I compiled this brief list of kernel security and network performance tuning options in part because I use it as a reference when hardening operating systems or while capacity planning, and also because I have not seen a similar combined document on the web.

Most of these options can be applied on the fly, either by writing to the files under /proc/sys/ (or with 'sysctl -w key=value') or by adding them to /etc/sysctl.conf and issuing 'sysctl -p'. A value written to /proc/sys/ takes effect immediately but is lost at reboot; only the entries in /etc/sysctl.conf are reapplied at boot, so do both. You can verify the running values by reading /proc/sys/ or by issuing 'sysctl -a'.

The most comprehensive documentation that I have come across detailing the Linux IP stack parameters is the IPsysctl Tutorial. Consult the tutorial for an overview of what each network parameter entails before making these types of changes to your system. The tree is laid out as follows: under /proc/sys/kernel you will see the running state of the kernel, under /proc/sys/net the running state of the kernel network parameters, /proc/sys/fs holds the filesystem parameters, and /proc/sys/vm exposes the virtual memory parameters.
Security Feature | Network Kernel Parameter
--- | ---
Ignore broadcast ICMP echo requests ON (stops the host being used as a smurf amplifier; it does not hide the host from a direct ping scan) | net.ipv4.icmp_echo_ignore_broadcasts = 1
Protect against SYN flood attacks ON (SYN cookies are only used once the listen backlog overflows, so normal connections are unaffected) | net.ipv4.tcp_syncookies = 1
Log martian packets, i.e. packets with impossible source or destination addresses, to the kernel log ON | net.ipv4.conf.all.log_martians = 1
Send ICMP redirects OFF (non-router machines) | net.ipv4.conf.all.send_redirects = 0
Accept ICMP redirects OFF (non-router machines) | net.ipv4.conf.all.accept_redirects = 0
Enforce reverse path verification ON (strict mode: a packet is dropped unless the route back to its source address goes out the interface the packet arrived on; this breaks asymmetric routing on multi-homed hosts, where the loose mode value 2 is the safer choice) | net.ipv4.conf.all.rp_filter = 1
Accept source-routed packets OFF (discard packets carrying a source-route option, which lets the sender dictate the path and is a classic aid to IP spoofing) | net.ipv4.conf.all.accept_source_route = 0

Note that the conf.all.* keys do not by themselves override every interface: the effective setting is derived from both conf.all and conf.<interface> (for rp_filter the larger of the two is used, and send_redirects or log_martians stays enabled if either is set), and new interfaces are initialised from conf.default.*. Set the matching net.ipv4.conf.default.* keys to the same values and check the per-interface keys on any interface that was already up.
|
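The hardening rows above can be audited and applied with a small POSIX shell script. The following is an added example, not code from the original page: it assumes a PROC_SYS variable pointing at the root of the sysctl tree (default /proc/sys) so the same functions can be exercised against a fixture directory without root, and the function names (sysctl_path, sysctl_get, audit_sysctls, apply_sysctls, sysctl_conf_lines) are this example's own.

```shell
#!/bin/sh
# Audit/apply helper for the hardening sysctls in the table above.
# Added example, not code from the original page. PROC_SYS (an assumption of
# this script) is the root of the sysctl tree: /proc/sys on a live host, or a
# fixture directory when testing without root.
PROC_SYS="${PROC_SYS:-/proc/sys}"

# Desired settings, one "key value..." per line. Multi-value keys such as
# net.ipv4.tcp_rmem may be listed too; everything after the key is the value.
HARDENING_SYSCTLS='
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_source_route 0
'

# Map a sysctl key to its file: net.ipv4.conf.all.rp_filter becomes
# $PROC_SYS/net/ipv4/conf/all/rp_filter.
sysctl_path() {
    printf '%s/%s\n' "$PROC_SYS" "$(printf '%s' "$1" | tr . /)"
}

# Print the running value of a key with whitespace normalised to single
# spaces (the kernel separates multi-value entries with tabs); fail if the
# key does not exist on this kernel.
sysctl_get() {
    _f=$(sysctl_path "$1")
    [ -r "$_f" ] || return 1
    set -- $(cat "$_f")   # word-split on purpose to normalise tabs/newlines
    printf '%s\n' "$*"
}

# Compare every desired setting with the live value. Prints one status line
# per key and returns the number of keys that are missing or differ, so an
# exit status of 0 means the host is compliant.
audit_sysctls() {
    _bad=0
    while read -r _key _want; do
        [ -n "$_key" ] || continue
        if ! _have=$(sysctl_get "$_key"); then
            printf 'MISSING  %s\n' "$_key"
            _bad=$((_bad + 1))
        elif [ "$_have" != "$_want" ]; then
            printf 'MISMATCH %s = %s (want %s)\n' "$_key" "$_have" "$_want"
            _bad=$((_bad + 1))
        else
            printf 'OK       %s = %s\n' "$_key" "$_have"
        fi
    done <<EOF
$HARDENING_SYSCTLS
EOF
    return "$_bad"
}

# Write every desired value into the tree (needs root on a live /proc/sys).
# Like 'sysctl -p', this takes effect immediately but is lost at reboot.
# Returns the number of keys that could not be written.
apply_sysctls() {
    _bad=0
    while read -r _key _want; do
        [ -n "$_key" ] || continue
        _f=$(sysctl_path "$_key")
        if [ -w "$_f" ]; then
            printf '%s\n' "$_want" > "$_f"
        else
            printf 'cannot write %s\n' "$_f" >&2
            _bad=$((_bad + 1))
        fi
    done <<EOF
$HARDENING_SYSCTLS
EOF
    return "$_bad"
}

# Emit the settings in /etc/sysctl.conf syntax ("key = value").
sysctl_conf_lines() {
    printf '%s\n' "$HARDENING_SYSCTLS" | sed -n 's/^\([^ ]*\) \(.*\)$/\1 = \2/p'
}

case "${1:-}" in
    --audit) audit_sysctls ;;
    --apply) apply_sysctls && audit_sysctls ;;
    --conf)  sysctl_conf_lines ;;
    *) printf 'usage: %s --audit | --apply | --conf\n' "$0" >&2 ;;
esac
```

Run 'sh harden-sysctl.sh --audit' on any host to see which rows deviate (the exit status is the count of deviations, which makes it convenient for cron or a CI check), '--apply' as root to set them on the running kernel, and '--conf >> /etc/sysctl.conf' to persist them; the two-step apply-then-audit in '--apply' confirms the kernel actually accepted each value rather than trusting the write.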
|
TCP Performance Tuning | Network Kernel Parameter
--- | ---
Maximum receive socket buffer an application may request, in bytes (rmem = receive buffer) | net.core.rmem_max = 16777216
Maximum send socket buffer an application may request, in bytes (wmem = transmit buffer) | net.core.wmem_max = 16777216
Linux TCP autotuning receive buffer limits: minimum, default and maximum number of bytes | net.ipv4.tcp_rmem = 4096 87380 16777216
Linux TCP autotuning send buffer limits: minimum, default and maximum number of bytes | net.ipv4.tcp_wmem = 4096 65536 16777216
Increase the interface transmit queue length (not a sysctl: it is set per interface, is lost at reboot, and the iproute2 equivalent is 'ip link set dev eth0 txqueuelen 2000') | ifconfig eth0 txqueuelen 2000
Decrease the TCP FIN timeout, the seconds a socket may stay in FIN-WAIT-2 (default=60) | net.ipv4.tcp_fin_timeout = 30
Decrease the TCP keepalive time, the seconds a connection may be idle before the first keepalive probe (default=7200) | net.ipv4.tcp_keepalive_time = 1800
Set SYN-ACK retries to 3 so half-open connections are abandoned sooner under a SYN flood (default=5; documented as about 180 seconds on older kernels, about 63 seconds with the current 1-second initial RTO) | net.ipv4.tcp_synack_retries = 3
|
|
|
Kernel Tuning | Parameter
--- | ---
Increase the maximum size of a single shared memory segment (1 GiB here; applications such as databases that need large segments may also require raising kernel.shmall, the total shared memory in pages) | kernel.shmmax = 1073741824
File handle accounting. The three values are the total allocated file handles, the allocated but unused handles (on 2.4 kernels this second field was the handles currently in use), and the maximum that can be allocated. fs.file-nr is read-only; to raise the ceiling set fs.file-max instead. | fs.file-nr = 7343 2043 8192
/proc/sys/vm bdflush tuning: how the disk buffers and the Linux VM work with your disks and filesystems. Decreasing the total number of flushes (which in turn makes each flush take a bit longer) may increase overall throughput. Use with caution. This parameter exists only on 2.4 kernels; on 2.6 and later it was removed and dirty-page writeback is controlled by vm.dirty_background_ratio, vm.dirty_ratio, vm.dirty_expire_centisecs and vm.dirty_writeback_centisecs. | vm.bdflush = 30 500 0 0 500 3000 60 20 0
Kernel swap daemon: controls how many pages are swapped out when the kernel needs memory. The three values are tries_base (1024, from which the maximum number of pages kswapd tries to free in one pass is derived), tries_min (32, the minimum number of tries each time kswapd is called) and swap_cluster (64, the number of pages written out to swap in a single round). This parameter also exists only on 2.4 kernels; on 2.6 and later vm.swappiness is the main knob. | vm.kswapd = 1024 32 64
|
|