About

This file is based on the work of Michiel Klaver and provides some optimisations for current Linux kernels. It should either replace /etc/sysctl.conf or be placed at /etc/sysctl.d/local.conf on Debian-like Linux distributions. Review every value before deploying it: sysctl settings are system-wide, and the network section in particular turns packet forwarding on and reverse-path filtering off, which is only appropriate for a host that is meant to route or bridge traffic.

In order to load the file without rebooting, one can issue (as root) the command below. It re-applies every file under /etc/sysctl.d/ as well as /etc/sysctl.conf; keys that belong to a kernel module which is not yet loaded (for example the congestion-control module or br_netfilter) are reported as errors and skipped, so load those modules first:

sysctl --system

Code

local.conf
# Kernel sysctl configuration file for Linux
 
# These settings are meant for busy linux servers and not for DSL or Cable. The file is 
# based on the original provided by Michiel Klaver and includes additional optimizations 
# by the Wizardry and Steamworks group.
 
# The file should either replace /etc/sysctl.conf or, on Debian-like distributions, placed 
# at /etc/sysctl.d/local.conf and the distribution will load them on reboot or by issuing 
# sysctl --system
 
# Originally created by:
# Michiel Klaver - IT Professional
# Linux: http://klaver.it/linux/ 
# BSD: http://klaver.it/bsd/ for a BSD variant
 
# Credits:
# http://www.enigma.id.au/linux_tuning.txt
# http://www.securityfocus.com/infocus/1729
# http://fasterdata.es.net/TCP-tuning/linux.html
# http://fedorahosted.org/ktune/browser/sysctl.ktune
# http://www.cymru.com/Documents/ip-stack-tuning.html
# http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
# http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html
# http://knol.google.com/k/linux-performance-tuning-and-measurement
# http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/
# http://www.redbooks.ibm.com/abstracts/REDP4285.html
# http://www.speedguide.net/read_articles.php?id=121
# http://lartc.org/howto/lartc.kernel.obscure.html
# http://en.wikipedia.org/wiki/Sysctl
 
 
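###
### GENERAL SYSTEM SECURITY OPTIONS ###
###

# Reboot 30 seconds after a kernel panic instead of hanging forever.
# panic_on_oops is a boolean: any non-zero value turns an oops into a panic
# (which then reboots via kernel.panic); it is NOT a delay, so use 1.
kernel.panic = 30
kernel.panic_on_oops = 1
# console_loglevel default_message_loglevel minimum_console_loglevel
# default_console_loglevel
kernel.printk = 3 4 1 3

# Disable the magic SysRq key entirely: a local console user could otherwise
# dump memory, kill processes or reboot the machine without authenticating.
kernel.sysrq = 0

# Append the PID to core-file names so concurrent dumps do not overwrite
# each other (useful when debugging multi-threaded applications).
kernel.core_uses_pid = 1

# Raise the PID limit above the historical default of 32768.
kernel.pid_max = 65536

# kernel.maps_protect was removed from the kernel long ago (2.6.27); its
# behaviour is now unconditional: /proc/<pid>/maps and smaps are only
# readable by processes allowed to ptrace() the target. Kept for reference.
#kernel.maps_protect = 1

# kernel.exec-shield exists only on Red Hat / CentOS kernels; enabling it on
# other distributions just produces an "unknown key" error.
#kernel.exec-shield = 1

# Full ASLR: 2 randomises the stack, mmap base, VDSO *and* the heap (brk).
# The previous value of 1 leaves brk unrandomised and is weaker than the
# default shipped by every current distribution kernel.
kernel.randomize_va_space = 2

# Default maximum size of a System V message queue, in bytes.
kernel.msgmnb = 65536

# Maximum size of a single System V message, in bytes.
kernel.msgmax = 65536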
 
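###
### IMPROVE SYSTEM MEMORY MANAGEMENT ###
###

# System-wide limit on open file handles.
fs.file-max = 209708

# CFS scheduler granularity, in nanoseconds. These keys were moved out of
# /proc/sys into debugfs in Linux 5.13 and are reported as unknown there.
kernel.sched_min_granularity_ns = 10000000
kernel.sched_wakeup_granularity_ns = 15000000

# HugePages: 1024 pages of the default huge-page size (2 MiB on x86-64) is
# 2 GiB of RAM reserved at boot and unavailable to ordinary allocations.
# Size this to what the application (database, JVM, ...) actually uses.
vm.nr_hugepages = 1024
# hugepages_treat_as_movable has been removed from current kernels; there it
# only yields an "unknown key" message.
vm.hugepages_treat_as_movable = 1
# Restrict SysV shared-memory huge pages to this group ID.
# vm.hugetlb_shm_group = 2021

# Writeback tuning: once dirty pages reach 40 % of RAM, a writing process is
# forced to perform writeback itself. The remaining knobs stay at kernel
# defaults (kept commented for reference).
#vm.swappiness = 10
vm.dirty_ratio = 40
#vm.dirty_background_ratio = 2

#vm.dirty_expire_centisecs = 1800
#vm.dirty_writeback_centisecs = 6000

#vm.dirty_writeback_centisecs = 60000
#vm.dirty_expire_centisecs = 120000

# Lowest virtual address a process may mmap(). This is the main defence
# against kernel NULL-pointer-dereference exploits; the previous value of
# 4096 is far below the 65536 that Debian and Ubuntu ship. Only lower it if
# a legacy 16-bit emulator (dosemu, old Wine) genuinely needs it.
vm.mmap_min_addr = 65536

# Heuristic overcommit (the kernel default). overcommit_ratio is only
# consulted in mode 2 (strict accounting); it is reset to the kernel default
# of 50 so that switching to mode 2 later does not leave the system with a
# CommitLimit of swap + 0 % of RAM.
vm.overcommit_memory = 0
vm.overcommit_ratio = 50

# Largest single SysV shared-memory segment: 256 MiB (value in bytes).
kernel.shmmax = 268435456
# Total SysV shared memory, in PAGES, not bytes: 268435456 * 4 KiB = 1 TiB,
# i.e. effectively unlimited. Use 65536 to actually cap it at 256 MiB.
kernel.shmall = 268435456

# Keep at least 64 MiB free for atomic allocations.
vm.min_free_kbytes = 65536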
 
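###
### GENERAL NETWORK SECURITY OPTIONS ###
###

# SYN-flood mitigation: SYN cookies kick in once tcp_max_syn_backlog is full.
# Low retry counts drop half-open connections quickly; raise them on links
# with high packet loss.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096

# Packet forwarding is ENABLED. This file is tuned for a host that routes or
# bridges traffic (see the rp_filter note below). On a plain server set all
# five keys to 0, otherwise the machine will route packets between its
# interfaces for anyone who points a route at it.
net.ipv4.ip_forward = 1
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.default.forwarding = 1

# Reject source-routed packets: they let the sender dictate the path through
# the network and are a classic way around address-based filtering. For
# IPv6, 0 still accepts the Mobile-IPv6 type-2 routing header; use -1 to
# reject every routing header.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Do not emit ICMP redirects. Even on a router they are rarely needed and
# they leak topology to every on-link host.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Reverse-path filtering (source-address spoofing protection) is OFF because
# it conflicts with bridged and asymmetrically routed setups. On a host with
# a single uplink set both to 1 (strict) or 2 (loose).
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0

# Ignore ICMP redirects from the network: accepting them lets any on-link
# host rewrite our routing table and sit in the middle of our traffic.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Logging of martian packets (spoofed, source-routed or otherwise impossible
# source addresses) is OFF to keep the kernel log quiet on a busy server.
# Set to 1 when investigating spoofing; the messages are rate-limited.
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0

# Seconds to hold a socket in FIN-WAIT-2 after we closed our side. The
# kernel default is 60 (2.2 used 180). A peer that never closes its side
# would otherwise pin memory on a busy web server: each FIN-WAIT-2 socket
# costs at most about 1.5 KiB, less than FIN-WAIT-1, but they linger longer.
net.ipv4.tcp_fin_timeout = 15

# Detect dead peers sooner: first probe after 300 s of idleness, then 5
# probes 15 s apart (kernel defaults are 7200 s / 9 probes / 75 s).
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15

# Do not relay BOOTP/DHCP broadcasts.
net.ipv4.conf.all.bootp_relay = 0

# Do not answer ARP on behalf of other hosts. Proxy ARP makes this machine
# claim every address it has a route to; enable it only per interface where
# the network design explicitly needs it.
net.ipv4.conf.all.proxy_arp = 0

# Selective acknowledgements. tcp_fack is a legacy key with no effect since
# Linux 4.15; it is kept for older kernels.
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1

# Disable Forward RTO-Recovery (aimed at wireless links, not a wired server).
# tcp_frto_response was removed in Linux 3.10 and only produces an "unknown
# key" error on current kernels, hence commented out.
net.ipv4.tcp_frto = 0
#net.ipv4.tcp_frto_response = 0

# If a peer sends no window-scaling option, assume it treats the window as a
# signed 16-bit quantity and cap it accordingly.
net.ipv4.tcp_workaround_signed_windows = 1

# Disable Path MTU discovery: outgoing packets are sent WITHOUT the DF bit
# and get fragmented by routers instead of relying on ICMP "fragmentation
# needed" messages. Prefer the default of 0 unless ICMP is known to be
# filtered on the path.
net.ipv4.ip_no_pmtu_disc = 1

# Packetization-layer path-MTU probing (RFC 4821): 1 = enabled only after an
# ICMP black hole is detected, 2 = always. Unrelated to jumbo frames.
net.ipv4.tcp_mtu_probing = 1

# TCP Fast Open (Linux 3.6+): 1 = client side only, 3 = client and server.
#net.ipv4.tcp_fastopen = 1

# tcp_low_latency is a legacy key: the TCP prequeue it disabled was removed
# in Linux 4.14 and the key has no effect there. Kept for older kernels.
net.ipv4.tcp_low_latency = 1

# TCP timestamps (RFC 7323): required for PAWS, for receive windows above
# 64 KiB and for tcp_tw_reuse. Kernels before 4.10 exposed the host's uptime
# through the timestamp clock; since then the offset is randomised per
# connection.
net.ipv4.tcp_timestamps = 1

# Answer unicast pings.
net.ipv4.icmp_echo_ignore_all = 0

# Ignore pings to broadcast/multicast addresses (smurf amplification).
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Do not log bogus ICMP error responses from broken routers.
net.ipv4.icmp_ignore_bogus_error_responses = 1

# The ephemeral port range is set in the network-performance section.
#net.ipv4.ip_local_port_range = 16384 65536

# RFC 1337: drop RST segments for sockets in TIME-WAIT instead of letting
# them assassinate the state (time-wait assassination hazard).
net.ipv4.tcp_rfc1337 = 1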
 
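###
### TUNING NETWORK PERFORMANCE ###
###

# TCP-Illinois congestion control. The module must be loaded BEFORE this
# file is applied (modprobe tcp_illinois, and list it under
# /etc/modules-load.d/ so it survives a reboot); otherwise sysctl rejects
# the value and the kernel default (cubic) stays in effect.
net.ipv4.tcp_congestion_control = illinois

# Ephemeral port range. Starting at 1025 overlaps the IANA registered-port
# range, so an outgoing connection may grab a port (e.g. 3306) that a local
# service wants to bind later; the kernel default starts at 32768.
net.ipv4.ip_local_port_range = 1025 65535

# RFC 7323 window scaling (needed for receive windows above 64 KiB).
net.ipv4.tcp_window_scaling = 1

# Bridged traffic DOES pass through iptables/ip6tables/arptables (1). Set
# these to 0 only if the bridge is meant to be transparent and filtering is
# enforced elsewhere. The keys only exist once the br_netfilter module is
# loaded; before that sysctl --system reports them as unknown.
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-arptables = 1

# Total TCP/UDP buffer space: low / pressure / high, in PAGES (4 KiB).
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144

# Receive buffers, bytes: min / default / max. Auto-tuning may grow a socket
# up to tcp_rmem[2]; net.core.rmem_max caps an explicit SO_RCVBUF.
net.ipv4.tcp_rmem = 8192 87380 262144
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 131072
net.core.rmem_max = 262144

# Send buffers, bytes: min / default / max.
net.ipv4.tcp_wmem = 8192 65536 262144
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 131072
net.core.wmem_max = 262144

# Upper bound for listen() backlogs.
net.core.somaxconn = 32768

# Per-CPU queue of packets received from the NIC but not yet processed, and
# how many packets each NAPI poll may consume.
net.core.netdev_max_backlog = 32768
net.core.dev_weight = 64

# Per-socket ancillary (cmsg) buffer limit, bytes.
net.core.optmem_max = 65536

# net.core.hot_list_length no longer exists in current kernels.
#net.core.hot_list_length = 1024

# Cap on TIME-WAIT sockets; above it they are destroyed immediately, which
# bounds the memory a TIME-WAIT flood can consume.
net.ipv4.tcp_max_tw_buckets = 1440000

# tcp_tw_reuse recycles TIME-WAIT sockets for outgoing connections when the
# timestamps prove it is safe (kernel default 0). tcp_tw_recycle is
# deliberately NOT set: it drops SYNs from clients behind NAT whose
# timestamps appear to go backwards, and it was removed in Linux 4.12.
net.ipv4.tcp_tw_reuse = 1
#net.ipv4.tcp_tw_recycle = 1

# Orphaned sockets (closed by userspace, not yet torn down) are unswappable
# and each can hold send-buffer memory bounded by tcp_wmem[2] (256 KiB
# here); cap their number and give up on them quickly.
net.ipv4.tcp_max_orphans = 65536
net.ipv4.tcp_orphan_retries = 1

# Memory for reassembling IP fragments, bytes; reassembly is throttled
# between the low and high thresholds.
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464

# Do not carry per-destination metrics (ssthresh, cwnd, rtt) over from a
# previous connection: one congested session would otherwise slow down all
# later connections to the same host. Keep receive-buffer auto-tuning on.
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1

# Keep the congestion window after an idle period instead of falling back
# to slow start (helps persistent HTTP/2- and SPDY-style connections).
net.ipv4.tcp_slow_start_after_idle = 0

# NFS/RPC slot-table sizes (keys exist only while the sunrpc module is
# loaded).
#sunrpc.tcp_slot_table_entries = 32
#sunrpc.udp_slot_table_entries = 32

# Maximum queued datagrams on a Unix-domain socket (syslog, D-Bus, ...).
net.unix.max_dgram_qlen = 50

# Neighbour (ARP/NDP) cache sizing: up to gc_thresh1 entries are never
# reclaimed, above gc_thresh2 the collector becomes aggressive and runs
# every gc_interval seconds, and gc_thresh3 is a hard cap. 1024/2048 suits
# a /24 with headroom; raise them on large L2 domains or when "neighbour
# table overflow" shows up in the kernel log.
net.ipv4.neigh.default.gc_thresh3 = 2048
net.ipv4.neigh.default.gc_thresh2 = 1024
net.ipv4.neigh.default.gc_thresh1 = 32
net.ipv4.neigh.default.gc_interval = 30

# Packets queued per neighbour while an address is being resolved
# (unres_qlen) or proxied (proxy_qlen). These are ARP queues, not TCP.
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6

# Explicit Congestion Notification (RFC 3168): 1 = request it on outgoing
# and accept it on incoming connections, 2 = accept only (kernel default).
# Fall back to 2 if a middlebox on the path drops ECN-marked SYNs.
net.ipv4.tcp_ecn = 1
#net.ipv4.tcp_ecn = 2
# Initial reordering tolerance before a segment is considered lost.
net.ipv4.tcp_reordering = 3

# Retransmission limits for an established connection: after tcp_retries1
# unanswered retransmits the route is re-validated, after tcp_retries2 the
# connection is aborted (15 is the kernel default, roughly 15 minutes).
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3

# Flush the routing cache so that connections established right after
# loading this file use the new values.
net.ipv4.route.flush = 1
net.ipv6.route.flush = 1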
