Sysctl.conf (Buster)
This is the commented sysctl.conf I use on my Debian Wheezy servers. Keep in mind that some of the values here are based on the size of the server. Your mileage will vary.
/etc/sysctl.conf
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com

###################################################################
# Magic system request Key
# 0=disable, 1=enable all, >1 bitmask of sysrq functions
# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
# for what other values do
kernel.sysrq=0

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

# So we know where they are when we need them
# You want this if you are doing a lot of crap. Hunting down core
# files can be extremely annoying.
kernel.core_pattern = /tmp/core-%e.%p

# I don't generally need this per se, but some distributions appear
# to be defaulting to this. Setting this explicitly simplifies some
# scripts.
kernel.pid_max = 4194304

# Set our hugepage group, which is the new way to do it.
vm.hugetlb_shm_group = 72
# You will want to add the group for this accordingly, e.g.
# addgroup --gid 72 hugepager
# and then add appropriate users (mysql most likely) to said group.

# Each hugepage is 2 megabytes. This reserves 4 gigs + change.
# MySQL will want enough for the InnoDB data buffer, the MyISAM Key buffer, and
# a couple of other buffers. Other programs will also want their own.
vm.nr_hugepages = 8192

# Servers will in general want low amounts of swapping, but setting
# this to 5 or 10 is sometimes okay.
vm.swappiness = 0

###################################################################
# Functions previously found in netbase
#

# The socket version of netdev_max_backlog, apparently.
# Default is 128, and the connections go both ways!
# 128 is ridiculously low.
# somaxconn cannot be set above 65535 by default.
net.core.somaxconn = 65535

# Maximum number of packets that can be stored in the buffer, if the
# system is getting more packets than the kernel can process.
# Default is 1000.
net.core.netdev_max_backlog = 65535

# Turn on connection accounting
net.netfilter.nf_conntrack_acct = 1

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks. Not in ipv6
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
# 1 appears to be the new default.
net.ipv4.tcp_syncookies=1

# By default, we're probably not a router, but depending on your host you may
# need to enable ipv4 and/or ipv6 forwarding.
net.ipv4.ip_forward=0

# Being a fairly active server with memory to spare, we can increase the backlog.
net.ipv4.tcp_max_syn_backlog = 65536

# The following is simply to free up connections a bit more aggressively.
# Sets the time to expire a connection after we send a FIN. Default is 60 seconds.
net.ipv4.tcp_fin_timeout = 30

# Allows reuse of sockets in Time Wait state.
net.ipv4.tcp_tw_reuse = 1

# Sets the time before keepalive probes start getting sent.
# Default is 7200 seconds.
net.ipv4.tcp_keepalive_time = 900

# Probes and probe interval. Default is to send up to nine probes, waiting up to
# 75 seconds for an ACK response to each probe. This is somewhat more aggressive.
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 15

# Ignore ICMP broadcasts
# These both default to 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.default.forwarding=0

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# The above are set to zero because my servers are all single-homed.
# Redirects and source routes are for routers closer to
# the middle of the Internet than most websites and their
# immediate upstream routers.

# Do not send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Do not accept IP source route packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Log Martian Packets
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
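A file like the one above only helps if the running kernel actually carries those values: a kernel upgrade, a module that was not loaded when sysctl ran at boot, or a stray `sysctl -w` can leave the hardening keys (rp_filter, accept_redirects, send_redirects, ...) at something else. The following Python check is an added example and not part of this wiki page's configuration: it parses sysctl.conf-format text and compares every key with what /proc/sys reports. The SAMPLE_CONF excerpt (values copied from the file above) and the "running" values in demo() are constructed so that it runs offline; the function names are my own, not from any tool.

```python
import os
import tempfile

# Constructed excerpt in sysctl.conf format. Keys and values are copied from the
# configuration above; the mixed "k=v" / "k = v" spacing is deliberate, to exercise
# the parser on both styles that file uses.
SAMPLE_CONF = """\
# comments and blank lines are ignored
kernel.sysrq=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.tcp_syncookies=1
kernel.printk = 3 4 1 3
net.netfilter.nf_conntrack_acct = 1
"""


def parse_sysctl_conf(text):
    """Return {key: value} for every assignment in sysctl.conf-style text.

    A later assignment of the same key wins, as sysctl(8) applies lines in order.
    Multi-token values such as "3 4 1 3" are whitespace-normalised so they can be
    compared with the tab-separated form /proc/sys prints.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = " ".join(value.split())
    return settings


def key_to_path(key, root="/proc/sys"):
    """Map a sysctl key to its file under root.

    sysctl(8) accepts both separators: when the key contains '/', the slash is
    the separator and '.' is literal (needed for names like eth0.1); otherwise
    '.' separates the path components.
    """
    parts = key.split("/") if "/" in key else key.split(".")
    return os.path.join(root, *parts)


def read_running(key, root="/proc/sys"):
    """Current kernel value, or None when the key does not exist on this host
    (for example net.netfilter.* before the nf_conntrack module is loaded)."""
    try:
        with open(key_to_path(key, root)) as fh:
            return " ".join(fh.read().split())
    except FileNotFoundError:
        return None


def check_drift(settings, root="/proc/sys"):
    """Return {key: (configured, running)} for every key that is absent or differs."""
    drift = {}
    for key, configured in settings.items():
        running = read_running(key, root)
        if running != configured:
            drift[key] = (configured, running)
    return drift


def write_fake_proc_sys(root, values):
    """Build a directory tree shaped like /proc/sys, for the offline demonstration."""
    for key, value in values.items():
        path = key_to_path(key, root)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(value + "\n")


def demo():
    """Offline run against constructed 'running' values, so the result is fixed."""
    with tempfile.TemporaryDirectory() as root:
        write_fake_proc_sys(root, {
            "kernel.sysrq": "0",
            "net.ipv4.conf.all.rp_filter": "2",        # drifted from the configured 1
            "net.ipv4.conf.all.accept_redirects": "0",
            "net.ipv4.tcp_syncookies": "1",
            "kernel.printk": "3\t4\t1\t3",              # /proc prints tabs, the conf uses spaces
            # net.netfilter.nf_conntrack_acct deliberately missing: module not loaded
        })
        return check_drift(parse_sysctl_conf(SAMPLE_CONF), root)


if __name__ == "__main__":
    # Real use on a host: check_drift(parse_sysctl_conf(open("/etc/sysctl.conf").read()))
    for key, (configured, running) in sorted(demo().items()):
        print(f"{key}: configured={configured!r} running={running!r}")
```

On a real host, pass the contents of /etc/sysctl.conf (and the files in /etc/sysctl.d/) to parse_sysctl_conf and call check_drift with the default root. A key reported as running=None is the case worth looking at first: net.netfilter.nf_conntrack_acct in particular only exists once the nf_conntrack module is loaded, so on a host where the module loads after sysctl runs at boot, that line is silently skipped and the check is the only thing that will tell you.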