dkulagin · February 1, 2018 20:50
diff --git a/sysctl.conf b/sysctl.conf
 # Kernel sysctl configuration file for Linux
 #
 # This file should be saved as /etc/sysctl.conf and can be activated using the command:
 # sysctl -e -p /etc/sysctl.conf
 #
 # For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and sysctl.conf(5) for more details.
 # ----------
 # Credits:
 # https://klaver.it/linux/sysctl.conf
 # http://whatizee.blogspot.com/2015/02/webserverftpserver-sysctlconf-parameter.html
 # https://easyengine.io/tutorials/linux/sysctl-conf/

 ###
 ### GENERAL SYSTEM SECURITY OPTIONS ###
 ###

 # Controls the System Request debugging functionality of the kernel
 kernel.sysrq = 0

 # Controls whether core dumps will append the PID to the core filename.
 # Useful for debugging multi-threaded applications.
 kernel.core_uses_pid = 1

 #Allow for more PIDs
 kernel.pid_max = 65535

 #Enable ExecShield protection
 # kernel.exec-shield = 1
 kernel.randomize_va_space = 2

 # Controls the maximum size of a message, in bytes
 kernel.msgmnb = 65535

 # Controls the default maxmimum size of a mesage queue
 kernel.msgmax = 65535

 # Restrict core dumps
 fs.suid_dumpable = 0

 # Hide exposed kernel pointers
 kernel.kptr_restrict = 1

 ###
 ### IMPROVE SYSTEM MEMORY MANAGEMENT ###
 ###

 # Increase size of file handles and inode cache
 fs.file-max = 2097152
 fs.inotify.max_queued_events=2000000
 fs.inotify.max_user_instances=512
 fs.inotify.max_user_watches=4000000

 # Do less swapping
 vm.dirty_ratio = 60
 vm.swappiness = 10
 vm.dirty_background_ratio = 2

 # specifies the minimum virtual address that a process is allowed to mmap
 vm.mmap_min_addr = 4096

 # Keep at least 64MB of free RAM space available
 vm.min_free_kbytes = 65535

 ###
 ### GENERAL NETWORK SECURITY OPTIONS ###
 ###

 #Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
 net.ipv4.tcp_syncookies = 1
 net.ipv4.tcp_syn_retries = 2
 net.ipv4.tcp_synack_retries = 2
 net.ipv4.tcp_max_syn_backlog = 4096

 # Disables packet forwarding
 net.ipv4.ip_forward = 0
 net.ipv4.conf.all.forwarding = 0
 net.ipv4.conf.default.forwarding = 0
 net.ipv6.conf.all.forwarding = 0
 net.ipv6.conf.default.forwarding = 0

 # Disables IP source routing
 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.send_redirects = 0
 net.ipv4.conf.all.accept_source_route = 0
 net.ipv4.conf.default.accept_source_route = 0
 net.ipv6.conf.all.accept_source_route = 0
 net.ipv6.conf.default.accept_source_route = 0

 # Enable IP spoofing protection, turn on source route verification
 net.ipv4.conf.all.rp_filter = 1
 net.ipv4.conf.default.rp_filter = 1

 # Disable ICMP Redirect Acceptance
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.default.accept_redirects = 0
 net.ipv4.conf.all.secure_redirects = 0
 net.ipv4.conf.default.secure_redirects = 0
 net.ipv6.conf.all.accept_redirects = 0
 net.ipv6.conf.default.accept_redirects = 0

 # Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
 net.ipv4.conf.all.log_martians = 1
 net.ipv4.conf.default.log_martians = 1

 # Decrease the time default value for tcp_fin_timeout connection
 net.ipv4.tcp_fin_timeout = 7

 # Decrease the time default value for connections to keep alive
 net.ipv4.tcp_keepalive_time = 300
 net.ipv4.tcp_keepalive_probes = 5
 net.ipv4.tcp_keepalive_intvl = 15

 # Don't relay bootp
 net.ipv4.conf.all.bootp_relay = 0

 # Don't proxy arp for anyone
 net.ipv4.conf.all.proxy_arp = 0

 # Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better
 net.ipv4.tcp_timestamps = 1

 # Don't ignore directed pings
 net.ipv4.icmp_echo_ignore_all = 0

 # Enable ignoring broadcasts request
 net.ipv4.icmp_echo_ignore_broadcasts = 1

 # Enable bad error message Protection
 net.ipv4.icmp_ignore_bogus_error_responses = 1

 # Allowed local port range
 net.ipv4.ip_local_port_range = 16384 65535

 # Enable a fix for RFC1337 - time-wait assassination hazards in TCP
 net.ipv4.tcp_rfc1337 = 1

 # Do not auto-configure IPv6
 net.ipv6.conf.all.autoconf=0
 net.ipv6.conf.all.accept_ra=0
 net.ipv6.conf.default.autoconf=0
 net.ipv6.conf.default.accept_ra=0

 ###
 ### TUNING NETWORK PERFORMANCE ###
 ###

 # Turn on the tcp_window_scaling
 net.ipv4.tcp_window_scaling = 1

 # Default Socket Receive Buffer
 net.core.rmem_default = 31457280

 # Maximum Socket Receive Buffer
 net.core.rmem_max = 12582912

 # Default Socket Send Buffer
 net.core.wmem_default = 31457280

 # Maximum Socket Send Buffer
 net.core.wmem_max = 12582912

 # Increase number of incoming connections
 net.core.somaxconn = 4096

 # Increase number of incoming connections backlog
 net.core.netdev_max_backlog = 65536

 # Increase the maximum amount of option memory buffers
 net.core.optmem_max = 25165824

 # Increase the maximum total buffer-space allocatable
 # This is measured in units of pages (4096 bytes)
 net.ipv4.tcp_mem = 65536 131072 262144
 net.ipv4.udp_mem = 65536 131072 262144

 # Increase the read-buffer space allocatable
 net.ipv4.tcp_rmem = 8192 87380 16777216
 net.ipv4.udp_rmem_min = 16384

 # Increase the write-buffer-space allocatable
 net.ipv4.tcp_wmem = 8192 65536 16777216
 net.ipv4.udp_wmem_min = 16384


 # Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
 net.ipv4.tcp_max_tw_buckets = 1440000

 # try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
 net.ipv4.tcp_tw_recycle = 0
 net.ipv4.tcp_tw_reuse = 1

 # Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
 net.ipv4.tcp_max_orphans = 16384
 net.ipv4.tcp_orphan_retries = 0

 # don't cache ssthresh from previous connection
 net.ipv4.tcp_no_metrics_save = 1
 net.ipv4.tcp_moderate_rcvbuf = 1

 # Increase size of RPC datagram queue length
 net.unix.max_dgram_qlen = 50

 # Don't allow the arp table to become bigger than this
 net.ipv4.neigh.default.gc_thresh3 = 2048

 # Tell the gc when to become aggressive with arp table cleaning.
 # Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
 net.ipv4.neigh.default.gc_thresh2 = 1024

 # Adjust where the gc will leave arp table alone - set to 32.
 net.ipv4.neigh.default.gc_thresh1 = 32

 # Adjust to arp table gc to clean-up more often
 net.ipv4.neigh.default.gc_interval = 30

 # Increase TCP queue length
 net.ipv4.neigh.default.proxy_qlen = 96
 net.ipv4.neigh.default.unres_qlen = 6

 # Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
 net.ipv4.tcp_ecn = 1
 net.ipv4.tcp_reordering = 3

 # How many times to retry killing an alive TCP connection
 net.ipv4.tcp_retries2 = 15
 net.ipv4.tcp_retries1 = 3

 # Avoid falling back to slow start after a connection goes idle
 # keeps our cwnd large with the keep alive connections (kernel > 3.6)
 net.ipv4.tcp_slow_start_after_idle = 0

 # This will enusre that immediatly subsequent connections use the new values
 net.ipv4.route.flush = 1
 net.ipv6.route.flush = 1
	# Kernel sysctl configuration file for Linux
	#
	# This file should be saved as /etc/sysctl.conf and can be activated using the command:
	# sysctl -e -p /etc/sysctl.conf
	#
	# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details.
	# ----------
	# Credits:
	# https://klaver.it/linux/sysctl.conf
	# http://whatizee.blogspot.com/2015/02/webserverftpserver-sysctlconf-parameter.html
	# https://easyengine.io/tutorials/linux/sysctl-conf/

	###
	### GENERAL SYSTEM SECURITY OPTIONS ###
	###

	# Controls the System Request debugging functionality of the kernel
	kernel.sysrq = 0

	# Controls whether core dumps will append the PID to the core filename.
	# Useful for debugging multi-threaded applications.
	kernel.core_uses_pid = 1

	#Allow for more PIDs
	kernel.pid_max = 65535

	#Enable ExecShield protection
	# kernel.exec-shield = 1
	kernel.randomize_va_space = 2

	# Controls the maximum size of a message, in bytes
	kernel.msgmnb = 65535

	# Controls the default maxmimum size of a mesage queue
	kernel.msgmax = 65535

	# Restrict core dumps
	fs.suid_dumpable = 0

	# Hide exposed kernel pointers
	kernel.kptr_restrict = 1

	###
	### IMPROVE SYSTEM MEMORY MANAGEMENT ###
	###

	# Increase size of file handles and inode cache
	fs.file-max = 2097152
	fs.inotify.max_queued_events=2000000
	fs.inotify.max_user_instances=512
	fs.inotify.max_user_watches=4000000

	# Do less swapping
	vm.dirty_ratio = 60
	vm.swappiness = 10
	vm.dirty_background_ratio = 2

	# specifies the minimum virtual address that a process is allowed to mmap
	vm.mmap_min_addr = 4096

	# Keep at least 64MB of free RAM space available
	vm.min_free_kbytes = 65535

	###
	### GENERAL NETWORK SECURITY OPTIONS ###
	###

	#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
	net.ipv4.tcp_syncookies = 1
	net.ipv4.tcp_syn_retries = 2
	net.ipv4.tcp_synack_retries = 2
	net.ipv4.tcp_max_syn_backlog = 4096

	# Disables packet forwarding
	net.ipv4.ip_forward = 0
	net.ipv4.conf.all.forwarding = 0
	net.ipv4.conf.default.forwarding = 0
	net.ipv6.conf.all.forwarding = 0
	net.ipv6.conf.default.forwarding = 0

	# Disables IP source routing
	net.ipv4.conf.all.send_redirects = 0
	net.ipv4.conf.default.send_redirects = 0
	net.ipv4.conf.all.accept_source_route = 0
	net.ipv4.conf.default.accept_source_route = 0
	net.ipv6.conf.all.accept_source_route = 0
	net.ipv6.conf.default.accept_source_route = 0

	# Enable IP spoofing protection, turn on source route verification
	net.ipv4.conf.all.rp_filter = 1
	net.ipv4.conf.default.rp_filter = 1

	# Disable ICMP Redirect Acceptance
	net.ipv4.conf.all.accept_redirects = 0
	net.ipv4.conf.default.accept_redirects = 0
	net.ipv4.conf.all.secure_redirects = 0
	net.ipv4.conf.default.secure_redirects = 0
	net.ipv6.conf.all.accept_redirects = 0
	net.ipv6.conf.default.accept_redirects = 0

	# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
	net.ipv4.conf.all.log_martians = 1
	net.ipv4.conf.default.log_martians = 1

	# Decrease the time default value for tcp_fin_timeout connection
	net.ipv4.tcp_fin_timeout = 7

	# Decrease the time default value for connections to keep alive
	net.ipv4.tcp_keepalive_time = 300
	net.ipv4.tcp_keepalive_probes = 5
	net.ipv4.tcp_keepalive_intvl = 15

	# Don't relay bootp
	net.ipv4.conf.all.bootp_relay = 0

	# Don't proxy arp for anyone
	net.ipv4.conf.all.proxy_arp = 0

	# Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better
	net.ipv4.tcp_timestamps = 1

	# Don't ignore directed pings
	net.ipv4.icmp_echo_ignore_all = 0

	# Enable ignoring broadcasts request
	net.ipv4.icmp_echo_ignore_broadcasts = 1

	# Enable bad error message Protection
	net.ipv4.icmp_ignore_bogus_error_responses = 1

	# Allowed local port range
	net.ipv4.ip_local_port_range = 16384 65535

	# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
	net.ipv4.tcp_rfc1337 = 1

	# Do not auto-configure IPv6
	net.ipv6.conf.all.autoconf=0
	net.ipv6.conf.all.accept_ra=0
	net.ipv6.conf.default.autoconf=0
	net.ipv6.conf.default.accept_ra=0

	###
	### TUNING NETWORK PERFORMANCE ###
	###

	# Turn on the tcp_window_scaling
	net.ipv4.tcp_window_scaling = 1

	# Default Socket Receive Buffer
	net.core.rmem_default = 31457280

	# Maximum Socket Receive Buffer
	net.core.rmem_max = 12582912

	# Default Socket Send Buffer
	net.core.wmem_default = 31457280

	# Maximum Socket Send Buffer
	net.core.wmem_max = 12582912

	# Increase number of incoming connections
	net.core.somaxconn = 4096

	# Increase number of incoming connections backlog
	net.core.netdev_max_backlog = 65536

	# Increase the maximum amount of option memory buffers
	net.core.optmem_max = 25165824

	# Increase the maximum total buffer-space allocatable
	# This is measured in units of pages (4096 bytes)
	net.ipv4.tcp_mem = 65536 131072 262144
	net.ipv4.udp_mem = 65536 131072 262144

	# Increase the read-buffer space allocatable
	net.ipv4.tcp_rmem = 8192 87380 16777216
	net.ipv4.udp_rmem_min = 16384

	# Increase the write-buffer-space allocatable
	net.ipv4.tcp_wmem = 8192 65536 16777216
	net.ipv4.udp_wmem_min = 16384


	# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
	net.ipv4.tcp_max_tw_buckets = 1440000

	# try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
	net.ipv4.tcp_tw_recycle = 0
	net.ipv4.tcp_tw_reuse = 1

	# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
	net.ipv4.tcp_max_orphans = 16384
	net.ipv4.tcp_orphan_retries = 0

	# don't cache ssthresh from previous connection
	net.ipv4.tcp_no_metrics_save = 1
	net.ipv4.tcp_moderate_rcvbuf = 1

	# Increase size of RPC datagram queue length
	net.unix.max_dgram_qlen = 50

	# Don't allow the arp table to become bigger than this
	net.ipv4.neigh.default.gc_thresh3 = 2048

	# Tell the gc when to become aggressive with arp table cleaning.
	# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
	net.ipv4.neigh.default.gc_thresh2 = 1024

	# Adjust where the gc will leave arp table alone - set to 32.
	net.ipv4.neigh.default.gc_thresh1 = 32

	# Adjust to arp table gc to clean-up more often
	net.ipv4.neigh.default.gc_interval = 30

	# Increase TCP queue length
	net.ipv4.neigh.default.proxy_qlen = 96
	net.ipv4.neigh.default.unres_qlen = 6

	# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
	net.ipv4.tcp_ecn = 1
	net.ipv4.tcp_reordering = 3

	# How many times to retry killing an alive TCP connection
	net.ipv4.tcp_retries2 = 15
	net.ipv4.tcp_retries1 = 3

	# Avoid falling back to slow start after a connection goes idle
	# keeps our cwnd large with the keep alive connections (kernel > 3.6)
	net.ipv4.tcp_slow_start_after_idle = 0

	# This will enusre that immediatly subsequent connections use the new values
	net.ipv4.route.flush = 1
	net.ipv6.route.flush = 1