Sysctl
Revision as of 10:17, 31 March 2014
The sysctl preload/configuration file can be created at /etc/sysctl.d/99-sysctl.conf. For systemd, /etc/sysctl.d/ and /usr/lib/sysctl.d/ are drop-in directories for kernel sysctl parameters. The naming and source directory decide the order of processing, which is important since the last parameter processed may override earlier ones. For example, parameters in /usr/lib/sysctl.d/50-default.conf will be overridden by equal parameters in /etc/sysctl.d/50-default.conf and by any configuration file processed later from either directory.

/usr/lib/sysctl.d/*. If you had customized /etc/sysctl.conf, you need to rename it as /etc/sysctl.d/99-sysctl.conf.
To load all configuration files manually, execute
# sysctl --system
which will also output the applied hierarchy. A single parameter file can also be loaded explicitly with
# sysctl -p filename.conf
The parameters available are those listed under
/proc/sys/. For example, the
kernel.sysrq parameter refers to the file
/proc/sys/kernel/sysrq on the file system. The
sysctl -a command can be used to display all currently available values.
/usr/lib/modules/$(uname -r)/build/Documentation/sysctl/. It is highly recommended to read these before changing sysctl settings.
Settings can be changed through file manipulation or using the sysctl utility. For example, to temporarily enable the magic SysRq key:
# sysctl kernel.sysrq=1
or, equivalently, by writing to the file under /proc/sys:
# echo "1" > /proc/sys/kernel/sysrq
To preserve changes between reboots, add or modify the appropriate lines in /etc/sysctl.d/99-sysctl.conf or another applicable parameter file.
Parameters under /proc/sys/net/bridge/* depend on the bridge module. If it is not loaded at runtime (or after a reboot), those settings will silently not be applied. See Kernel modules#Loading.
# reuse/recycle time-wait sockets
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
=== TCP/IP stack hardening ===

#### ipv4 networking ####

## TCP SYN cookie protection (default)
## helps protect against SYN flood attacks
## only kicks in when net.ipv4.tcp_max_syn_backlog is reached
net.ipv4.tcp_syncookies = 1

## protect against tcp time-wait assassination hazards
## drop RST packets for sockets in the time-wait state
## (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 = 1

## tcp timestamps
## + protect against wrapping sequence numbers (at gigabit speeds)
## + round trip time calculation implemented in TCP
## - causes extra overhead and allows uptime detection by scanners like nmap
## enable @ gigabit speeds
net.ipv4.tcp_timestamps = 0
#net.ipv4.tcp_timestamps = 1

## source address verification (sanity checking)
## helps protect against spoofing attacks
net.ipv4.conf.all.rp_filter = 1

## disable ALL packet forwarding (not a router, disable it) (default)
net.ipv4.ip_forward = 0

## log martian packets
net.ipv4.conf.all.log_martians = 1

## ignore echo broadcast requests to prevent being part of smurf attacks (default)
net.ipv4.icmp_echo_ignore_broadcasts = 1

## optionally, ignore all echo requests
## this is NOT recommended, as it ignores echo requests on localhost as well
#net.ipv4.icmp_echo_ignore_all = 1

## ignore bogus icmp errors (default)
net.ipv4.icmp_ignore_bogus_error_responses = 1

## IP source routing (insecure, disable it) (default)
net.ipv4.conf.all.accept_source_route = 0

## send redirects (not a router, disable it)
net.ipv4.conf.all.send_redirects = 0

## ICMP routing redirects (only secure)
net.ipv4.conf.all.accept_redirects = 0
#net.ipv4.conf.all.secure_redirects = 1 (default)
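A drop-in file only describes the intended state; whether the running kernel actually holds those values depends on processing order and on the providing module being loaded, as described above. As an added example (not from the wiki page or from the sysctl tool itself), the following POSIX shell script parses a sysctl.conf-style file such as the hardening set above and compares every key with the value the kernel currently exposes under /proc/sys, reporting keys that differ and keys whose /proc/sys entry does not exist (the module-not-loaded case). The variable SYSCTL_ROOT, the functions key_to_path, parse_conf, audit_conf and audit_status, and the file name 60-hardening.conf are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit a sysctl drop-in file against the
# values the running kernel exposes under /proc/sys. Plain POSIX sh, no root needed
# for reading.
# SYSCTL_ROOT is an assumed knob of this script only: it defaults to /proc/sys but
# can point at a constructed directory tree to exercise the script offline.

SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# key_to_path: net.ipv4.tcp_syncookies -> net/ipv4/tcp_syncookies
# Caveat: a key whose interface name itself contains dots (e.g. a VLAN interface
# under net.ipv4.conf.*) is ambiguous in dotted form; sysctl(8) accepts '/' as a
# separator for those keys, and so does this function.
key_to_path() {
    printf '%s\n' "$1" | tr '.' '/'
}

# parse_conf FILE: print "key value" pairs from a sysctl.conf-style file, skipping
# blank lines and comments (lines starting with '#' or ';') and trimming the
# whitespace around '=' the way sysctl --system does.
parse_conf() {
    sed -e 's/^[[:space:]]*//' -e '/^$/d' -e '/^[#;]/d' "$1" |
    awk -F'=' 'NF >= 2 {
        key = $1; sub(/[ \t]+$/, "", key)
        val = substr($0, index($0, "=") + 1)
        sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        print key, val
    }'
}

# audit_conf FILE: print one line per key: OK, MISMATCH (live value differs) or
# MISSING (no /proc/sys entry, typically because the module providing the
# parameter is not loaded). Multi-field values such as net.ipv4.ip_local_port_range
# are compared with their whitespace normalised.
audit_conf() {
    parse_conf "$1" | while read -r key want; do
        path="$SYSCTL_ROOT/$(key_to_path "$key")"
        if [ ! -r "$path" ]; then
            printf 'MISSING  %s (no %s; module not loaded?)\n' "$key" "$path"
            continue
        fi
        have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ $//')
        if [ "$have" = "$want" ]; then
            printf 'OK       %s = %s\n' "$key" "$have"
        else
            printf 'MISMATCH %s: want %s, have %s\n' "$key" "$want" "$have"
        fi
    done
    return 0
}

# audit_status FILE: exit status is the number of keys not in the desired state
# (capped at 255), so the script can gate a deployment or feed a monitoring check.
audit_status() {
    n=$(audit_conf "$1" | grep -c -v '^OK' || true)
    if [ "$n" -gt 255 ]; then n=255; fi
    return "$n"
}

# Usage: sh sysctl-audit.sh /etc/sysctl.d/60-hardening.conf   (file name assumed)
if [ $# -gt 0 ]; then
    audit_conf "$1"
    audit_status "$1"
fi
```

Running it after `sysctl --system` shows immediately whether a later drop-in or a missing module has undone one of the hardening values; a non-zero exit status from audit_status is the count of keys that still need attention.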
There are several key parameters to tune the operation of the virtual memory (VM) subsystem of the Linux kernel and the writeout of dirty data to disk. See the Linux kernel documentation for more information.
# Contains, as a percentage of total system memory, the number of pages at which
# a process which is generating disk writes will start writing out dirty data.
vm.dirty_ratio = 3

# Contains, as a percentage of total system memory, the number of pages at which
# the background kernel flusher threads will start writing out dirty data.
vm.dirty_background_ratio = 2
As noted in the comments, one needs to consider the total amount of RAM when setting these values.
vm.dirty_ratio defaults to 10 (percent of RAM). Consensus is that 10% of RAM when RAM is, say, half a GB (so 10% is ~50 MB) is a sane value on spinning disks, but it can be MUCH worse when RAM is larger, say 16 GB (10% is ~1.6 GB), as that is several seconds of writeback on spinning disks. A more sane value in this case is 3 (16*0.03 ~ 491 MB).
vm.dirty_background_ratio similarly defaults to 5 (% of RAM), which may be just fine for small memory sizes, but again, consider and adjust it according to the amount of RAM on a particular system.
=== Small periodic system freezes ===
Set the dirty bytes limits to a small enough value (for example 4M):
vm.dirty_background_bytes = 4194304
vm.dirty_bytes = 4194304
Try to change kernel.io_delay_type (x86 only):
- 0 - IO_DELAY_TYPE_0X80
- 1 - IO_DELAY_TYPE_0XED
- 2 - IO_DELAY_TYPE_UDELAY
- 3 - IO_DELAY_TYPE_NONE