ram-pi · May 19, 2023 16:29 · Nov 13, 2014 · Oct 11, 2014 · Sep 5, 2014 · Sep 4, 2014
diff --git a/sysctl.conf b/sysctl.conf
@@ -4,8 +4,12 @@
 # sysctl.conf(5) for more details.
 
 # Turn on execshield
-kernel.exec-shield = 1
-kernel.randomize_va_space = 1
+# 0 completely disables ExecShield and Address Space Layout Randomization
+# 1 enables them ONLY if the application bits for these protections are set to “enable”
+# 2 enables them by default, except if the application bits are set to “disable”
+# 3 enables them always, whatever the application bits
+kernel.exec-shield = 2
+kernel.randomize_va_space = 2
 
 # Controls IP packet forwarding
 net.ipv4.ip_forward = 0

diff --git a/sysctl.conf b/sysctl.conf
@@ -3,6 +3,10 @@
 # For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
 # sysctl.conf(5) for more details.
 
+# Turn on execshield
+kernel.exec-shield = 1
+kernel.randomize_va_space = 1
+
 # Controls IP packet forwarding
 net.ipv4.ip_forward = 0
 
@@ -12,6 +16,10 @@ net.ipv4.conf.default.rp_filter = 1
 # Do not accept source routing
 net.ipv4.conf.default.accept_source_route = 0
 
+# Ignoring broadcasts request
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
 # Controls the System Request debugging functionality of the kernel
 kernel.sysrq = 0
 

diff --git a/sysctl.conf b/sysctl.conf
@@ -51,7 +51,7 @@ net.ipv4.tcp_syncookies = 1
 net.ipv4.conf.all.log_martians = 0
 
 # Discourage Linux from swapping idle server processes to disk (default = 60)
-vm.swappiness = 10
+vm.swappiness = 5
 
 # Tweak how the flow of kernel messages is throttled.
 #kernel.printk_ratelimit_burst = 10

diff --git a/sysctl.conf b/sysctl.conf
@@ -99,6 +99,18 @@ net.ipv6.conf.all.forwarding = 0
 # Disable TCP slow start on idle connections
 net.ipv4.tcp_slow_start_after_idle = 0
 
+# Turn on the tcp_window_scaling
+net.ipv4.tcp_window_scaling = 1
+
+# Turn on the tcp_timestamps
+net.ipv4.tcp_timestamps = 1
+
+# Turn on the tcp_sack
+net.ipv4.tcp_sack = 1
+
+# Change Congestion Control (default: reno)
+net.ipv4.tcp_congestion_control=htcp
+
 # Increase Linux autotuning TCP buffer limits
 # Set max to 16MB for 1GE and 32M (33554432) or 54M (56623104) for 10GE
 # Don't set tcp_mem itself! Let the kernel scale it based on RAM.

diff --git a/sysctl.conf b/sysctl.conf
@@ -69,7 +69,7 @@ net.core.somaxconn = 50000
 net.ipv4.tcp_max_syn_backlog = 30000
 
 # Increase the length of the network device input queue
-net.core.netdev_max_backlog = 10000
+net.core.netdev_max_backlog = 20000
 
 # Increase system file descriptor limit so we will (probably)
 # never run out under lots of concurrent requests.
@@ -84,7 +84,7 @@ net.ipv4.udp_rmem_min = 8192
 net.ipv4.udp_wmem_min = 8192
 
 # --------------------------------------------------------------------
-# The following help the server efficiently pipe large amounts of data 
+# The following help the server efficiently pipe large amounts of data
 # --------------------------------------------------------------------
 
 # Disable source routing and redirects
@@ -119,7 +119,7 @@ net.ipv4.tcp_wmem = 4096 87380 16777216
 net.ipv4.tcp_keepalive_time = 60
 
 # Wait a maximum of 5 * 2 = 10 seconds in the TIME_WAIT state after a FIN, to handle
-# any remaining packets in the network. 
+# any remaining packets in the network.
 net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
 
 # How long to keep ESTABLISHED connections in conntrack table
@@ -134,7 +134,7 @@ net.ipv4.tcp_max_tw_buckets = 2000000
 net.ipv4.tcp_fin_timeout = 10
 
 # Let the networking stack reuse TIME_WAIT connections when it thinks it's safe to do so
-# net.ipv4.tcp_tw_reuse = 1
+net.ipv4.tcp_tw_reuse = 1
 
 # Determines the wait time between isAlive interval probes (reduce from 75 sec to 15)
 net.ipv4.tcp_keepalive_intvl = 15

diff --git a/sysctl.conf b/sysctl.conf
@@ -108,7 +108,7 @@ net.core.rmem_default = 16777216
 net.core.wmem_default = 16777216
 net.core.optmem_max = 40960
 net.ipv4.tcp_rmem = 4096 87380 16777216
-net.ipv4.tcp_wmem = 4096 65536 16777216
+net.ipv4.tcp_wmem = 4096 87380 16777216
 
 
 # --------------------------------------------------------------------

diff --git a/sysctl.conf b/sysctl.conf
@@ -69,7 +69,7 @@ net.core.somaxconn = 50000
 net.ipv4.tcp_max_syn_backlog = 30000
 
 # Increase the length of the network device input queue
-net.core.netdev_max_backlog = 20000
+net.core.netdev_max_backlog = 10000
 
 # Increase system file descriptor limit so we will (probably)
 # never run out under lots of concurrent requests.

diff --git a/sysctl.conf b/sysctl.conf
@@ -69,7 +69,7 @@ net.core.somaxconn = 50000
 net.ipv4.tcp_max_syn_backlog = 30000
 
 # Increase the length of the network device input queue
-net.core.netdev_max_backlog = 5000
+net.core.netdev_max_backlog = 20000
 
 # Increase system file descriptor limit so we will (probably)
 # never run out under lots of concurrent requests.
@@ -108,7 +108,7 @@ net.core.rmem_default = 16777216
 net.core.wmem_default = 16777216
 net.core.optmem_max = 40960
 net.ipv4.tcp_rmem = 4096 87380 16777216
-net.ipv4.tcp_wmem = 4096 87380 16777216
+net.ipv4.tcp_wmem = 4096 65536 16777216
 
 
 # --------------------------------------------------------------------

diff --git a/sysctl.conf b/sysctl.conf
@@ -108,7 +108,7 @@ net.core.rmem_default = 16777216
 net.core.wmem_default = 16777216
 net.core.optmem_max = 40960
 net.ipv4.tcp_rmem = 4096 87380 16777216
-net.ipv4.tcp_wmem = 4096 65536 16777216
+net.ipv4.tcp_wmem = 4096 87380 16777216
 
 
 # --------------------------------------------------------------------

diff --git a/sysctl.conf b/sysctl.conf
@@ -120,7 +120,7 @@ net.ipv4.tcp_keepalive_time = 60
 
 # Wait a maximum of 5 * 2 = 10 seconds in the TIME_WAIT state after a FIN, to handle
 # any remaining packets in the network. 
-net.netfilter.nf_conntrack_tcp_timeout_time_wait = 5
+net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
 
 # How long to keep ESTABLISHED connections in conntrack table
 # Should be higher than tcp_keepalive_time + tcp_keepalive_probes * tcp_keepalive_intvl )

diff --git a/sysctl.conf b/sysctl.conf
@@ -48,7 +48,7 @@ kernel.shmall = 4294967296
 net.ipv4.tcp_syncookies = 1
 
 # See evil packets in your logs.
-net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.all.log_martians = 0
 
 # Discourage Linux from swapping idle server processes to disk (default = 60)
 vm.swappiness = 10
@@ -120,7 +120,12 @@ net.ipv4.tcp_keepalive_time = 60
 
 # Wait a maximum of 5 * 2 = 10 seconds in the TIME_WAIT state after a FIN, to handle
 # any remaining packets in the network. 
-#net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 5
+net.netfilter.nf_conntrack_tcp_timeout_time_wait = 5
+
+# How long to keep ESTABLISHED connections in conntrack table
+# Should be higher than tcp_keepalive_time + tcp_keepalive_probes * tcp_keepalive_intvl )
+net.netfilter.nf_conntrack_tcp_timeout_established = 300
+net.netfilter.nf_conntrack_generic_timeout = 300
 
 # Allow a high number of timewait sockets
 net.ipv4.tcp_max_tw_buckets = 2000000

diff --git a/sysctl.conf b/sysctl.conf
@@ -107,8 +107,8 @@ net.core.wmem_max = 16777216
 net.core.rmem_default = 16777216
 net.core.wmem_default = 16777216
 net.core.optmem_max = 40960
-#net.ipv4.tcp_rmem = 4096 87380 16777216
-#net.ipv4.tcp_wmem = 4096 65536 16777216
+net.ipv4.tcp_rmem = 4096 87380 16777216
+net.ipv4.tcp_wmem = 4096 65536 16777216
 
 
 # --------------------------------------------------------------------

diff --git a/sysctl.conf b/sysctl.conf
@@ -23,9 +23,9 @@ kernel.core_uses_pid = 1
 net.ipv4.tcp_syncookies = 1
 
 # Disable netfilter on bridges.
-net.bridge.bridge-nf-call-ip6tables = 0
-net.bridge.bridge-nf-call-iptables = 0
-net.bridge.bridge-nf-call-arptables = 0
+#net.bridge.bridge-nf-call-ip6tables = 0
+#net.bridge.bridge-nf-call-iptables = 0
+#net.bridge.bridge-nf-call-arptables = 0
 
 # Controls the default maxmimum size of a mesage queue
 kernel.msgmnb = 65536
@@ -107,8 +107,8 @@ net.core.wmem_max = 16777216
 net.core.rmem_default = 16777216
 net.core.wmem_default = 16777216
 net.core.optmem_max = 40960
-net.ipv4.tcp_rmem = 4096 87380 16777216
-net.ipv4.tcp_wmem = 4096 65536 16777216
+#net.ipv4.tcp_rmem = 4096 87380 16777216
+#net.ipv4.tcp_wmem = 4096 65536 16777216
 
 
 # --------------------------------------------------------------------
@@ -120,7 +120,7 @@ net.ipv4.tcp_keepalive_time = 60
 
 # Wait a maximum of 5 * 2 = 10 seconds in the TIME_WAIT state after a FIN, to handle
 # any remaining packets in the network. 
-net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 5
+#net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 5
 
 # Allow a high number of timewait sockets
 net.ipv4.tcp_max_tw_buckets = 2000000

diff --git a/sysctl.conf b/sysctl.conf
@@ -0,0 +1,140 @@
+# Kernel sysctl configuration file for Red Hat Linux
+#
+# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
+# sysctl.conf(5) for more details.
+
+# Controls IP packet forwarding
+net.ipv4.ip_forward = 0
+
+# Controls source route verification
+net.ipv4.conf.default.rp_filter = 1
+
+# Do not accept source routing
+net.ipv4.conf.default.accept_source_route = 0
+
+# Controls the System Request debugging functionality of the kernel
+kernel.sysrq = 0
+
+# Controls whether core dumps will append the PID to the core filename.
+# Useful for debugging multi-threaded applications.
+kernel.core_uses_pid = 1
+
+# Controls the use of TCP syncookies
+net.ipv4.tcp_syncookies = 1
+
+# Disable netfilter on bridges.
+net.bridge.bridge-nf-call-ip6tables = 0
+net.bridge.bridge-nf-call-iptables = 0
+net.bridge.bridge-nf-call-arptables = 0
+
+# Controls the default maxmimum size of a mesage queue
+kernel.msgmnb = 65536
+
+# Controls the maximum size of a message, in bytes
+kernel.msgmax = 65536
+
+# Controls the maximum shared segment size, in bytes
+kernel.shmmax = 68719476736
+
+# Controls the maximum number of shared memory segments, in pages
+kernel.shmall = 4294967296
+
+
+# See also http://www.nateware.com/linux-network-tuning-for-2013.html for
+# an explanation about some of these parameters, and instructions for
+# a few other tweaks outside this file.
+
+# Protection from SYN flood attack.
+net.ipv4.tcp_syncookies = 1
+
+# See evil packets in your logs.
+net.ipv4.conf.all.log_martians = 1
+
+# Discourage Linux from swapping idle server processes to disk (default = 60)
+vm.swappiness = 10
+
+# Tweak how the flow of kernel messages is throttled.
+#kernel.printk_ratelimit_burst = 10
+#kernel.printk_ratelimit = 5
+
+# --------------------------------------------------------------------
+# The following allow the server to handle lots of connection requests
+# --------------------------------------------------------------------
+
+# Increase number of incoming connections that can queue up
+# before dropping
+net.core.somaxconn = 50000
+
+# Handle SYN floods and large numbers of valid HTTPS connections
+net.ipv4.tcp_max_syn_backlog = 30000
+
+# Increase the length of the network device input queue
+net.core.netdev_max_backlog = 5000
+
+# Increase system file descriptor limit so we will (probably)
+# never run out under lots of concurrent requests.
+# (Per-process limit is set in /etc/security/limits.conf)
+fs.file-max = 100000
+
+# Widen the port range used for outgoing connections
+net.ipv4.ip_local_port_range = 10000 65000
+
+# If your servers talk UDP, also up these limits
+net.ipv4.udp_rmem_min = 8192
+net.ipv4.udp_wmem_min = 8192
+
+# --------------------------------------------------------------------
+# The following help the server efficiently pipe large amounts of data 
+# --------------------------------------------------------------------
+
+# Disable source routing and redirects
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+
+# Disable packet forwarding.
+net.ipv4.ip_forward = 0
+net.ipv6.conf.all.forwarding = 0
+
+# Disable TCP slow start on idle connections
+net.ipv4.tcp_slow_start_after_idle = 0
+
+# Increase Linux autotuning TCP buffer limits
+# Set max to 16MB for 1GE and 32M (33554432) or 54M (56623104) for 10GE
+# Don't set tcp_mem itself! Let the kernel scale it based on RAM.
+net.core.rmem_max = 16777216
+net.core.wmem_max = 16777216
+net.core.rmem_default = 16777216
+net.core.wmem_default = 16777216
+net.core.optmem_max = 40960
+net.ipv4.tcp_rmem = 4096 87380 16777216
+net.ipv4.tcp_wmem = 4096 65536 16777216
+
+
+# --------------------------------------------------------------------
+# The following allow the server to handle lots of connection churn
+# --------------------------------------------------------------------
+
+# Disconnect dead TCP connections after 1 minute
+net.ipv4.tcp_keepalive_time = 60
+
+# Wait a maximum of 5 * 2 = 10 seconds in the TIME_WAIT state after a FIN, to handle
+# any remaining packets in the network. 
+net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 5
+
+# Allow a high number of timewait sockets
+net.ipv4.tcp_max_tw_buckets = 2000000
+
+# Timeout broken connections faster (amount of time to wait for FIN)
+net.ipv4.tcp_fin_timeout = 10
+
+# Let the networking stack reuse TIME_WAIT connections when it thinks it's safe to do so
+# net.ipv4.tcp_tw_reuse = 1
+
+# Determines the wait time between isAlive interval probes (reduce from 75 sec to 15)
+net.ipv4.tcp_keepalive_intvl = 15
+
+# Determines the number of probes before timing out (reduce from 9 sec to 5 sec)
+net.ipv4.tcp_keepalive_probes = 5
+
+# -------------------------------------------------------------