Mateen Ahmed


Tuesday, 16 April 2013

Linux Kernel /etc/sysctl.conf

Posted on 15:11 by Unknown




/etc/sysctl.conf can be a powerful way of changing kernel settings at run-time. If you have sysctl.conf support compiled into your kernel, you can edit parameters in the sysctl.conf to change the way your kernel behaves. This article will attempt to outline a number of sysctl configuration options. I've tried to include detailed descriptions, so you can make your own judgements on what I've recommended. Just for reference, I use Annvix (www.annvix.org) Linux and a custom 2.4.32 kernel with the OpenWall (www.openwall.org) patches installed.





net.ipv4.ip_forward = 0


As listed, this will disable IP forwarding from this machine. This disables the ability of this machine to act as a router and forward traffic to other machines. Possible states for this option are 1 and 0.





net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1


This option attempts to verify packet source addresses using reverse path filtering. It requires that replies to packets with a particular source address arrive on the same interface those packets were sent out on. Possible states for this option are 1 and 0. Note: this option has a detrimental effect on Linux machines set up as a router that use advanced or policy routing, as it has a tendency to drop packets.





net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1


This option tells the kernel to log the source address of all packets with no route back to the source address. Martian packets are seemingly "dropped in from Mars," because we have no idea where they came from, or how to get them back. Kernel default is off (0). Possible states are 1 and 0.





net.ipv4.icmp_echo_ignore_broadcasts = 1


This option instructs the kernel to ignore ICMP messages sent to broadcast or multicast addresses. It helps to prevent smurf attacks, among other things, and answering such requests is generally unnecessary unless you need to know how many hosts on your network are alive. Kernel default is off (0). Possible states are 1 and 0.





net.ipv4.icmp_ignore_bogus_error_responses = 1


This option ignores incorrectly constructed ICMP error messages. Basically, it saves space in your logs, since some routers don't send out proper error messages, and oh, hey look, we don't care. Kernel default is off (0). Possible states are 1 and 0.





fs.file-max = 8192


This option specifies the max number of file handles that can be opened at one time. Default setting is 4096.





fs.inode-max = 32768


This option specifies the max number of inodes that can be opened at one time. Default setting is 4096.





net.ipv4.ip_local_port_range = 32768 61000


This option defines the range of ports that we allow clients to connect on. The default value of this variable depends on how much RAM your machine has. If you have more than 1024 MB of RAM, this variable will default to a lower bound of 32768 and a higher bound of 61000. Also, see the option I added on "tcp_tw_recycle" below.





net.ipv4.tcp_tw_recycle = 0


This option is somewhat related to the previous option. It enables fast recycling of sockets in the TIME_WAIT state. This can increase performance significantly, but can also have an adverse effect on stability. It is generally (sometimes) fine to enable this on a local network, but it is not advisable where network delays (like those found on the internet) could exist. Possible states are 1 and 0.





net.ipv4.tcp_syncookies = 1


When the server's SYN queue overflows, this option enables the kernel to send out SYN cookies to verify that the SYN packets it is receiving are legitimate. Note that this option may help performance, but it is also a violation of the TCP protocol. It should not be used as a tuning mechanism for heavily loaded servers; instead see tcp_max_syn_backlog, tcp_synack_retries, and tcp_abort_on_overflow. I've included information for them below. Also note that the use of this option disables TCP window scaling. The kernel must be compiled with CONFIG_SYN_COOKIES. Default value is 0. Possible states are 1 and 0.





net.ipv4.tcp_max_syn_backlog = 2048


This option defines the maximum socket queue size for TCP SYN requests. It can be used as an alternative to SYN cookies. Kernel defaults are 128 if you have less than 128 MB of RAM, and 1024 if you have more than 128 MB of RAM.





net.ipv4.tcp_synack_retries = 5


This option defines the maximum number of attempts that the kernel will make to establish a connected state on a TIME_WAIT connection. It is useful for tuning against DoS attacks such as SYN flooding, as an alternative to SYN cookies. Kernel default is 5, and each connection takes about 35 seconds, so the default timeout for half-open passive TCP connections is 180 seconds. Takes an integer value, but it should be left at 5 or lower unless there is a really good reason.





net.ipv4.tcp_syn_retries = 5


This option defines the maximum number of attempts that the kernel will make to establish a connected state on an _active_ TCP connection. Note that this differs from tcp_synack_retries in that it relates to connections that the kernel is making actively. Kernel default is 5, and each connection takes about 35 seconds, so the default timeout for active TCP connections is 180 seconds. Takes an integer value, but it should be left at 5 or lower unless there is a really good reason.





net.ipv4.tcp_abort_on_overflow = 0


This option instructs the kernel to send RST responses to incoming connections when the daemon is flooded with connect requests that it cannot handle. If this is set to 0, the system will attempt to handle all requests. As recommended in the sysctl documentation, it is good to leave this at 0 unless absolutely necessary, as it may affect your clients. It's a last-ditch option.





net.ipv4.tcp_fin_timeout = 10


This option tells the kernel how long to keep connections in the FIN-WAIT-2 state. If the remote end does not properly close its connection, then this option instructs the kernel to drop the connection in 10 seconds. Default is 60.








net.ipv4.tcp_keepalive_time = 1800


This option tells the kernel how long to wait before sending keepalive packets on TCP connections in a keepalive state. This setting is related to tcp_keepalive_probes and tcp_keepalive_intvl, which are described below. Setting this to 1800 will make the kernel wait 30 minutes before sending any keepalive probes to determine if the connection is still valid. For a connection in keepalive state to be dropped, the kernel waits until tcp_keepalive_time (in our case, 60 seconds). Then it sends up to tcp_keepalive_probes (default 9) probes to determine if the host is alive. The probes are sent at the interval defined in tcp_keepalive_intvl (default 75, i.e. one probe every 75 seconds). Default is 7200.





net.ipv4.tcp_keepalive_probes = 9


This option defines how many probes will be sent to a host after the keepalive timeout is reached. Default is 9.





net.ipv4.tcp_keepalive_intvl = 75


This option defines the interval (in seconds) between sending TCP keepalive probes. Default is 75.





echo "0" > /proc/sys/net/ipv4/tcp_window_scaling


Just a quick rundown of TCP windows. There is a lot here, so I didn't feel like commenting it. Default is on.

A "TCP window" is the maximum amount of outstanding data that a user can send on a particular connection before it requires a response from the receiver acknowledging that the receiver has indeed received at least some of the data. The kernel will only send data up to the TCP window size limit before waiting for a response from the far end. The default TCP window is 32KB. This value is defined in /usr/src/linux/include/net/tcp.h, in the setting #define MAX_TCP_WINDOW 32767U. TCP buffers help to maximize the efficiency of a connection. Having low TCP window sizes on a high-latency connection (like the internet) will decrease efficiency. TCP window scaling (tcp_window_scaling) enables TCP to use windows greater than 64KB. This works in conjunction with TCP's autotuning features. TCP has an autotuning feature which will attempt to determine the best window sizes for connections automatically. Disabling the tcp_window_scaling feature disables TCP windows and autotuning. For more information see http://www.psc.edu/networking/projects/tcptune/, and the ip-sysctl documentation.





net.ipv4.tcp_timestamps = 0


This option instructs the kernel to disable TCP timestamps. Timestamps are used to calculate Round-Trip Time (RTT). With this option enabled (1), data packets are sent with timestamps, and returning ACK packets also carry timestamps. RTT can then be calculated by comparing the values. Timestamps are also used by the PAWS (Protection Against Wrapped Sequences) algorithm to ensure that TCP sequence numbers have not wrapped before packets are delivered. Problems arise when packets are delayed and the TCP sequence numbers wrap before the delayed packets are delivered. A DoS condition can exist in certain situations with this option enabled, as PAWS can sometimes be tricked into dropping valid packets. Also, leaving this enabled means it's just "one more thing" for the kernel to do. Default is 1. Possible values are 1 and 0.





net.ipv4.conf.all.accept_source_route = 0


This option will disable source routing for this machine. If this machine isn't a router, you probably don't need source routing. Default is 1. Possible values are 1 and 0.





net.ipv4.conf.all.send_redirects = 0


This option instructs the kernel to NOT send ICMP redirect messages. Other related ICMP options are listed below. Possible values are 1 and 0.





net.ipv4.ipfrag_time = 20


This option tells the handler how long to keep an IP fragment in memory, 20 seconds in this case. Only fragments that can not yet be assembled are kept here, since fragments that can be assembled have already been moved.





net.ipv4.conf.all.accept_redirects = 0


Refuse to accept ICMP redirects. We don't want someone telling us that there is a 'faster' or 'better' path, and potentially hijacking our connection. Default is on (1).





net.ipv4.tcp_ecn = 0


Don't use Explicit Congestion Notification in our packets. Some routers don't like it.





net.ipv4.tcp_rfc1337 = 1


This option requires compliance with RFC 1337. With this option enabled, the kernel ignores RST packets sent to a connection in the TIME_WAIT state. Instead, the connection waits to time out as normal. I don't know what you guys' comments on this are; I usually leave it on.


net.ipv4.conf.all.proxy_arp = 0


We don't really want to proxy ARP for anyone, do we? This option is turned off by default, but just to be safe...





net.ipv4.route.flush = 1


Disable autocaching of window sizes in the routing table.







sysctl command




The sysctl command is used to modify kernel parameters at runtime. /etc/sysctl.conf is a text file containing sysctl values to be read in and set by sysctl at boot time. To view current values, enter:

# sysctl -a

# sysctl -A

# sysctl mib

# sysctl net.ipv4.conf.all.rp_filter

To load settings, enter:

# sysctl -p
Sample /etc/sysctl.conf


Edit /etc/sysctl.conf and update it as follows. The file is documented with comments. However, I recommend reading the official Linux kernel sysctl tuning help file (see below):

# The following is suitable for dedicated web server, mail, ftp server etc.
# ---------------------------------------
# BOOLEAN Values:
# a) 0 (zero) - disabled / no / false
# b) Non zero - enabled / yes / true
# --------------------------------------
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
#net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
########## IPv4 networking start ##############
# Send redirects, if router, but this is just server
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Accept packets with SRR option? No
net.ipv4.conf.all.accept_source_route = 0
# Accept Redirects? No, this is not router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Prevent against the common 'syn flood attack'
net.ipv4.tcp_syncookies = 1
# Enable source validation by reversed path, as specified in RFC1812
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
########## IPv6 networking start ##############
# Number of Router Solicitations to send until assuming no routers are present.
# This is host and not router
net.ipv6.conf.default.router_solicitations = 0
# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0
# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0
# Setting controls whether the system will accept Hop Limit settings from a router advertisement
net.ipv6.conf.default.accept_ra_defrtr = 0
# router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0
# how many neighbor solicitations to send out per address?
net.ipv6.conf.default.dad_transmits = 0
# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1
########## IPv6 networking ends ##############
# Enable ExecShield protection
kernel.exec-shield = 1
kernel.randomize_va_space = 1
# TCP and memory optimization
# increase TCP max buffer size settable using setsockopt()
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608
# increase Linux auto tuning TCP buffer limits
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1
# increase system file descriptor limit
fs.file-max = 65535
# Allow for more PIDs
kernel.pid_max = 65536
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
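As an added example (not part of the original post), the following Python audit parses sysctl.conf text or the output of sysctl -a and reports every key whose value deviates from the hardened values recommended above, then prints the sysctl.conf lines that would fix them. The SAMPLE text is a constructed stand-in for a real host's output.

```python
"""Audit sysctl values against the hardening baseline from this post (added
example, not the post's own code). Understands sysctl.conf(5) syntax:
'#' or ';' comment lines, 'key = value', 'net/ipv4/...' keys, last wins."""
# Baseline: the values the post recommends for a host that is not a router.
BASELINE = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.conf.default.log_martians": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.proxy_arp": "0",
    "net.ipv4.tcp_rfc1337": "1",
}

def parse_sysctl(text):
    """Parse sysctl.conf text or 'sysctl -a' output into {dotted_key: value}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line or comment line
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.replace("/", ".")  # sysctl also accepts '/' as separator
        settings[key] = " ".join(value.split())  # tabs in ranges -> one space
    return settings  # a repeated key keeps its last value, as sysctl -p does

def audit(current, baseline=BASELINE):
    """Return {key: (current_or_None, expected)} for every deviating key."""
    return {k: (current.get(k), v) for k, v in baseline.items()
            if current.get(k) != v}

def remediation(deviations):
    """sysctl.conf lines that would bring every deviating key to baseline."""
    return [f"{k} = {want}" for k, (_, want) in sorted(deviations.items())]

# Constructed 'sysctl -a' style sample: syncookies commented out, forwarding
# on, loose rp_filter spelled with '/', and a repeated key (last value wins).
SAMPLE = """\
#net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 1
net/ipv4/conf/all/rp_filter = 2
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.ip_local_port_range = 32768\t61000
"""

if __name__ == "__main__":
    for k, (have, want) in sorted(audit(parse_sysctl(SAMPLE)).items()):
        print(f"{k}: have {have!r}, want {want!r}")
```

To audit a live host, pass the text of sysctl -a to parse_sysctl instead of SAMPLE; a key reported as None is one the host never sets (or has commented out), not one set to 0.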
