Kernel Parameters
Settings for sysctl that increase performance or security
Edit files for persistence
vi /etc/sysctl.d/02-netIO.conf
### /etc/sysctl.d/02-netIO.conf
### Kernel settings for TCP

# Provide adequate buffer memory.
# rmem_max and wmem_max are the TCP max buffer sizes
# settable with setsockopt(), in bytes.
# tcp_rmem and tcp_wmem are per socket, in bytes.
# tcp_mem is for all TCP streams, in 4096-byte pages.
# The following are suggested on IBM's
# High Performance Computing page.
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.rmem_default = 1048576
net.core.wmem_default = 1048576
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 87380 16777216
# This server might have 2048 clients simultaneously, so:
# max(tcp_wmem) * 2 * 2048 / 4096 = 16777216
net.ipv4.tcp_mem = 16777216 16777216 16777216
net.ipv4.udp_rmem_min = 16384
net.ipv4.udp_wmem_min = 16384
# Maximum size of the per-socket ancillary (control message) buffer, in bytes
net.core.optmem_max = 65536
# Upper limit on the listen() backlog, i.e. how many pending connections
# the kernel will queue per listening socket
net.core.somaxconn = 16384
# Disable TCP SACK (TCP Selective Acknowledgement),
# DSACK (duplicate TCP SACK), and FACK (Forward Acknowledgement).
# tcp_fack is a legacy option that current kernels ignore.
net.ipv4.tcp_sack = 0
net.ipv4.tcp_dsack = 0
net.ipv4.tcp_fack = 0
# Disable the gradual speed increase that's useful
# on variable-speed WANs but not for us
net.ipv4.tcp_slow_start_after_idle = 0
# Enabling Window Scaling (RFC 1323) increases the maximum receive
# window size and allows high-latency connections to achieve
# better throughput.
net.ipv4.tcp_window_scaling = 1
# Enabling TCP Low Latency effectively tells the operating system
# to sacrifice throughput for lower latency, for latency-sensitive workloads.
# This is a legacy option that current kernels ignore.
net.ipv4.tcp_low_latency = 1
# Enabling TCP Fast Open allows application data to be sent in
# the initial SYN packet in certain situations.
net.ipv4.tcp_fastopen = 1
# Change the amount of time we wait for TIME_WAIT states.
# Default is 120s (legacy ip_conntrack key name; current kernels
# expose it as net.netfilter.nf_conntrack_tcp_timeout_time_wait)
#net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 15
# Maximum number of tracked connections
# Default is 65536
net.nf_conntrack_max = 65536
# Time before an established connection times out.
# Default is 4320000
net.netfilter.nf_conntrack_tcp_timeout_established = 600
# Set the maximum number of packets queued on the INPUT side when the interface
# receives packets faster than the kernel can process them
net.core.netdev_max_backlog = 65536
# TCP Timestamps (default = 1)
#net.ipv4.tcp_timestamps = 0
# Fast-fail FIN connections, which are useless.
net.ipv4.tcp_fin_timeout = 15
# Change TCP keepalive parameters
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 10
net.ipv4.tcp_keepalive_probes = 6

# Kernel options that increase network security

# Add some protection against SYN floods
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_syn_retries = 6
net.ipv4.tcp_synack_retries = 3
net.ipv4.tcp_syncookies = 1
# Protect against TCP time-wait assassination hazards
net.ipv4.tcp_rfc1337 = 1
# Set the kernel's reverse path filtering mechanism to 1 (on).
# Performs source validation of the packets received on all interfaces
# of the machine. Protects against attackers using IP spoofing
# methods to do harm (default):
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
# Log martian packets
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1
# Ignore echo broadcast requests (prevent SMURF attacks)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# ICMP routing and redirecting
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
vi /etc/sysctl.d/99-sysctl.conf
# Lock down access to dmesg
kernel.dmesg_restrict = 1
# Prefer to keep pages in RAM rather than swap
vm.swappiness = 10
# Deny internal kernel information to attackers
kernel.kptr_restrict = 2
Load files actively
Once the files are created, they will be loaded automatically at boot. If the server hasn't been rebooted yet, these changes aren't active. To make them active now, use sysctl -p to load them:
sudo sysctl -p /etc/sysctl.d/02-netIO.conf
sudo sysctl -p /etc/sysctl.d/99-sysctl.conf
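After loading, it is worth confirming that every key actually took effect: sysctl -p only prints an error for keys the running kernel does not expose, and a later file in /etc/sysctl.d can override an earlier one. As an added example (not part of the original page), the following POSIX sh script compares a sysctl.d file against the live values in /proc/sys and reports keys that are missing or have drifted; the function names and the constructed sample fragment are assumptions.

```shell
#!/bin/sh
# Added example: detect drift between a sysctl.d file and the kernel's live values.
# Assumed helper names: parse_sysctl_conf, live_sysctl, sysctl_drift, demo_drift.

# Turn "key = value" / "key=value" lines into "key<TAB>value"; drop comments and blanks,
# and collapse internal whitespace so "4096 87380 16777216" compares equal to /proc/sys output.
parse_sysctl_conf() {
  sed 's/#.*//' "$1" | awk '
    index($0, "=") {
      key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val); gsub(/[ \t]+/, " ", val)
      if (key != "") print key "\t" val
    }'
}

# Read the live value of one key from /proc/sys (dots become slashes); fails if the key is absent.
live_sysctl() {
  path="/proc/sys/$(printf '%s' "$1" | tr . /)"
  [ -r "$path" ] || return 1
  tr '\t' ' ' < "$path"
}

# Report keys in FILE ($1) whose live value (via READER $2, default live_sysctl) is absent or differs.
# Prints one "MISSING key" or "DRIFT key expected=... live=..." line per problem; empty if all match.
sysctl_drift() {
  parse_sysctl_conf "$1" | while IFS="$(printf '\t')" read -r key want; do
    if have=$("${2:-live_sysctl}" "$key"); then
      [ "$have" = "$want" ] || printf 'DRIFT %s expected=%s live=%s\n' "$key" "$want" "$have"
    else
      printf 'MISSING %s\n' "$key"
    fi
  done
}

# Fake reader standing in for /proc/sys in the demo (constructed values, not a real host):
# kptr_restrict matches, tcp_rmem has drifted, swappiness is absent.
fake_live() {
  case $1 in
    kernel.kptr_restrict) echo 2 ;;
    net.ipv4.tcp_rmem) printf '4096 131072 6291456\n' ;;
    *) return 1 ;;
  esac
}

# Stand-alone demo over a constructed three-key fragment taken from the files above.
demo_drift() {
  tmp=$(mktemp)
  printf '# constructed sample\nkernel.kptr_restrict = 2\nnet.ipv4.tcp_rmem = 4096 87380 16777216\nvm.swappiness=10\n' > "$tmp"
  sysctl_drift "$tmp" fake_live
  rm -f "$tmp"
}
demo_drift
```

Run it against a real file with `sysctl_drift /etc/sysctl.d/02-netIO.conf` (no second argument) to use the live /proc/sys values.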