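# Linux kernel tweaking for performance and security on a busy Linux
# server with a decent amount of memory.
#
# This file should be saved as /etc/sysctl.conf
# You can source it manually if your system has booted by using:
#   sysctl -e -p /etc/sysctl.conf
# (-e makes sysctl continue past keys the running kernel does not know,
#  e.g. the sunrpc.* entries below when the sunrpc module is not loaded.)
#
# Paul Day, paul (at) bur.st
#
# Last updated 02/03/05 and tested on 2.6.9
# The values are the author's for that kernel; several kernel defaults have
# changed since, so compare against `sysctl -a` before applying elsewhere.
#
# Format: one "key = value" per line, full-line "#" comments only.
# Multi-field values (tcp_rmem, ip_local_port_range, ...) are space separated.

# ---------------------------------------------------------------------------
# SunRPC / UNIX sockets
# ---------------------------------------------------------------------------

# Increase RPC slots
sunrpc.tcp_slot_table_entries = 32
sunrpc.udp_slot_table_entries = 32

# Increase size of RPC datagram queue length
net.unix.max_dgram_qlen = 50

# ---------------------------------------------------------------------------
# IPv4 per-interface settings
# "default" applies to interfaces created after this file is loaded; "all" is
# combined by the kernel with each existing interface's own value (the
# combination rule differs per key), so both branches are set here.
# ---------------------------------------------------------------------------

# Log spoofed, source routed and redirected packets (martians)
net.ipv4.conf.default.log_martians = 1

# Don't accept source routed packets
net.ipv4.conf.default.accept_source_route = 0

# Don't send redirects
net.ipv4.conf.default.send_redirects = 0

# Reverse path filtering on - incoming packets must match outgoing routing
net.ipv4.conf.default.rp_filter = 1

# Don't accept redirects
net.ipv4.conf.default.accept_redirects = 0

# Don't do multicast forwarding
# (the original note said "source routes"; that is accept_source_route above)
net.ipv4.conf.default.mc_forwarding = 0

# Disable IP forwarding
net.ipv4.conf.default.forwarding = 0

# Log spoofed, source routed and redirected packets (martians)
net.ipv4.conf.all.log_martians = 1

# Don't relay bootp
net.ipv4.conf.all.bootp_relay = 0

# Don't proxy arp for anyone
net.ipv4.conf.all.proxy_arp = 0

# Don't accept source routed packets
net.ipv4.conf.all.accept_source_route = 0

# Don't send redirects
net.ipv4.conf.all.send_redirects = 0

# Reverse path filtering on - incoming packets must match outgoing routing
net.ipv4.conf.all.rp_filter = 1

# Don't accept redirects
net.ipv4.conf.all.accept_redirects = 0

# Don't do multicast forwarding
net.ipv4.conf.all.mc_forwarding = 0

# Don't enable IP forwarding
net.ipv4.conf.all.forwarding = 0

# ---------------------------------------------------------------------------
# Neighbour (ARP) table
# ---------------------------------------------------------------------------

# Hard limit - don't allow the arp table to become bigger than this
net.ipv4.neigh.default.gc_thresh3 = 2048

# Size above which the gc becomes aggressive with arp table cleaning.
# Adjust this based on size of the LAN; the author's note suggested 256 for
# most LANs, 1024 is what this file applies.
net.ipv4.neigh.default.gc_thresh2 = 1024

# Size below which the gc leaves the arp table alone - set to 32
net.ipv4.neigh.default.gc_thresh1 = 32

# Run the arp table gc more often (seconds)
net.ipv4.neigh.default.gc_interval = 30

# Neighbour queue lengths (these are ARP queues, not TCP settings):
# proxy_qlen - max packets queued for proxy ARP
# unres_qlen - max packets queued per unresolved neighbour entry
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6

# ---------------------------------------------------------------------------
# TCP memory
# ---------------------------------------------------------------------------

# Increase size of socket buffers: "min default max" in bytes for
# tcp_rmem/tcp_wmem; tcp_mem is "low pressure high" in pages
net.ipv4.tcp_rmem = 4096 98304 349520
net.ipv4.tcp_wmem = 4096 65535 262142
net.ipv4.tcp_mem = 98304 262142 393216

# ---------------------------------------------------------------------------
# TCP behaviour
# ---------------------------------------------------------------------------

# Turn off D-SACK (duplicate SACK)
net.ipv4.tcp_dsack = 0

# Don't use ECN because too many sites have wacky routers that can't handle it
net.ipv4.tcp_ecn = 0

# Packets that may be reordered before assuming loss (kernel default is 3)
net.ipv4.tcp_reordering = 3

# Turn off FACK (forward acknowledgement)
net.ipv4.tcp_fack = 0

# Enable bad error message protection - ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore broadcast pings, could become part of a Smurf
net.ipv4.icmp_echo_ignore_broadcasts = 1

# But don't ignore directed pings
net.ipv4.icmp_echo_ignore_all = 0

# Local (ephemeral) port range "low high".
# Note: many 2.6 kernels already default to 32768 61000, so this range is
# narrower, not wider; check `sysctl net.ipv4.ip_local_port_range` and widen
# it if a busy server runs short of ephemeral ports.
net.ipv4.ip_local_port_range = 33000 60000

# Bump up the TCP SYN queue to help with syn floods
net.ipv4.tcp_max_syn_backlog = 2048

# Turn syn-cookie protection on (used once the SYN queue above fills)
net.ipv4.tcp_syncookies = 1

# Seconds a socket stays in FIN-WAIT-2, so a missing FIN times out quicker
net.ipv4.tcp_fin_timeout = 30

# Retransmissions before giving up on an established connection
# (tcp_retries2, kernel default 15) and before reporting trouble to the
# network layer (tcp_retries1, kernel default 3)
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3

# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
net.ipv4.tcp_rfc1337 = 1

# Drop keep-alive time: seconds of idle before the first keepalive probe
# (kernel default is 7200)
net.ipv4.tcp_keepalive_time = 3600

# Number of times to retry a SYN-ACK for a half-open new connection.
# 5 is the kernel default; a lower value frees half-open entries sooner
# under a SYN flood, at the cost of dropping slow legitimate handshakes.
net.ipv4.tcp_synack_retries = 5

# Number of times to retry a SYN for a new outgoing connection
net.ipv4.tcp_syn_retries = 5

# Turn off SACK entirely (also makes tcp_dsack/tcp_fack above moot).
# This costs throughput on lossy paths; kept as the author set it.
net.ipv4.tcp_sack = 0

# Enable really big (>65kB) TCP window scaling if we want it
net.ipv4.tcp_window_scaling = 1

# Turn off timestamps.
# Turn this back on if you're on a gigabit or very busy network: timestamps
# are what PAWS (RFC 1323 sequence-wrap protection) relies on, and without
# them window scaling above cannot safely be used at high bandwidth.
# Having it off is one less thing the IP stack needs to work on.
net.ipv4.tcp_timestamps = 0

# ---------------------------------------------------------------------------
# Core networking
# ---------------------------------------------------------------------------

# Increase the cap on the listen() backlog for incoming connections
net.core.somaxconn = 512

# Bump optmem_max up (max ancillary buffer per socket)
net.core.optmem_max = 20480

# Increase the backlog of incoming packets queued for the kernel to process
# (packets, not connections - that is somaxconn above)
net.core.netdev_max_backlog = 1024

# Max packets a device may process per NAPI poll (kernel default is 64)
net.core.dev_weight = 64

# Bump up default r/wmem to max
net.core.rmem_default = 262141
net.core.wmem_default = 262141

# Bump up max r/wmem
net.core.rmem_max = 262141
net.core.wmem_max = 262141

# ---------------------------------------------------------------------------
# Filesystem
# ---------------------------------------------------------------------------

# Increase the system-wide limit on open file handles
fs.file-max = 209708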