Linux Kernel Parameter sysctl.conf optimization scheme

Source: Internet
Author: User
Tags: rfc sendfile

The most complete sysctl.conf optimization scheme in China
There are various versions of the sysctl.conf optimization scheme on the Internet, most of them copied from one another, which leaves new users confused. To solve this problem, I have gone through a great deal of material over the past two days and summarized it as follows. Many items whose defaults do not need to be modified are not covered yet; in the future we will gradually provide translation, explanation and modification suggestions for all items. If there are any changes, this document shall prevail; I will not update the content in other places. Therefore, please indicate the link address when reprinting:
http://www.bsdlover.cn/security/2007/1216/article_8.html
If you have any comments, additions or corrections, please comment on this article or contact us by email:
cujxtm@gmail.com
Thank you!
###################
All RFC-related options are enabled by default, so the "RFC support" lines that people on the Internet add to their own sysctl.conf can be discarded :)
###############################
net.inet.ip.sourceroute = 0
net.inet.ip.accept_sourceroute = 0
#############################
Through source routing an attacker can try to reach internal IP addresses, including the RFC 1918 private ranges, so
source-routed packets are not accepted, to prevent your internal network from being probed.
#################################
net.inet.tcp.drop_synfin = 1
###################################
Security parameter. Requires the TCP_DROP_SYNFIN option to be added when the kernel is compiled; it prevents some OS detection (fingerprinting).
##################################
Kernel. maxvnodes = 8446
################ Http://www.bsdlover.cn #########
Vnode is an internal expression of a file or directory. Therefore, increasing the number of vnodes that can be used by the operating system will reduce the disk I/O.
Generally, this is done by the operating system and does not need to be modified. However, in some cases, disk I/O may become a bottleneck,
If the system has insufficient vnodes, this configuration should be added. In this case, we need to consider the number of inactive and idle memory.
To view the number of currently used vnodes:
# Sysctl VFS. numvnodes
VFS. numvnodes: 91349
To view the maximum number of available vnodes:
# Sysctl Kern. maxvnodes
Kern. maxvnodes: 100000
If the current vnode usage is close to the maximum value, it may be a good idea to increase the Kern. maxvnodes value by 1,000.
You should continue to view the value of VFS. numvnodes,
You still need to continue to improve Kern. maxvnodes. The memory usage displayed in top (1) should change significantly,
More memory will be active.
####################################
kern.maxproc: 964
################ http://www.bsdlover.cn #########
Maximum number of processes
####################################
kern.maxprocperuid: 867
################ http://www.bsdlover.cn #########
Maximum number of processes allowed per user ID
####################################
Because my maxusers is set to 256, 20 + 16 * maxusers = 4116.
maxprocperuid must be at least 1 less than maxproc, because the system program init(8) must always be able to run.
I set it to 2068.
kern.maxfiles: 1928
################ http://www.bsdlover.cn #########
The maximum number of files the system can have open at the same time. If you run a database or a large process that eats descriptors, set it above 20000;
a desktop environment such as KDE also uses a lot of files at the same time.
It is generally recommended to set 32768 or 65536.
####################################
kern.argmax: 262144
################ http://www.bsdlover.cn #########
Maximum number of bytes (or characters) in an argument list.
This is the most the command line can carry in parameters. For example, when you use find to batch-delete files with
find . -name "*.old" -delete, if the number of files exceeds this limit you will be told there are too many arguments.
You can use find . -name "*.old" -ok rm {} \; to delete them instead.
The default is enough, so we do not recommend modifying it.
####################################
kern.securelevel: -1
################ http://www.bsdlover.cn #########
-1: the system default; provides no kernel protection at all;
0: does almost nothing; once the system has booted and enters multi-user mode it is automatically raised to level 1;
1: at this level there are several restrictions:
a. kernel modules cannot be loaded or unloaded with kldload or kldunload;
b. applications cannot write memory directly through /dev/mem or /dev/kmem;
c. mounted disks cannot be written directly (so the disk cannot be formatted), but writes through the standard kernel interfaces still work;
d. X Windows cannot be started, and chflags cannot be used to modify file attributes;
2: in addition to level 1, unmounted disks cannot be written either, and more than one warning per second cannot be generated, which prevents a DoS against the console;
3: in addition to level 2, the ipfw firewall rules cannot be modified.
If you have installed a firewall and configured its rules, level 3 is recommended. If you have not installed a firewall but are still preparing to install one, it is not recommended.
We recommend using level 2 to avoid many kernel attacks.
####################################
kern.maxfilesperproc: 1735
################ http://www.bsdlover.cn #########
The maximum number of files a single process can have open at the same time. Many articles on the Internet write 32768.
Unless asynchronous I/O or a large number of threads is used, a process opening that many files is abnormal.
I personally recommend not modifying it; keep the default.
####################################
kern.ipc.maxsockbuf: 262144
################ http://www.bsdlover.cn #########
The maximum socket buffer. Articles on the Internet recommend setting it to 2097152 (2 MB) or 8388608 (8 MB).
I personally recommend not modifying it; keep the default of 256 KB. A large buffer can cause fragmentation, blocking or packet loss.
####################################
kern.ipc.somaxconn: 128
################ http://www.bsdlover.cn #########
The maximum length of the queue of sockets waiting for connection completion, that is, the number of pending connections.
On high-load servers and systems under DoS attack the queue can fill up, so normal service cannot be provided.
The default is 128. We recommend raising it according to the actual load; the larger the number, the more memory is used.
####################################
kern.ipc.nmbclusters: 4800
################ http://www.bsdlover.cn #########
This value adjusts the number of clusters allocated to network mbufs after the system boots.
Because each cluster is 2 KB, a value of 1024 uses 2 MB of kernel memory.
Suppose there are about 1000 web connections online at the same time and the TCP send and receive buffers are 16 KB each;
in the worst case we need (16 K + 16 K) * 1024, that is 32 MB,
but the mbufs required are about twice that space, that is 64 MB, so the number of clusters required is 64 MB / 2 K, that is 32768.
For machines with limited memory the recommended value is between 1024 and 4096; when there is plenty of memory we can set it to 4096 to 32768.
We can use the netstat command with the -m parameter to view the number of mbufs currently in use.
This value must be set at boot time, so the change can only be added to /boot/loader.conf:
kern.ipc.nmbclusters="32768"
####################################
kern.ipc.shmmax: 33554432
################ http://www.bsdlover.cn #########
Shared memory and semaphores ("System V IPC"): if these are too small, some large software will not start.
When xine and mplayer are installed, the installer suggests setting it to 67108864, that is 64 MB;
if memory is large it can be set to 134217728, that is 128 MB.
####################################
kern.ipc.shmall: 8192
################ http://www.bsdlover.cn #########
Shared memory and semaphores ("System V IPC"): if these are too small, some large software will not start.
When xine and mplayer are installed, the installer suggests setting it to 32768.
####################################
kern.ipc.shm_use_phys: 0
################ http://www.bsdlover.cn #########
If set to 1, all System V shared memory (a form of inter-process communication) is kept in physical memory
rather than in swap space on disk. Physical memory is much faster to access than disk, and when physical memory runs short
some data is moved to virtual memory; moving data from physical memory to disk is called swapping. If swapping happens often,
the disk is constantly doing I/O and everything becomes very slow. So if we have a large number of programs (hundreds) sharing a small shared-memory region,
or the shared-memory region is large, we can enable this value.
I personally recommend not modifying this item unless you have a very large amount of memory.
####################################
kern.ipc.shm_allow_removed: 0
################ http://www.bsdlover.cn #########
Whether shared memory that has been marked as removed may still be attached to. This apparently has to be set to 1 for VMware to be installed on FreeBSD; otherwise an error is reported when the svga module loads.
On a server, leave this alone.
####################################
kern.ipc.numopensockets: 12
################ http://www.bsdlover.cn #########
The number of open sockets. Check this number during the busiest period and you will know what maxsockets should be set to.
####################################
kern.ipc.maxsockets: 1928
################ http://www.bsdlover.cn #########
This sets the maximum number of sockets the system can have open. If your server provides a lot of FTP service
and many small files are transferred in quick succession, you may find that transfers are often interrupted halfway. When FTP transfers files,
each file needs its own socket, and closing a socket takes some time. If transfers are fast
and there are many files, the number of sockets open at the same time exceeds what the system originally permits, and we must raise the value.
Besides FTP, other network programs may have this problem too.
This value must be set when the system boots, so to change it you must edit /boot/loader.conf:
kern.ipc.maxsockets="16424"
####################################
kern.ipc.nsfbufs: 1456
################ http://www.bsdlover.cn #########
On busy servers that make heavy use of the sendfile(2) system call,
it may be necessary to adjust the number of sendfile(2) buffers through the NSFBUFS kernel option or in /boot/loader.conf (see loader(8) for details).
The usual sign that this parameter needs adjusting is processes showing the sfbufa state. The sysctl variable kern.ipc.nsfbufs is read-only;
it is derived from kern.maxusers, but may need to be raised accordingly.
Add to /boot/loader.conf:
kern.ipc.nsfbufs="2496"
####################################
kern.maxusers: 59
################ http://www.bsdlover.cn #########
The value of maxusers determines the maximum number of processes allowed: 20 + 16 * maxusers is the number of processes you get.
At boot the system must already have 18 processes, and even a simple command such as man creates nine processes,
so setting this value to 64 is a reasonable number.
If your system shows the "proc table full" message, set it larger, for example 128.
Unless your system needs to open a great many files at the same time, do not set it above 256.
You can add this option in /boot/loader.conf:
kern.maxusers="256"
####################################
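The nmbclusters estimate above (1024 connections, 16 K send plus 16 K receive, doubled for mbuf overhead, divided into 2 K clusters) and the maxusers formula (20 + 16 * maxusers, with maxprocperuid at least one below maxproc) are easy to get wrong by hand. The following POSIX sh functions are an added example, not code from the original article: they reproduce that arithmetic, the maxproc/maxprocperuid sanity rule, and the vnode check described under kern.maxvnodes. The 90% threshold used for "close to the maximum" is this example's own assumption; the article only says "close".

```shell
#!/bin/sh
# Added example (not from the original article): the sizing arithmetic this
# page walks through, as shell functions. Constants are the ones the text
# states: 2048-byte mbuf clusters, a 2x mbuf overhead factor, and
# maxproc = 20 + 16 * maxusers.

CLUSTER_BYTES=2048
MBUF_OVERHEAD_FACTOR=2

# mbuf_clusters_needed CONNECTIONS SENDBUF RECVBUF
# Worst case from the article: every connection holds a full send and receive
# buffer, mbufs need roughly twice that space, and each cluster holds 2 KB.
# The result is rounded up to a whole cluster.
mbuf_clusters_needed() {
    conns=$1; sendbuf=$2; recvbuf=$3
    bytes=$(( (sendbuf + recvbuf) * conns * MBUF_OVERHEAD_FACTOR ))
    echo $(( (bytes + CLUSTER_BYTES - 1) / CLUSTER_BYTES ))
}

# maxproc_from_maxusers MAXUSERS -> the process-table ceiling the text gives
maxproc_from_maxusers() {
    echo $(( 20 + 16 * $1 ))
}

# check_proc_limits MAXPROC MAXPROCPERUID -> "ok" or "maxprocperuid too high"
# The article's rule: maxprocperuid must be at least 1 below maxproc so that
# init(8) can always run.
check_proc_limits() {
    if [ "$2" -le $(( $1 - 1 )) ]; then
        echo ok
    else
        echo "maxprocperuid too high"
    fi
}

# vnode_pressure NUMVNODES MAXVNODES -> "ok", or the value to raise
# kern.maxvnodes to. The article says to raise the ceiling by 1000 when use
# is close to it; "close" is taken as 90% or more (this example's assumption).
vnode_pressure() {
    used=$1; max=$2
    if [ $(( used * 100 / max )) -ge 90 ]; then
        echo $(( max + 1000 ))
    else
        echo ok
    fi
}

# Stand-alone demonstration with the article's own figures.
printf 'nmbclusters for 1024 conns, 16K+16K buffers: %s\n' "$(mbuf_clusters_needed 1024 16384 16384)"
printf 'maxproc for maxusers=256: %s\n' "$(maxproc_from_maxusers 256)"
printf 'maxproc=4116 maxprocperuid=2068: %s\n' "$(check_proc_limits 4116 2068)"
printf 'vfs.numvnodes=91349 kern.maxvnodes=100000: %s\n' "$(vnode_pressure 91349 100000)"
```

On a real host the last two checks would take their inputs from `sysctl -n kern.maxproc`, `sysctl -n kern.maxprocperuid`, `sysctl -n vfs.numvnodes` and `sysctl -n kern.maxvnodes`; the figures above are the ones quoted in the article so the output can be compared with the text.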
kern.coredump: 1
################ http://www.bsdlover.cn #########
If set to 0, no core file is generated when a program exits unexpectedly. On a server we do not recommend this.
####################################
kern.corefile: %N.core
################ http://www.bsdlover.cn #########
It can be set to kern.corefile="/data/coredump/%U-%P-%N.core"
Here %U is the uid, %P the process ID and %N the process name. Of course, /data/coredump must be an existing directory.
####################################
vm.swap_idle_enabled: 0
vm.swap_idle_threshold1: 2
vm.swap_idle_threshold2: 10
#########################
Useful on large multi-user systems with many users entering and leaving the system and many idle processes.
It lets processes get into memory faster, but consumes more swap and disk bandwidth.
The system's default paging algorithm is quite good, so it is best not to change this.
########################
vfs.ufs.dirhash_maxmem: 2097152
#########################
Maximum memory for dirhash; the default is 2 MB.
It helps performance when a single directory containing a large number of files is read repeatedly.
It is recommended to change it to 33554432 (32 MB).
#############################
vfs.vmiodirenable: 1
#################
This variable controls whether directories are cached by the system. Most directories are small: on disk a single fragment (typically 1 K) is used, and in the buffer cache even less (typically 512 bytes).
When this variable is off (0), the buffer cache holds only a fixed number of directories, even if you have a large amount of memory.
When it is enabled (1), the buffer cache uses the VM page cache to hold these directories, so all available memory can cache directories.
The disadvantage is that the smallest amount of kernel memory used to cache a directory becomes a physical page (usually 4 K) rather than 512 bytes.
We recommend keeping the default (enabled) when running programs that operate on a large number of files,
such as web caches, large mail systems and news systems.
Although some memory may be wasted, enabling this option usually does not reduce performance. But it should be checked.
####################
vfs.hirunningspace: 1048576
############################
This value determines how much data can be queued to the storage device at once. You can use the default,
but with several hard disks we can raise it to 4 MB or 5 MB.
Note that setting it very high (beyond the write limit of the cache) leads to bad performance.
Do not raise it blindly! A high value can delay reads issued at the same time.
#############################
vfs.write_behind: 1
#########################
This option defaults to 1, that is, enabled. When the system needs to write data to the hard disk or another storage device,
it waits until a whole cluster of data has been collected and then writes it; otherwise data is written to the disk as soon as there is something to write in the buffer.
This option is very helpful for writing large continuous files. However, you may have to disable it if you see many write operations being delayed.
############################
net.local.stream.sendspace: 8192
##################################
Send buffer space for local (Unix domain) stream sockets.
Recommended: 65536
###################################
net.local.stream.recvspace: 8192
##################################
Receive buffer space for local (Unix domain) stream sockets.
Recommended: 65536
###################################
net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 49152
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535
###################
The six items above control the port ranges used by TCP and UDP. The range is divided into three parts: low, default and high.
These are the ephemeral ports your server uses when it initiates a connection. The default range holds more than 10 thousand ports, which is sufficient for general applications.
Even a busy FTP server generally does not serve more than 10 thousand users at the same time;
of course, if your server needs many more, you can change the value of first, for example to start directly at 1024.
#########################
net.inet.ip.redirect: 1
#########################
Set to 0 to block IP redirects.
###########################
net.inet.ip.rtexpire: 3600
net.inet.ip.rtminexpire: 10
########################
Many Apache connections sit in CLOSE_WAIT waiting for the client to close, but the client does not close normally, so many such states accumulate.
We recommend changing it to 2.
#########################
net.inet.ip.intr_queue_maxlen: 50
########################
Maximum size of the IP input queue. If net.inet.ip.intr_queue_drops below keeps increasing,
your queue space is insufficient and you can consider raising this value.
##########################
net.inet.ip.intr_queue_drops: 0
####################
Number of packets dropped from the IP input queue. If this sysctl keeps increasing,
raise the value of net.inet.ip.intr_queue_maxlen.
#######################
net.inet.ip.fastforwarding: 0
#############################
If enabled, once a packet to a given destination has been forwarded successfully, the destination is recorded in the routing table and ARP table, saving route computation time.
However, a large amount of kernel memory is needed to hold the routing table.
If memory is large enough, enable it.
#############################
net.inet.ip.random_id: 0
#####################
By default the IP packet ID number is sequential, which can be exploited by an attacker, for example to work out how many hosts are behind a NAT.
If set to 1, the ID number is random.
#####################
net.inet.icmp.maskrepl: 0
############################
Prevents broadcast storms and disables replies to netmask probes. The default value does not need to be modified.
###############################
net.inet.icmp.icmplim: 200
##############################
Limits the rate at which the system sends ICMP. Change it to 100, or keep it; this does not put much pressure on the system.
###########################
net.inet.icmp.icmplim_output: 1
###################################
If set to 0, the system will no longer log messages such as "Limiting icmp unreach response from 214 to 200 packets per second".
However, disabling the output makes it easy to overlook an attack in progress. Decide this for yourself.
######################################
net.inet.icmp.drop_redirect: 0
net.inet.icmp.log_redirect: 0
###################################
Set to 1 to block ICMP redirects.
###################################
net.inet.icmp.bmcastecho: 0
############################
To prevent broadcast storms, disable echo replies to broadcast addresses. The default value does not need to be modified.
###############################
net.inet.tcp.mssdflt: 512
net.inet.tcp.minmss: 216
###############################
The default and minimum TCP segment sizes. Modifying these two options is not recommended! Or change mssdflt to 1460 and leave minmss unchanged.
For the reason, see
http://www.bsdlover.cn/security/2007/1211/article_4.html
#############################
net.inet.tcp.keepidle: 7200000
######################
Idle time of a TCP socket before keepalive probes start. The default is too long; it can be changed to 600000 (10 minutes).
##########################
net.inet.tcp.sendspace: 32768
################ http://www.bsdlover.cn #########
The maximum buffer space for TCP data to be sent. Once an application has placed data here it is considered sent; the system's TCP stack ensures it is transmitted normally.
####################################
net.inet.tcp.recvspace: 65536
###################################
The maximum TCP receive buffer space, from which the system distributes data to the different sockets. Increasing it improves the system's ability to absorb bursts of incoming data and so improves performance.
###################################
These two options control the send and receive buffers used by TCP network connections. The default send buffer is 32 K and the default receive buffer is 64 K.
To speed up TCP transmission you can raise both values, but the disadvantage is that large values make the kernel occupy too much memory.
If our machine serves hundreds or thousands of connections at the same time, we recommend keeping the defaults for these two options; otherwise kernel memory runs short.
However, if we use a gigabit network, raising these two values will significantly improve efficiency.
The send and receive buffer sizes can be adjusted separately.
For example, if our system is mainly a web server, we can shrink the receive buffer in favour of the send buffer, which avoids occupying too much kernel memory.
net.inet.udp.maxdgram: 9216
#########################
The maximum size of the UDP send buffer. Most information on the Internet says 65536. I personally do not think it is necessary;
if you want to adjust it, try 24576.
##############################
net.inet.udp.recvspace: 42080
##################
The maximum UDP receive buffer size. Most information on the Internet says 65536. I personally do not think it is necessary;
if you want to adjust it, try 49152.
#######################
The four settings above usually do not cause problems. Network traffic is generally asymmetric, so adjust them according to the actual situation and observe the effect.
Setting the send or receive buffer above 65535 is pointless unless the operating systems on both the server and the client support the TCP window scaling extension (see RFC 1323).
FreeBSD supports RFC 1323 by default (the sysctl option net.inet.tcp.rfc1323).
####################################################
net.inet.tcp.log_in_vain: 0
##################
Log TCP connection attempts to ports with no listener; generally this should not be changed.
####################
net.inet.tcp.blackhole: 0
##################################
We recommend setting it to 2, so that all packets arriving at a closed port are dropped directly without a reply. If set to 1, only SYN packets are dropped.
#####################################
net.inet.tcp.delayed_ack: 1
###########################
When a computer initiates a TCP connection request, the system replies with an ACK packet.
This option sets whether the ACK is delayed so that it can be sent together with a data packet.
On fast networks with low load this slightly improves performance, but when the network connection is poor
and the peer does not receive the response, it keeps retransmitting its request, which congests the network further and reduces performance.
So set this value according to the situation. If your network speed is not a problem, you can halve the number of packets.
If the network is not particularly good, set it to 0 and answer requests first. That way what is wasted is the bandwidth of China Netcom and China Telecom rather than your processing time :)
############################
net.inet.tcp.inflight.enable: 1
net.inet.tcp.inflight.debug: 0
net.inet.tcp.inflight.rttthresh: 10
net.inet.tcp.inflight.min: 6144
net.inet.tcp.inflight.max: 1073725440
net.inet.tcp.inflight.stab: 20
###########################
TCP bandwidth-delay product limiting is similar to NetBSD's TCP/Vegas.
It can be enabled by setting the sysctl variable net.inet.tcp.inflight.enable to 1.
The system will try to calculate the bandwidth-delay product of each connection and limit the amount of data queued to the level that keeps optimal throughput.
This feature is especially valuable when your server is connected over a plain modem, Gigabit Ethernet or even faster links (anywhere bandwidth-delay products build up),
particularly when you are scaling the sliding window up or down or using a large send window.
If this option is enabled, you should also set net.inet.tcp.inflight.debug to 0 (disable debugging),
and for production environments setting net.inet.tcp.inflight.min to at least 6144 is very beneficial.
Note, however, that setting this value too large is effectively equivalent to disabling the bandwidth-delay product limit.
This limit reduces the amount of data congesting router and switch packet queues, as well as the amount stuck in the local host's interface queues.
With fewer packets waiting in queues, interactive connections, especially over a slow modem, can also operate with a low round-trip time.
Note, however, that this only affects data transmission (upload / server side); it has no effect on receiving (downloading) data.
Adjusting net.inet.tcp.inflight.stab is not recommended.
Its default value is 20, meaning two maximal packets are added to the bandwidth-delay product window calculation.
This extra window makes the algorithm more stable and improves its response to changing network conditions,
but it also raises ping times on slow connections (though still far lower than without the inflight algorithm).
In such cases you may want to reduce this parameter to 15, 10 or 5,
and it may then be necessary to reduce net.inet.tcp.inflight.min as well (for example to 3500) to get the desired effect.
Reducing these parameters should be a last resort.
############################
net.inet.tcp.syncookies: 1
#########################
SYN cookies are a technique that reduces the impact of SYN flood attacks by choosing cryptographically derived initial TCP sequence numbers and verifying the response packets.
The default value does not need to be modified.
########################
net.inet.tcp.msl: 30000
#######################
Many articles on the Internet recommend 7500 for this value.
You can also change it to a smaller value (such as 2000 or 2500) to speed up the release of abnormal connections (two seconds for the three-way handshake and four seconds for FIN_WAIT).
#########################
net.inet.tcp.always_keepalive: 1
###########################
This helps the system clear TCP connections that were not closed properly. It increases bandwidth usage slightly, but dead connections can be identified and cleared.
Dead TCP connections are a particular problem on systems accessed by dial-up users, because users often hang up the modem without properly closing their active connections.
#############################
net.inet.udp.checksum: 1
#########################
Protects against malformed UDP packet attacks. The default value does not need to be modified.
##############################
net.inet.udp.log_in_vain: 0
#######################
Log UDP packets sent to ports with no listener; generally this should not be modified.
#######################
net.inet.udp.blackhole: 0
####################
We recommend setting it to 1 so that all UDP packets sent to a closed port are dropped directly.
#######################
net.inet.raw.maxdgram: 8192
#########################
Maximum outgoing raw IP datagram size.
Many articles recommend setting this to 65536.
######################################
net.inet.raw.recvspace: 8192
######################
Maximum incoming raw IP datagram size.
Many articles recommend setting this to 65536.
#######################
net.link.ether.inet.max_age: 1200
####################
Adjusts the ARP cache expiry time. By filling the cache with forged ARP entries, a malicious user can cause resource exhaustion and degraded performance.
This does not seem to be changed often; I suggest leaving it alone or reducing it slightly, for example to 300 (the HP-UX default is 5 minutes).
#######################
net.inet6.ip6.redirect: 1
###############################
Set to 0 to block IPv6 redirects.
###########################
net.isr.direct: 0
################ http://www.bsdlover.cn #########
Lets all MPSAFE network ISRs process packets immediately, improving NIC performance. Set this to 1.
####################################
hw.ata.wc: 1
#####################
This option enables the IDE hard disk write cache. When enabled, the disk reports a write as complete and caches the data.
This speeds up disk access, but makes data loss likely if the system shuts down abnormally.
However, because disabling it costs so much speed, we recommend leaving it enabled as it was originally.
###################
security.bsd.see_other_uids: 1
security.bsd.see_other_gids: 1
#####################
Users should not be allowed to see other users' processes, so these should be changed to 0.
#######################
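The security-related recommendations scattered across this page (no source routing, drop SYN+FIN, no IP or ICMP redirects, random IP IDs, TCP and UDP blackhole, SYN cookies, and hiding other users' processes) can be checked in one pass. The following POSIX sh script is an added example, not code from the original article: it parses sysctl(8)-style "name: value" output, compares it with the values recommended above, and prints both the deviations and the sysctl.conf lines that would bring the host onto that baseline. The input is a constructed sample embedded in the script so it runs offline; on a real FreeBSD host you would pass the output of `sysctl -a` instead.

```shell
#!/bin/sh
# Added example (not from the original article): audit a FreeBSD sysctl dump
# against the hardening values this page recommends and print the fixes.

# Constructed sample of "sysctl -a" output for a host that has most of the
# recommended settings still at their permissive defaults.
SAMPLE_SYSCTL='net.inet.ip.sourceroute: 0
net.inet.ip.accept_sourceroute: 1
net.inet.tcp.drop_synfin: 0
net.inet.ip.redirect: 1
net.inet.icmp.drop_redirect: 0
net.inet.ip.random_id: 0
net.inet.tcp.blackhole: 0
net.inet.udp.blackhole: 0
net.inet.tcp.syncookies: 1
security.bsd.see_other_uids: 1
security.bsd.see_other_gids: 0'

# Baseline "name expected" pairs, taken from the recommendations in this article.
BASELINE='net.inet.ip.sourceroute 0
net.inet.ip.accept_sourceroute 0
net.inet.tcp.drop_synfin 1
net.inet.ip.redirect 0
net.inet.icmp.drop_redirect 1
net.inet.ip.random_id 1
net.inet.tcp.blackhole 2
net.inet.udp.blackhole 1
net.inet.tcp.syncookies 1
security.bsd.see_other_uids 0
security.bsd.see_other_gids 0'

# get_value NAME DUMP -> the value of NAME in DUMP, or "missing"
get_value() {
    printf '%s\n' "$2" | awk -v n="$1" -F': ' \
        '$1 == n { print $2; found = 1 } END { if (!found) print "missing" }'
}

# audit_sysctl DUMP -> one "name current=X expected=Y" line per deviation
# from the baseline; a setting absent from the dump is reported as missing.
audit_sysctl() {
    dump=$1
    printf '%s\n' "$BASELINE" | while read -r name expected; do
        [ -z "$name" ] && continue
        current=$(get_value "$name" "$dump")
        if [ "$current" != "$expected" ]; then
            printf '%s current=%s expected=%s\n' "$name" "$current" "$expected"
        fi
    done
}

# count_deviations DUMP -> number of settings that deviate from the baseline
count_deviations() {
    audit_sysctl "$1" | wc -l | tr -d ' '
}

# suggest_sysctl_conf DUMP -> sysctl.conf lines that would fix each deviation
suggest_sysctl_conf() {
    audit_sysctl "$1" | while read -r name rest; do
        expected=${rest##*expected=}
        printf '%s=%s\n' "$name" "$expected"
    done
}

# Stand-alone demonstration on the constructed sample.
echo "Deviations from the recommended baseline:"
audit_sysctl "$SAMPLE_SYSCTL"
echo "Suggested /etc/sysctl.conf additions:"
suggest_sysctl_conf "$SAMPLE_SYSCTL"
```

To audit a live host, call `audit_sysctl "$(sysctl -a)"` (the functions take the dump as a string so they can be fed from a saved file during incident review as easily as from the running kernel); treat a "missing" result as a kernel that does not expose that sysctl rather than as a misconfiguration.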

This article is from the chinaunix blog. To view the original text, click: http://blog.chinaunix.net/u/22176/showart_446937.html
