Sysctl.conf (Buster)


This is the commented sysctl.conf I use on my Debian Wheezy servers. Keep in mind that some of the values here depend on the size of the server, so your mileage will vary.

/etc/sysctl.conf

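# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#
# Whitespace around "=" is optional to sysctl; "key = value" is used
# consistently throughout this file. Only full-line comments are
# supported, so never append a comment to a value line.

#kernel.domainname = example.com

###################################################################
# Magic system request Key
# 0=disable, 1=enable all, >1 bitmask of sysrq functions
# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
# for what other values do
# Disabled here: when enabled, the key combination works from the physical
# console without a login, so it is an easy reboot/crash lever for anyone
# with keyboard access.
kernel.sysrq = 0

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

# Core dumps go to /tmp with a predictable name (%e = executable name,
# %p = pid) so we know where they are when we need them. Hunting down core
# files can be extremely annoying.
# A core image contains whatever the process held in memory (credentials,
# keys, session data). Keep fs.suid_dumpable at 0 (the kernel default) so
# set-uid programs never dump, and prefer a directory with tighter
# permissions than /tmp on hosts shared with untrusted users.
kernel.core_pattern = /tmp/core-%e.%p

# I don't generally need this per se, but some distributions appear
# to be defaulting to this. Setting this explicitly simplifies some
# scripts. 4194304 (2^22) is the largest value a 64-bit kernel accepts.
kernel.pid_max = 4194304

# Set our hugepage group, which is the new way to do it.
# Members of this gid may use SysV shared memory backed by hugepages.
vm.hugetlb_shm_group = 72
# You will want to add the group for this accordingly, e.g.
# addgroup --gid 72 hugepager
# and then add appropriate users (mysql most likely) to said group.

# Each hugepage is 2 megabytes on x86-64, so 8192 pages reserve
# 16 gigabytes (8192 x 2 MiB), not 4. That memory is taken out of the
# normal page pool and is unusable by anything that does not use
# hugepages, so size it to the host.
# MySQL will want enough for the InnoDB data buffer, the MyISAM Key buffer, and
# a couple of other buffers. Other programs will also want their own.
vm.nr_hugepages = 8192

# Servers will in general want low amounts of swapping, but setting
# this to 5 or 10 is sometimes okay.
# Note that on kernels from 3.5 onward, 0 effectively tells the kernel to
# avoid swapping until it is close to running out of memory, which is why
# 5 or 10 is the more forgiving choice.
vm.swappiness = 0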

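###################################################################
# Functions previously found in netbase
#

# Upper bound on the listen() accept queue of any socket; the application
# passes a backlog and the kernel caps it at this value.
# Default is 128, which is ridiculously low for a busy server.
# somaxconn cannot be set above 65535 on kernels of this era (the limit
# was raised in later kernels); 65535 is therefore the ceiling here.
net.core.somaxconn = 65535

# Maximum number of packets that can be queued on the input side, if the
# system is getting more packets than the kernel can process.
# Default is 1000.
net.core.netdev_max_backlog = 65535

# Turn on per-connection byte and packet accounting in conntrack.
# This key only exists once the nf_conntrack module is loaded; if it is
# not loaded when sysctl runs at boot, this line is reported as an error
# ("No such file or directory") and the setting is skipped. Load the module
# early (e.g. via /etc/modules) if you rely on it.
net.netfilter.nf_conntrack_acct = 1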

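# Spoof protection (reverse-path filter) is enabled on all interfaces.
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks. Not in ipv6.
# 1 is strict mode; multi-homed hosts with asymmetric routing should use
# 2 (loose mode) instead, or legitimate replies are silently dropped.
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

# TCP/IP SYN cookies are enabled.
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
# 1 appears to be the new default.
net.ipv4.tcp_syncookies = 1

# By default, we're probably not a router, but depending on your host you may
# need to enable ipv4 and/or ipv6 forwarding.
net.ipv4.ip_forward = 0

# Being a fairly active server with memory to spare, we can increase the backlog.
# This is the queue of half-open (SYN received, not yet ACKed) connections;
# once it fills, the syncookies setting above takes over.
net.ipv4.tcp_max_syn_backlog = 65536

# The following is simply to free up connections a bit more aggressively.
# How long an orphaned connection stays in FIN-WAIT-2 (we sent our FIN and
# are waiting for the peer's) before it is torn down. Default is 60 seconds.
net.ipv4.tcp_fin_timeout = 30

# Allows reuse of sockets in Time Wait state for new outgoing connections
# only; it does not affect inbound connections. Requires TCP timestamps
# (net.ipv4.tcp_timestamps = 1, the default) to be safe.
net.ipv4.tcp_tw_reuse = 1

# Sets the idle time before keepalive probes start getting sent.
# Default is 7200 seconds.
net.ipv4.tcp_keepalive_time = 900

# Probes and probe interval. Default is to send up to nine probes, waiting up to
# 75 seconds for an ACK response to each probe (675 seconds total).
# The shorter idle time above is more aggressive, but 15 probes x 60 seconds
# is 900 seconds, so a dead peer is actually dropped later than with the
# defaults once probing starts. Lower tcp_keepalive_probes if you want a
# faster cut-off.
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 15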

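# Ignore ICMP broadcasts (smurf amplification) and bogus ICMP error replies.
# These both default to 1.
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# IPv6 packet forwarding is disabled. Set these to 1 to route IPv6.
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# secure_redirects is a refinement of accept_redirects: when redirects are
# accepted at all, 1 (the default) only honours those from gateways listed
# in our default gateway list. With accept_redirects = 0 above it has no
# effect, so the value here is moot; it is set to zero anyway because my
# servers are all single-homed.
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Redirects and source routes are for routers closer to
# the middle of the Internet than most websites and their
# immediate upstream routers.
# Do not send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Do not accept IP source route packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Martian packets (impossible source or destination addresses) are NOT
# logged here. Set both to 1 to log them: on a server that should never
# see such traffic they are a cheap spoofing signal, at the cost of log
# noise on untidy networks.
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0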