/aegir/conf/sysctl.conf
Config | 100 lines | 77 code | 23 blank | 0 comment | 0 complexity | 5424d342265938bd98875871403f5c17 MD5 | raw file
- # Avoid a smurf attack
- net.ipv4.icmp_echo_ignore_broadcasts = 1
- # Turn on protection for bad icmp error messages
- net.ipv4.icmp_ignore_bogus_error_responses = 1
- # Turn on syncookies for SYN flood attack protection
- # See also: http://cr.yp.to/syncookies.html
- net.ipv4.tcp_syncookies = 1
- # Don't log spoofed packets, source routed packets, redirect packets
- net.ipv4.conf.all.log_martians = 0
- net.ipv4.conf.default.log_martians = 0
- # Decrease the time default value for tcp_fin_timeout connection
- net.ipv4.tcp_fin_timeout = 15
- # Decrease the time default value for connections to keep alive
- net.ipv4.tcp_keepalive_time = 300
- net.ipv4.tcp_keepalive_probes = 5
- net.ipv4.tcp_keepalive_intvl = 15
- # Optimize this for SPDY performance
- net.ipv4.tcp_slow_start_after_idle = 0
- # No source routed packets here
- net.ipv4.conf.all.accept_source_route = 0
- net.ipv4.conf.default.accept_source_route = 0
- # Turn on reverse path filtering
- net.ipv4.conf.all.rp_filter = 1
- net.ipv4.conf.default.rp_filter = 1
- # Make sure no one can alter the routing tables
- net.ipv4.conf.all.accept_redirects = 0
- net.ipv4.conf.default.accept_redirects = 0
- net.ipv4.conf.all.secure_redirects = 0
- net.ipv4.conf.default.secure_redirects = 0
- net.ipv6.conf.all.accept_redirects = 0
- net.ipv6.conf.default.accept_redirects = 0
- # Don't act as a router
- net.ipv4.ip_forward = 0
- net.ipv4.conf.all.send_redirects = 0
- net.ipv4.conf.default.send_redirects = 0
- # Enable address space layout randomization (ASLR)
- kernel.randomize_va_space = 2
- # Tune IPv6
- net.ipv6.conf.default.router_solicitations = 0
- net.ipv6.conf.default.accept_ra_rtr_pref = 0
- net.ipv6.conf.default.accept_ra_pinfo = 0
- net.ipv6.conf.default.accept_ra_defrtr = 0
- net.ipv6.conf.default.autoconf = 0
- net.ipv6.conf.default.dad_transmits = 0
- net.ipv6.conf.default.max_addresses = 1
- # Optimization for port use for LBs
- # Increase system file descriptor limit
- fs.file-max = 2097152
- # Increase inotify defaults to improve lsyncd support
- fs.inotify.max_user_watches = 65536
- # Increase system IP port limits
- net.ipv4.ip_local_port_range = 2000 65000
- # Increase limits to avoid nf_conntrack: table full on high traffic events
- net.netfilter.nf_conntrack_max = 512000
- # Increase TCP max buffer size setable using setsockopt()
- net.ipv4.tcp_rmem = 4096 87380 8388608
- net.ipv4.tcp_wmem = 4096 87380 8388608
- # Improve Redis performance
- net.core.somaxconn = 512
- # Increase Linux auto tuning TCP buffer limits
- # min, default, and max number of bytes to use
- # set max to at least 4MB, or higher if you use very high BDP paths
- # Tcp Windows etc
- net.core.rmem_max = 8388608
- net.core.wmem_max = 8388608
- net.core.netdev_max_backlog = 65536
- net.ipv4.tcp_window_scaling = 1
- # Protect from CVE-2016-5696
- net.ipv4.tcp_challenge_ack_limit = 1073741823
- # Use swap only if there is high memory usage
- vm.swappiness = 1
- vm.vfs_cache_pressure=50
- # Specify the minimum virtual address that a process is allowed to mmap
- vm.mmap_min_addr = 4096
- # No overcommitment of available memory
- vm.overcommit_ratio = 0
- vm.overcommit_memory = 0