System/Kernel Parameter For Better Security/Performance #37
```
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Turn on exec-shield (only present on older RHEL/CentOS kernels; other kernels report an unknown key)
kernel.exec-shield = 1
# ASLR: 1 randomizes stack, mmap and VDSO; 2 also randomizes the heap (brk)
kernel.randomize_va_space = 1
# Tune IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
# Optimization for port use for LBs
# Increase system file descriptor limit
fs.file-max = 65535
# Allow for more PIDs (reduces PID rollover); the default is 32768, and some programs may break above it
kernel.pid_max = 65536
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size settable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
# TCP windows etc
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
```

Found some other useful parameters at http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html
We have some more at http://rtcamp.com/tutorials/linux/sysctl-conf/ (used on rtCamp.com). We need to find a logical way to tweak these values. As of now we are doing it randomly :|
I observed Also related - https://rtcamp.com/tutorials/linux/increase-open-files-limit/
@MiteshShah let's reduce swap usage
About - https://rtcamp.com/tutorials/linux/increase-open-files-limit/ pam limit may not be needed for nginx/php/mysql
I see a lot of ideas coming up for all sorts of "tuning".
@Rippler your concerns are valid. I am also thinking we should avoid over-optimizing at all costs. Maybe we should touch values like:
Only yesterday I came across this answer - http://askubuntu.com/a/184221/47565 which made me believe it's not quite right to set Any further suggestions are welcome. :-)
@rahul286 I support your thinking here. Another thing that perhaps should be considered here is that people don't end up with lower maximum values than before (e.g. if some default is 4096, someone increased it to 100000 and it ends up getting tuned to 65535).
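As an added check (not code from this issue or the project), the script below parses a sysctl.conf fragment like the one at the top of the thread, compares it with the kernel's live values under /proc/sys, and refuses to lower the limit keys, which is the concern raised just above about a host tuned to 100000 being pulled down to 65535; the RAISE_ONLY set, the action names and the sample values are my own assumptions.

```python
from pathlib import Path
# Limits that must never be lowered (the concern above: a host tuned to 100000 should not drop to 65535).
RAISE_ONLY = {"fs.file-max", "kernel.pid_max", "net.core.rmem_max",
              "net.core.wmem_max", "net.core.netdev_max_backlog"}

def parse_sysctl(text):
    """Parse 'key = value' lines of a sysctl.conf fragment; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        key, sep, value = raw.split("#", 1)[0].partition("=")
        if sep:
            conf[key.strip()] = " ".join(value.split())
    return conf

def read_live(keys, proc_root="/proc/sys"):
    """Current values from /proc/sys; keys this kernel lacks map to None."""
    live = {}
    for key in keys:
        try:
            live[key] = " ".join(Path(proc_root, *key.split(".")).read_text().split())
        except OSError:
            live[key] = None
    return live

def plan(desired, live):
    """Per key: 'set', 'ok' (equal), 'keep' (raise-only, already higher) or 'missing' (no such key)."""
    actions = {}
    for key, want in desired.items():
        have = live.get(key)
        if have is None:
            actions[key] = "missing"
        elif have == want:
            actions[key] = "ok"
        elif key in RAISE_ONLY and int(have) > int(want):
            actions[key] = "keep"
        else:
            actions[key] = "set"
    return actions

# Constructed fragment and constructed "live" values so this runs offline;
# on a real host use read_live(desired) in place of SAMPLE_LIVE.
SAMPLE_CONF = """
net.ipv4.tcp_syncookies = 1   # SYN flood protection
net.ipv4.conf.all.rp_filter = 1
fs.file-max = 65535
kernel.exec-shield = 1
net.ipv4.ip_local_port_range = 2000 65000
"""
SAMPLE_LIVE = {"net.ipv4.tcp_syncookies": "0", "net.ipv4.conf.all.rp_filter": "1", "fs.file-max": "100000",
               "kernel.exec-shield": None, "net.ipv4.ip_local_port_range": "32768 60999"}
```

Calling `plan(parse_sysctl(SAMPLE_CONF), SAMPLE_LIVE)` yields `set` for the syncookie and port-range keys, `ok` for rp_filter, `keep` for fs.file-max (already higher) and `missing` for kernel.exec-shield.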
Can these things be handled differently with docker? Are they still relevant?
For 8 core CPU and 32GB RAM