sokratisg · January 5, 2024 00:03 · huazhouji · Dec 31, 2016
diff --git a/sysctl.conf b/sysctl.conf
 # Kernel sysctl configuration file for Red Hat Linux
 #
 # For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
 # sysctl.conf(5) for more details.

 # Turn on execshield
 # 0 completely disables ExecShield and Address Space Layout Randomization
 # 1 enables them ONLY if the application bits for these protections are set to “enable”
 # 2 enables them by default, except if the application bits are set to “disable”
 # 3 enables them always, whatever the application bits
 kernel.exec-shield = 2
 kernel.randomize_va_space = 2

 # Controls IP packet forwarding
 net.ipv4.ip_forward = 0

 # Controls source route verification
 net.ipv4.conf.default.rp_filter = 1

 # Do not accept source routing
 net.ipv4.conf.default.accept_source_route = 0

 # Ignoring broadcasts request
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 net.ipv4.icmp_ignore_bogus_error_responses = 1

 # Controls the System Request debugging functionality of the kernel
 kernel.sysrq = 0

 # Controls whether core dumps will append the PID to the core filename.
 # Useful for debugging multi-threaded applications.
 kernel.core_uses_pid = 1

 # Controls the use of TCP syncookies
 net.ipv4.tcp_syncookies = 1

 # Disable netfilter on bridges.
 #net.bridge.bridge-nf-call-ip6tables = 0
 #net.bridge.bridge-nf-call-iptables = 0
 #net.bridge.bridge-nf-call-arptables = 0

 # Controls the default maxmimum size of a mesage queue
 kernel.msgmnb = 65536

 # Controls the maximum size of a message, in bytes
 kernel.msgmax = 65536

 # Controls the maximum shared segment size, in bytes
 kernel.shmmax = 68719476736

 # Controls the maximum number of shared memory segments, in pages
 kernel.shmall = 4294967296


 # See also http://www.nateware.com/linux-network-tuning-for-2013.html for
 # an explanation about some of these parameters, and instructions for
 # a few other tweaks outside this file.

 # Protection from SYN flood attack.
 net.ipv4.tcp_syncookies = 1

 # See evil packets in your logs.
 net.ipv4.conf.all.log_martians = 0

 # Discourage Linux from swapping idle server processes to disk (default = 60)
 vm.swappiness = 5

 # Tweak how the flow of kernel messages is throttled.
 #kernel.printk_ratelimit_burst = 10
 #kernel.printk_ratelimit = 5

 # --------------------------------------------------------------------
 # The following allow the server to handle lots of connection requests
 # --------------------------------------------------------------------

 # Increase number of incoming connections that can queue up
 # before dropping
 net.core.somaxconn = 50000

 # Handle SYN floods and large numbers of valid HTTPS connections
 net.ipv4.tcp_max_syn_backlog = 30000

 # Increase the length of the network device input queue
 net.core.netdev_max_backlog = 20000

 # Increase system file descriptor limit so we will (probably)
 # never run out under lots of concurrent requests.
 # (Per-process limit is set in /etc/security/limits.conf)
 fs.file-max = 100000

 # Widen the port range used for outgoing connections
 net.ipv4.ip_local_port_range = 10000 65000

 # If your servers talk UDP, also up these limits
 net.ipv4.udp_rmem_min = 8192
 net.ipv4.udp_wmem_min = 8192

 # --------------------------------------------------------------------
 # The following help the server efficiently pipe large amounts of data
 # --------------------------------------------------------------------

 # Disable source routing and redirects
 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.all.accept_source_route = 0

 # Disable packet forwarding.
 net.ipv4.ip_forward = 0
 net.ipv6.conf.all.forwarding = 0

 # Disable TCP slow start on idle connections
 net.ipv4.tcp_slow_start_after_idle = 0

 # Turn on the tcp_window_scaling
 net.ipv4.tcp_window_scaling = 1

 # Turn on the tcp_timestamps
 net.ipv4.tcp_timestamps = 1

 # Turn on the tcp_sack
 net.ipv4.tcp_sack = 1

 # Change Congestion Control (default: reno)
 net.ipv4.tcp_congestion_control=htcp

 # Increase Linux autotuning TCP buffer limits
 # Set max to 16MB for 1GE and 32M (33554432) or 54M (56623104) for 10GE
 # Don't set tcp_mem itself! Let the kernel scale it based on RAM.
 net.core.rmem_max = 16777216
 net.core.wmem_max = 16777216
 net.core.rmem_default = 16777216
 net.core.wmem_default = 16777216
 net.core.optmem_max = 40960
 net.ipv4.tcp_rmem = 4096 87380 16777216
 net.ipv4.tcp_wmem = 4096 87380 16777216


 # --------------------------------------------------------------------
 # The following allow the server to handle lots of connection churn
 # --------------------------------------------------------------------

 # Disconnect dead TCP connections after 1 minute
 net.ipv4.tcp_keepalive_time = 60

 # Wait a maximum of 5 * 2 = 10 seconds in the TIME_WAIT state after a FIN, to handle
 # any remaining packets in the network.
 net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10

 # How long to keep ESTABLISHED connections in conntrack table
 # Should be higher than tcp_keepalive_time + tcp_keepalive_probes * tcp_keepalive_intvl )
 net.netfilter.nf_conntrack_tcp_timeout_established = 300
 net.netfilter.nf_conntrack_generic_timeout = 300

 # Allow a high number of timewait sockets
 net.ipv4.tcp_max_tw_buckets = 2000000

 # Timeout broken connections faster (amount of time to wait for FIN)
 net.ipv4.tcp_fin_timeout = 10

 # Let the networking stack reuse TIME_WAIT connections when it thinks it's safe to do so
 net.ipv4.tcp_tw_reuse = 1

 # Determines the wait time between isAlive interval probes (reduce from 75 sec to 15)
 net.ipv4.tcp_keepalive_intvl = 15

 # Determines the number of probes before timing out (reduce from 9 sec to 5 sec)
 net.ipv4.tcp_keepalive_probes = 5

 # -------------------------------------------------------------
	# Kernel sysctl configuration file for Red Hat Linux
	#
	# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
	# sysctl.conf(5) for more details.

	# Turn on execshield
	# 0 completely disables ExecShield and Address Space Layout Randomization
	# 1 enables them ONLY if the application bits for these protections are set to “enable”
	# 2 enables them by default, except if the application bits are set to “disable”
	# 3 enables them always, whatever the application bits
	kernel.exec-shield = 2
	kernel.randomize_va_space = 2

	# Controls IP packet forwarding
	net.ipv4.ip_forward = 0

	# Controls source route verification
	net.ipv4.conf.default.rp_filter = 1

	# Do not accept source routing
	net.ipv4.conf.default.accept_source_route = 0

	# Ignoring broadcasts request
	net.ipv4.icmp_echo_ignore_broadcasts = 1
	net.ipv4.icmp_ignore_bogus_error_responses = 1

	# Controls the System Request debugging functionality of the kernel
	kernel.sysrq = 0

	# Controls whether core dumps will append the PID to the core filename.
	# Useful for debugging multi-threaded applications.
	kernel.core_uses_pid = 1

	# Controls the use of TCP syncookies
	net.ipv4.tcp_syncookies = 1

	# Disable netfilter on bridges.
	#net.bridge.bridge-nf-call-ip6tables = 0
	#net.bridge.bridge-nf-call-iptables = 0
	#net.bridge.bridge-nf-call-arptables = 0

	# Controls the default maxmimum size of a mesage queue
	kernel.msgmnb = 65536

	# Controls the maximum size of a message, in bytes
	kernel.msgmax = 65536

	# Controls the maximum shared segment size, in bytes
	kernel.shmmax = 68719476736

	# Controls the maximum number of shared memory segments, in pages
	kernel.shmall = 4294967296


	# See also http://www.nateware.com/linux-network-tuning-for-2013.html for
	# an explanation about some of these parameters, and instructions for
	# a few other tweaks outside this file.

	# Protection from SYN flood attack.
	net.ipv4.tcp_syncookies = 1

	# See evil packets in your logs.
	net.ipv4.conf.all.log_martians = 0

	# Discourage Linux from swapping idle server processes to disk (default = 60)
	vm.swappiness = 5

	# Tweak how the flow of kernel messages is throttled.
	#kernel.printk_ratelimit_burst = 10
	#kernel.printk_ratelimit = 5

	# --------------------------------------------------------------------
	# The following allow the server to handle lots of connection requests
	# --------------------------------------------------------------------

	# Increase number of incoming connections that can queue up
	# before dropping
	net.core.somaxconn = 50000

	# Handle SYN floods and large numbers of valid HTTPS connections
	net.ipv4.tcp_max_syn_backlog = 30000

	# Increase the length of the network device input queue
	net.core.netdev_max_backlog = 20000

	# Increase system file descriptor limit so we will (probably)
	# never run out under lots of concurrent requests.
	# (Per-process limit is set in /etc/security/limits.conf)
	fs.file-max = 100000

	# Widen the port range used for outgoing connections
	net.ipv4.ip_local_port_range = 10000 65000

	# If your servers talk UDP, also up these limits
	net.ipv4.udp_rmem_min = 8192
	net.ipv4.udp_wmem_min = 8192

	# --------------------------------------------------------------------
	# The following help the server efficiently pipe large amounts of data
	# --------------------------------------------------------------------

	# Disable source routing and redirects
	net.ipv4.conf.all.send_redirects = 0
	net.ipv4.conf.all.accept_redirects = 0
	net.ipv4.conf.all.accept_source_route = 0

	# Disable packet forwarding.
	net.ipv4.ip_forward = 0
	net.ipv6.conf.all.forwarding = 0

	# Disable TCP slow start on idle connections
	net.ipv4.tcp_slow_start_after_idle = 0

	# Turn on the tcp_window_scaling
	net.ipv4.tcp_window_scaling = 1

	# Turn on the tcp_timestamps
	net.ipv4.tcp_timestamps = 1

	# Turn on the tcp_sack
	net.ipv4.tcp_sack = 1

	# Change Congestion Control (default: reno)
	net.ipv4.tcp_congestion_control=htcp

	# Increase Linux autotuning TCP buffer limits
	# Set max to 16MB for 1GE and 32M (33554432) or 54M (56623104) for 10GE
	# Don't set tcp_mem itself! Let the kernel scale it based on RAM.
	net.core.rmem_max = 16777216
	net.core.wmem_max = 16777216
	net.core.rmem_default = 16777216
	net.core.wmem_default = 16777216
	net.core.optmem_max = 40960
	net.ipv4.tcp_rmem = 4096 87380 16777216
	net.ipv4.tcp_wmem = 4096 87380 16777216


	# --------------------------------------------------------------------
	# The following allow the server to handle lots of connection churn
	# --------------------------------------------------------------------

	# Disconnect dead TCP connections after 1 minute
	net.ipv4.tcp_keepalive_time = 60

	# Wait a maximum of 5 * 2 = 10 seconds in the TIME_WAIT state after a FIN, to handle
	# any remaining packets in the network.
	net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10

	# How long to keep ESTABLISHED connections in conntrack table
	# Should be higher than tcp_keepalive_time + tcp_keepalive_probes * tcp_keepalive_intvl )
	net.netfilter.nf_conntrack_tcp_timeout_established = 300
	net.netfilter.nf_conntrack_generic_timeout = 300

	# Allow a high number of timewait sockets
	net.ipv4.tcp_max_tw_buckets = 2000000

	# Timeout broken connections faster (amount of time to wait for FIN)
	net.ipv4.tcp_fin_timeout = 10

	# Let the networking stack reuse TIME_WAIT connections when it thinks it's safe to do so
	net.ipv4.tcp_tw_reuse = 1

	# Determines the wait time between isAlive interval probes (reduce from 75 sec to 15)
	net.ipv4.tcp_keepalive_intvl = 15

	# Determines the number of probes before timing out (reduce from 9 sec to 5 sec)
	net.ipv4.tcp_keepalive_probes = 5

	# -------------------------------------------------------------