Last active
January 12, 2018 20:38
-
-
Save stevenmunro/0dd09094065dc7d4ddfa847e8e540f79 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/sysctl.conf - Configuration file for setting system variables | |
| # See /etc/sysctl.d/ for additional system variables. | |
| # See sysctl.conf (5) for information. | |
| # | |
| #kernel.domainname = example.com | |
| # Uncomment the following to stop low-level messages on console | |
| #kernel.printk = 3 4 1 3 | |
| ##############################################################3 | |
| # Functions previously found in netbase | |
| # | |
| # Uncomment the next two lines to enable Spoof protection (reverse-path filter) | |
| # Turn on Source Address Verification in all interfaces to | |
| # prevent some spoofing attacks | |
| #net.ipv4.conf.default.rp_filter=1 | |
| #net.ipv4.conf.all.rp_filter=1 | |
| # Uncomment the next line to enable TCP/IP SYN cookies | |
| # See http://lwn.net/Articles/277146/ | |
| # Note: This may impact IPv6 TCP sessions too | |
| #net.ipv4.tcp_syncookies=1 | |
| # Uncomment the next line to enable packet forwarding for IPv4 | |
| #net.ipv4.ip_forward=1 | |
| # Uncomment the next line to enable packet forwarding for IPv6 | |
| # Enabling this option disables Stateless Address Autoconfiguration | |
| # based on Router Advertisements for this host | |
| #net.ipv6.conf.all.forwarding=1 | |
| ################################################################### | |
| # Additional settings - these settings can improve the network | |
| # security of the host and prevent against some network attacks | |
| # including spoofing attacks and man in the middle attacks through | |
| # redirection. Some network environments, however, require that these | |
| # settings are disabled so review and enable them as needed. | |
| # | |
| # Do not accept ICMP redirects (prevent MITM attacks) | |
| #net.ipv4.conf.all.accept_redirects = 0 | |
| #net.ipv6.conf.all.accept_redirects = 0 | |
| # _or_ | |
| # Accept ICMP redirects only for gateways listed in our default | |
| # gateway list (enabled by default) | |
| # net.ipv4.conf.all.secure_redirects = 1 | |
| # | |
| # Do not send ICMP redirects (we are not a router) | |
| #net.ipv4.conf.all.send_redirects = 0 | |
| # | |
| # Do not accept IP source route packets (we are not a router) | |
| #net.ipv4.conf.all.accept_source_route = 0 | |
| #net.ipv6.conf.all.accept_source_route = 0 | |
| # | |
| # Log Martian Packets | |
| #net.ipv4.conf.all.log_martians = 1 | |
| # | |
| ### IMPROVE SYSTEM MEMORY MANAGEMENT ### | |
| # Increase size of file handles and inode cache | |
| fs.file-max = 2097152 | |
| # Allow for more PIDs | |
| kernel.pid_max=65536 | |
| # Do less swapping | |
| vm.swappiness = 10 | |
| vm.dirty_ratio = 60 | |
| vm.dirty_background_ratio = 2 | |
| ### GENERAL NETWORK SECURITY OPTIONS ### | |
| # Number of times SYNACKs for passive TCP connection. | |
| net.ipv4.tcp_synack_retries = 2 | |
| # Allowed local port range | |
| net.ipv4.ip_local_port_range = 2000 65535 | |
| # Protect Against TCP Time-Wait | |
| net.ipv4.tcp_rfc1337 = 1 | |
| # Decrease the time default value for tcp_fin_timeout connection | |
| net.ipv4.tcp_fin_timeout = 15 | |
| # Decrease the time default value for connections to keep alive | |
| net.ipv4.tcp_keepalive_time = 300 | |
| net.ipv4.tcp_keepalive_probes = 5 | |
| net.ipv4.tcp_keepalive_intvl = 15 | |
| ### TUNING NETWORK PERFORMANCE ### | |
| # Default Socket Receive Buffer | |
| net.core.rmem_default = 31457280 | |
| # Maximum Socket Receive Buffer | |
| net.core.rmem_max = 12582912 | |
| # Default Socket Send Buffer | |
| net.core.wmem_default = 31457280 | |
| # Maximum Socket Send Buffer | |
| net.core.wmem_max = 12582912 | |
| # Increase number of incoming connections | |
| net.core.somaxconn = 4096 | |
| # Increase number of incoming connections backlog | |
| net.core.netdev_max_backlog = 65536 | |
| # Increase the maximum amount of option memory buffers | |
| net.core.optmem_max = 25165824 | |
| # Increase the maximum total buffer-space allocatable | |
| # This is measured in units of pages (4096 bytes) | |
| net.ipv4.tcp_mem = 65536 131072 262144 | |
| net.ipv4.udp_mem = 65536 131072 262144 | |
| # Increase the read-buffer space allocatable | |
| net.ipv4.tcp_rmem = 8192 87380 16777216 | |
| net.ipv4.udp_rmem_min = 16384 | |
| # Increase the write-buffer-space allocatable | |
| net.ipv4.tcp_wmem = 8192 65536 16777216 | |
| net.ipv4.udp_wmem_min = 16384 | |
| # Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks | |
| net.ipv4.tcp_max_tw_buckets = 1440000 | |
| net.ipv4.tcp_tw_recycle = 1 | |
| net.ipv4.tcp_tw_reuse = 1 | |
| # Enable FastOpen in both directions | |
| net.ipv4.tcp_fastopen=3 | |
| # Enable syn cookies vs syn floods, RP filter | |
| net.ipv4.tcp_syncookies=1 | |
| net.ipv4.conf.all.rp_filter=1 | |
| # Increase the max backlog, syn tweaks | |
| net.core.netdev_max_backlog=2000 | |
| net.ipv4.tcp_max_syn_backlog=2048 | |
| net.ipv4.tcp_synack_retries=3 | |
| net.core.default_qdisc=fq | |
| net.ipv4.tcp_congestion_control=bbr |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment