Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
branch: master
Fetching contributors…

Cannot retrieve contributors at this time

227 lines (168 sloc) 8.729 kb
# /etc/sysctl.d/bobdo.conf
# ----------------------------------------------------------------------
# This file is used to tune various system, kernel and network features.
#
# To apply the settings of this file to one of the following:
# cat /path/to/bobdo.conf > /etc/sysctl.conf && sysctl -p
# or
# sysctl -p /path/to/bobdo.conf
#
# The following list of links are some good reads on this topic!
#
# http://www.frozentux.net/documents/ipsysctl-tutorial/
# http://fasterdata.es.net/host-tuning/linux/
# http://www.cyberciti.biz/files/linux-kernel/Documentation/networking/ip-sysctl.txt
# http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/
# http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html
# http://itresident.com/nginx/nginx-and-php-fpm-for-heavy-load-wordpress-web-server-with-high-traffic-2000-concurrent-connections/
# http://www.postgresql.org/docs/devel/static/kernel-resources.html
# ----------------------------------------------------------------------
# ----------------------------------------------------------------------
# KERNEL
# ----------------------------------------------------------------------
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
# Change this to your domain!
kernel.domainname = bobdo.net
# Turn on ExecShield feature.
kernel.exec-shield = 1
# Change this to your hostname!
kernel.hostname = bobdo
# Reboot the server automatically after 10 seconds of kernel panic.
kernel.panic = 10
# Increase process identifiers limit; 2^22 is the maximum possible.
kernel.pid_max = 4194303
# Randomize the address space our software is using to prevent some old
# shell exploits which rely on the usage of specific spaces.
kernel.randomize_va_space = 1
# The maximum number and size of semaphore sets that can be allocated.
kernel.sem = 250 32000 100 128
# The maximum amount of shared memory that can be allocated.
kernel.shmall = 2097152
# The maximum size of a shared memory segment.
kernel.shmmax = 2147483648
# The maximum number of shared memory segments.
kernel.shmmni = 4096
# Disable the magic SysRq key.
kernel.sysrq = 0
# ----------------------------------------------------------------------
# IPv4: Configuration for all Interfaces
# ----------------------------------------------------------------------
# Defines if our interfaces accept ICMP redirects. This is generally
# considered a security risk and should be turned off!
net.ipv4.conf.all.accept_redirects = 0
# Tells the kernel if it should allow source routed packets. This is
# generaly considered a security risk and should be turned off!
net.ipv4.conf.all.accept_source_route = 0
# Tells the kernel if it should be bound to a specific ARP address. This
# can be useful in load balancing situations, but generally it should be
# kept off.
net.ipv4.conf.all.arp_filter = 0
# This enables logging of all packets which contains impossible addresses
# to the kernel logging facility. Default is turned of and we do not
# bother to evaluate this data so we keep it turned off.
net.ipv4.conf.all.log_martians = 0
# Enable reserves patch filter on all our interfaces. This validates
# that the actual source address used by packets correlate properyl with
# our routing table, and that packets with this specfic source IP address
# are supposed to get their replis back through that interface again.
# This might be turned on on startup by default, check the rc.d scripts.
# If a server is connected to several routers this might lead to an
# unresponsive server because it simply drops any packets which will not
# be answered by the same router.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 0
# ----------------------------------------------------------------------
# IPv4: Internet Control Message Protocol Configuration
# ----------------------------------------------------------------------
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# ----------------------------------------------------------------------
# IPv4: Internet Protocol Configuration
# ----------------------------------------------------------------------
# Required to enable IPv4 forwarding.
net.ipv4.ip_forward = 0
net.ipv4.ip_local_port_range = 1024 65536
# ----------------------------------------------------------------------
# IPv4: Transmission Control Protocol Configuration
# ----------------------------------------------------------------------
# The following explanation is taken from: http://fasterdata.es.net/host-tuning/linux/
#
# Linux supports pluggable congestion control algorithms. To get a list
# of congestion control algorithms that are available in your kernel
# (kernal 2.6.20+), run:
#
# sysctl net.ipv4.tcp_available_congestion_control
#
# If cubic and/or htcp are not listed try the following, as most
# distributions include them as loadable kernel modules:
#
# /sbin/modprobe tcp_htcp
# /sbin/modprobe tcp_cubic
#
# NOTE: There seem to be bugs in both bic and cubic for a number of
# versions of the Linux kernel up to version 2.6.33. We recommend using
# htcp with older kernels to be safe. To set the congestion control do:
#
# sysctl -w net.ipv4.tcp_congestion_control=htcp
#
# ----------------------------------------------------------------------
#
# We use TCP VEGAS because it's the best algorithm. Be sure to load it
# with:
#
# /sbin/modprobe tcp_vegas
net.ipv4.tcp_congestion_control = vegas
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_max_syn_backlog = 65536
# The defaults of this are just fine!
#net.ipv4.tcp_mem = 4096 87380 67108864
# Increase Linux autotuning TCP buffer limit.
net.ipv4.tcp_rmem = 4096 87380 67108864
net.ipv4.tcp_sack = 1
net.ipv4.tcp_synack_retries = 2
# This enables SYN flood protection. The SYN cookies activation allows
# our system to accept an unlimited number of TCP connections while
# still trying to give reasonable service during a denial of service
# attack.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
# Increase Linux autotuning TCP buffer limit.
net.ipv4.tcp_wmem = 4096 65536 67108864
net.ipv4.route.flush = 1
net.ipv4.max_orphans = 5500
# ----------------------------------------------------------------------
# IPv6
# ----------------------------------------------------------------------
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
net.ipv6.conf.default.router_solicitations = 0
# ----------------------------------------------------------------------
# Net Core
# ----------------------------------------------------------------------
# Increase the length of the processor input queue.
net.core.netdev_max_backlog = 250000
net.core.optmem_max = 67108864
net.core.somaxconn = 65536
# Increase TCP max buffer size setable using setsockopt().
net.core.rmem_default = 67108864
net.core.rmem_max = 67108864
net.core.wmem_default = 67108864
net.core.wmem_max = 67108864
# ----------------------------------------------------------------------
# Misc
# ----------------------------------------------------------------------
fs.file-max = 262144
net.netfilter.nf_conntrack_max = 262144
net.netfilter.nf_conntrack_tcp_loose = 0
net.netfilter.nf_conntrack_acct = 0
vm.max_map_count = 262144
Jump to Line
Something went wrong with that request. Please try again.