 - time-wait assassination hazards in TCP net.ipv4.tcp_rfc1337 = 1 ### ### TUNING NETWORK PERFORMANCE ### ### # Do a 'modprobe tcp_cubic' first net.ipv4.tcp_congestion_control = cubic # Turn on the tcp_window_scaling net.ipv4.tcp_window_scaling = 1 # Increase the maximum total buffer-space allocatable # This is measured in units of pages (4096 bytes) net.ipv4.tcp_mem = 65536 131072 262144 net.ipv4.udp_mem = 65536 131072 262144 # Increase the read-buffer space allocatable net.ipv4.tcp_rmem = 8192 87380 16777216 net.ipv4.udp_rmem_min = 16384 net.core.rmem_default = 131072 net.core.rmem_max = 16777216 # Increase the write-buffer-space allocatable net.ipv4.tcp_wmem = 8192 65536 16777216 net.ipv4.udp_wmem_min = 16384 net.core.wmem_default = 131072 net.core.wmem_max = 16777216 # Increase number of incoming connections net.core.somaxconn = 32768 # Increase number of incoming connections backlog net.core.netdev_max_backlog = 4096 net.core.dev_weight = 64 # Increase the maximum amount of option memory buffers net.core.optmem_max = 65536 # Increase the maximum number of skb-heads to be cached #net.core.hot_list_length = 1024 # Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks net.ipv4.tcp_max_tw_buckets = 1440000 net.ipv4.tcp_tw_recycle = 1 net.ipv4.tcp_tw_reuse = 1 # Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory net.ipv4.tcp_max_orphans = 16384 net.ipv4.tcp_orphan_retries = 0 # Increase the maximum memory used to reassemble IP fragments net.ipv4.ipfrag_high_thresh = 512000 net.ipv4.ipfrag_low_thresh = 446464 # don't cache ssthresh from previous connection net.ipv4.tcp_no_metrics_save = 1 net.ipv4.tcp_moderate_rcvbuf = 1 # Increase RPC slots sunrpc.tcp_slot_table_entries = 32 sunrpc.udp_slot_table_entries = 32 # Increase size of RPC datagram queue length net.unix.max_dgram_qlen = 50 # Don't allow the arp table to become bigger than this net.ipv4.neigh.default.gc_thresh3 = 2048 # Tell the gc when to become aggressive with arp table cleaning. # Adjust this based on size of the LAN. 1024 is suitable for most /24 networks net.ipv4.neigh.default.gc_thresh2 = 1024 # Adjust where the gc will leave arp table alone - set to 32. net.ipv4.neigh.default.gc_thresh1 = 32 # Adjust to arp table gc to clean-up more often net.ipv4.neigh.default.gc_interval = 30 # Increase TCP queue length net.ipv4.neigh.default.proxy_qlen = 96 net.ipv4.neigh.default.unres_qlen = 6 # Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you net.ipv4.tcp_ecn = 1 net.ipv4.tcp_ecn = 2 net.ipv4.tcp_reordering = 3 # How many times to retry killing an alive TCP connection net.ipv4.tcp_retries2 = 15 net.ipv4.tcp_retries1 = 3 # This will enusre that immediatly subsequent connections use the new values net.ipv4.route.flush = 1 net.ipv6.route.flush = 1 ### ### Comments/suggestions/additions are welcome! ###