Sysctl.conf (Buster)
This is the commented sysctl.conf I use on my Debian Wheezy servers. Keep in mind that some of the values here are based on the size of the server. Your mileage will vary.
/etc/sysctl.conf
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com

###################################################################
# Magic system request Key
# 0=disable, 1=enable all, >1 bitmask of sysrq functions
# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
# for what other values do
kernel.sysrq=0

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

# So we know where they are when we need them.
# You want this if you are doing a lot of crap. Hunting down core
# files can be extremely annoying.
# A core file can contain passwords and key material, so on hosts that
# handle secrets pick a directory that is not world-accessible.
# fs.suid_dumpable (0 by default) controls whether processes that have
# changed credentials, such as set-uid binaries, dump at all.
kernel.core_pattern = /tmp/core-%e.%p

# I don't generally need this per se, but some distributions appear
# to be defaulting to this. Setting this explicitly simplifies some
# scripts.
kernel.pid_max = 4194304

# Set our hugepage group, which is the new way to do it.
vm.hugetlb_shm_group = 72
# You will want to add the group for this accordingly, e.g.
#   addgroup --gid 72 hugepager
# and then add appropriate users (mysql most likely) to said group.

# Each hugepage is 2 megabytes, so 8192 of them reserve 16 gigabytes
# that only hugepage-aware programs can use. Size this to the machine:
# MySQL will want enough for the InnoDB buffer pool, the MyISAM key
# buffer, and a couple of other buffers. Other programs will also want
# their own.
vm.nr_hugepages = 8192

# Servers will in general want low amounts of swapping, but setting
# this to 5 or 10 is sometimes okay. Note that on kernels 3.5 and later
# 0 means the kernel will not swap anonymous pages out until it is about
# to run out of memory; 1 is the gentlest setting that still allows
# some swapping.
vm.swappiness = 0

###################################################################
# Functions previously found in netbase
#

# The socket version of netdev_max_backlog, apparently: the maximum
# length of a listening socket's accept queue. Default is 128, and the
# connections go both ways! 128 is ridiculously low.
# On kernels before 5.4 the effective maximum is 65535.
net.core.somaxconn = 65535

# Maximum number of packets that can be stored in the buffer, if the
# system is getting more packets than the kernel can process.
# Default is 1000.
net.core.netdev_max_backlog = 65535

# Turn on connection accounting. This key only exists once the
# nf_conntrack module is loaded, so sysctl -p will complain about it on
# a host without netfilter rules; prefix the key with "-" to have
# sysctl ignore that error.
net.netfilter.nf_conntrack_acct = 1

# Spoof protection (reverse-path filter): turn on Source Address
# Verification on all interfaces to prevent some spoofing attacks.
# Not available for IPv6 this way. 1 is strict mode, which drops
# packets whose source address would be routed out through a different
# interface; on multi-homed hosts with asymmetric routing use 2 (loose)
# instead.
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

# TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: this applies to IPv6 TCP sessions too.
# 1 appears to be the new default.
net.ipv4.tcp_syncookies=1

# By default, we're probably not a router, but depending on your host you may
# need to enable ipv4 and/or ipv6 forwarding.
net.ipv4.ip_forward=0

# Being a fairly active server with memory to spare, we can increase the backlog.
net.ipv4.tcp_max_syn_backlog = 65536

# The following is simply to free up connections a bit more aggressively.
# Sets how long an orphaned connection stays in FIN_WAIT_2 after we send
# a FIN before the kernel gives up on it. Default is 60 seconds.
net.ipv4.tcp_fin_timeout = 30

# Allows reuse of sockets in TIME_WAIT state for new outgoing
# connections. It has no effect on incoming connections and, unlike the
# old tcp_tw_recycle, is safe behind NAT.
net.ipv4.tcp_tw_reuse = 1

# Sets the time before keepalive probes start getting sent.
# Default is 7200 seconds.
net.ipv4.tcp_keepalive_time = 900

# Probes and probe interval. Default is to send up to nine probes, waiting up to
# 75 seconds for an ACK response to each probe. The shorter interval is
# more aggressive, but with 15 probes a dead peer is only declared dead
# 15 minutes after the first probe, versus 11 minutes and change with
# the defaults.
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 15

# Ignore ICMP broadcasts
# These both default to 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Packet forwarding for IPv6 (set to 1 to enable it). Note that enabling
# it disables Stateless Address Autoconfiguration based on Router
# Advertisements for this host.
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.default.forwarding=0

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# The above are set to zero because my servers are all single-homed.
# Redirects and source routes are for routers closer to
# the middle of the Internet than most websites and their
# immediate upstream routers.

# Do not send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Do not accept IP source route packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Martian packets (packets whose source address cannot legitimately
# arrive on the receiving interface). 0 keeps them out of the kernel
# log; set to 1 to log them, which is what hardening guides generally
# recommend.
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
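After loading the file with sysctl -p /etc/sysctl.conf (or sysctl --system, which also reads /etc/sysctl.d/), it is worth checking that the running kernel actually carries every value: a typo, a key whose module is not loaded yet (net.netfilter.nf_conntrack_acct above), or something that changed a value after boot all go unnoticed otherwise. The audit script below is an added example and not part of this page's configuration; it assumes a POSIX shell, awk and the procps sysctl(8) binary, and the compare function takes an optional reader command in place of sysctl so it can be exercised without root or a real kernel.

```shell
#!/bin/sh
# audit_sysctl.sh: compare the settings in a sysctl.conf-style file with
# the values the running kernel reports. Added example for this page;
# not part of the original configuration.
#
# Usage: sh audit_sysctl.sh /etc/sysctl.conf
# Exit status 0 when every key matches, 1 when any key is missing or
# differs (each finding is printed on its own line).

# parse_sysctl FILE
# Prints "KEY VALUE" lines. Following sysctl.conf(5): lines starting with
# '#' or ';' are comments, blank lines are skipped, whitespace around '='
# is ignored, and a leading '-' (tells sysctl to ignore errors for that
# key) is stripped. Keys are kept as written, since sysctl(8) accepts both
# the 'net.core.somaxconn' and the 'net/core/somaxconn' spelling.
parse_sysctl() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        {
            i = index($0, "=")
            if (i == 0) next                     # not a key = value line
            key = substr($0, 1, i - 1)
            val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            sub(/^-/, "", key)
            print key, val
        }' "$1"
}

# normalise VALUE
# sysctl -n separates multi-value keys (kernel.printk) with tabs while the
# file uses spaces; collapse every run of blanks to a single space.
normalise() {
    printf '%s' "$1" | tr -s '[:blank:]' ' '
}

# read_kernel_value KEY
# Default reader: ask the kernel through procps sysctl(8). Fails (and
# prints nothing) for a key that does not exist, e.g. a netfilter key
# whose module is not loaded.
read_kernel_value() {
    sysctl -n "$1" 2>/dev/null
}

# audit_sysctl FILE [READER]
# READER is a command that prints the current value of the key given as
# its argument and fails when the key is unknown; it defaults to
# read_kernel_value. Prints MISSING/MISMATCH lines and returns 1 if any.
audit_sysctl() {
    file=$1
    reader=${2:-read_kernel_value}
    # The while loop runs in a subshell because it is fed by a pipe, so
    # the findings are collected as text and the exit status derived
    # from whether there were any.
    report=$(parse_sysctl "$file" | while read -r key expected; do
        if ! actual=$("$reader" "$key" </dev/null); then
            printf 'MISSING %s\n' "$key"
            continue
        fi
        expected=$(normalise "$expected")
        actual=$(normalise "$actual")
        if [ "$expected" != "$actual" ]; then
            printf 'MISMATCH %s expected=%s actual=%s\n' \
                "$key" "$expected" "$actual"
        fi
    done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Run as a script: audit the file named on the command line.
if [ $# -gt 0 ]; then
    audit_sysctl "$1"
fi
```

Run it as root after sysctl -p (or from a cron job, since the exit status is usable) and expect an empty report. A MISSING line for net.netfilter.nf_conntrack_acct on a box with no netfilter rules is the module-not-loaded case described in the comments above, not a typo; anything else that shows up deserves a look at what in /etc/sysctl.d/ or the running services is changing it.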