Kernel Security and Performance Tuning with Sysctl

Jacob Mathai

I compiled this brief list of kernel security and network performance tuning options partly because I use it as a reference when hardening operating systems or doing capacity planning, and partly because I have not seen a similar combined document on the web. Most of these options can be applied on the fly, either through /proc/sys/ or by editing /etc/sysctl.conf and issuing 'sysctl -p'. You can verify the changes by browsing /proc/sys/ or by issuing 'sysctl -a'. The most comprehensive documentation I have come across that deals specifically with the IP stack and Linux kernels is the IPsysctl Tutorial; consult it for an overview of what each network parameter entails before making these types of changes to your system. Under /proc/sys/kernel you will see the running state of the kernel, under /proc/sys/net the running state of the kernel's network parameters, /proc/sys/fs holds many filesystem parameters, and /proc/sys/vm exposes the virtual memory parameters.

Security Feature / Network Kernel Parameter

Ignore broadcast ICMP: ON (prevents ping scanning via broadcast echo requests)
    net.ipv4.icmp_echo_ignore_broadcasts = 1

Protect against SYN flood attacks: ON
    net.ipv4.tcp_syncookies = 1

Log invalid (martian) source addresses received by the kernel: ON
    net.ipv4.conf.all.log_martians = 1

Send ICMP redirects: OFF (non-router machines)
    net.ipv4.conf.all.send_redirects = 0

Accept ICMP redirects: OFF (non-router machines)
    net.ipv4.conf.all.accept_redirects = 0

Enforce route verification: ON
    A packet is accepted only if the interface it arrived on is the one the kernel would use to route a reply back to its source address; otherwise the packet is dropped.
    net.ipv4.conf.all.rp_filter = 1

Accept source-routed packets: OFF
    Packets carrying a source route option are discarded and the kernel's own routes are always used; this helps prevent IP spoofing.
    net.ipv4.conf.all.accept_source_route = 0
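To check that the settings in the security table above are actually in effect on a host, here is a small POSIX shell audit script (an added example, not part of the original page). It reads each parameter straight from the /proc/sys tree, as the introduction describes, and takes the tree's root as an argument so it can also be pointed at a copied or constructed tree; the key list, the OK/DRIFT/MISSING output format and the function names are this example's own choices.

```shell
#!/bin/sh
# Audit the security sysctls from the table above against a /proc/sys tree
# (added example). The root is a parameter so it can also run on a fixture.

# key=value pairs, taken from the Security Feature table above
EXPECTED="net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0"

# Print the expected settings in /etc/sysctl.conf syntax
emit_sysctl_conf() {
    for entry in $EXPECTED; do
        printf '%s = %s\n' "${entry%%=*}" "${entry#*=}"
    done
}

# check_sysctls <root>: print OK / DRIFT / MISSING per key and return the
# number of keys not at their expected value (0 = compliant)
check_sysctls() {
    root=${1:-/proc/sys}
    bad=0
    for entry in $EXPECTED; do
        key=${entry%%=*}
        want=${entry#*=}
        # net.ipv4.conf.all.rp_filter -> $root/net/ipv4/conf/all/rp_filter
        file="$root/$(printf '%s' "$key" | tr '.' '/')"
        if [ ! -r "$file" ]; then
            printf 'MISSING  %s\n' "$key"
            bad=$((bad + 1))
            continue
        fi
        have=$(cat "$file")
        if [ "$have" = "$want" ]; then
            printf 'OK       %s = %s\n' "$key" "$have"
        else
            printf 'DRIFT    %s = %s (expected %s)\n' "$key" "$have" "$want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Live host: check_sysctls /proc/sys   (apply fixes with sysctl -p afterwards)
```

A non-zero exit status equals the number of drifted or missing keys, so the script can be dropped into a cron job or configuration check and alert whenever a hardening setting is reverted.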

TCP Performance Tuning / Network Kernel Parameter

TCP buffer sizes (rmem = receive buffer, wmem = transmit buffer)
    net.core.rmem_max = 16777216
    net.core.wmem_max = 16777216

Linux autotuning TCP buffer limits: min, default and max number of bytes
    net.ipv4.tcp_rmem = 4096 87380 16777216
    net.ipv4.tcp_wmem = 4096 65536 16777216

Increase the interface queue length
    ifconfig eth0 txqueuelen 2000

Decrease TCP FIN timeout (default = 60)
    net.ipv4.tcp_fin_timeout = 30

Decrease TCP keepalive time (default = 7200)
    net.ipv4.tcp_keepalive_time = 1800

Set SYN-ACK retries to 3 (default = 5, or 180 seconds)
    net.ipv4.tcp_synack_retries = 3

Kernel Tuning / Kernel Parameter

Increase kernel shared memory
    kernel.shmmax = 1073741824

Tweaking the filesystem: total allocated file handles, currently used file handles, and the maximum number of file handles that can be allocated
    fs.file-nr = 7343 2043 8192

/proc/sys/vm controls how the disk buffers and the Linux VM work with your disks and filesystems. Decreasing the total number of flushes (which in turn causes each flush that is done to take a bit longer) may increase overall performance. Use with caution.
    vm.bdflush = 30 500 0 0 500 3000 60 20 0

Kernel swap daemon: you can change the number of pages that are swapped out when the kernel needs memory. Here the number of pages to be searched is set to 1024, and the 64 denotes the number of pages that can be written out to swap during a single round.
    vm.kswapd = 1024 32 64

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License