What is sysctl?<\/p>\n
sysctl is an interface to view and dynamically change parameters in Linux and other *NIX operating systems. In Linux, most of the dynamic Kernel settings can be changed via sysctl. The parameters set by sysctl are also available under the virtual \/proc filesystem.<\/p>\n
How do I use sysctl?<\/p>\n
To read values you\u2019ve two options:<\/p>\n
reading parametersShell<\/p>\n
# Option 1: Using the sysctl command to read current parameters:
\nsysctl net.ipv4.ip_forward # display specific parameter
\nsysctl net.ipv4 # display all net.ipv4.* parameters
\nsysctl -a # display all parameters<\/p>\n
# Option 2: Using the \/proc filesystem:
\ncat \/proc\/sys\/net\/ipv4\/ip_forward<\/p>\n
# Option 1: Using the sysctl command to read current parameters:
\nsysctl net.ipv4.ip_forward # display specific parameter
\nsysctl net.ipv4 # display all net.ipv4.* parameters
\nsysctl -a # display all parameters<\/p>\n
# Option 2: Using the \/proc filesystem:
\ncat \/proc\/sys\/net\/ipv4\/ip_forward
\nTo write values you can use both options again:<\/p>\n
changing parametersShell<\/p>\n
# Option 1: Using the sysctl command to change a parameter:
\nsysctl net.ipv4.ip_forward=1<\/p>\n
# Option 2: Using the \/proc filesystem to change a parameter:
\necho 1 >\/proc\/sys\/net\/ipv4\/ip_forward
\n1
\n2
\n3
\n4
\n5
\n# Option 1: Using the sysctl command to change a parameter:
\nsysctl net.ipv4.ip_forward=1<\/p>\n
# Option 2: Using the \/proc filesystem to change a parameter:
\necho 1 >\/proc\/sys\/net\/ipv4\/ip_forward
\nHowever, these parameters are not persistent. You\u2019ve to configure them in \/etc\/sysctl.conf or \/etc\/sysctl.d\/* if you want them active after a reboot.<\/p>\n
sysctl configuration files<\/p>\n
\/etc\/sysctl.conf
\n\/etc\/sysctl.d\/
\n1
\n2
\n\/etc\/sysctl.conf
\n\/etc\/sysctl.d\/
\nPlease note that configuration changes will not be detected automatically. You\u2019ve to trigger the reload manually:<\/p>\n
reload sysctl configuration fileShell<\/p>\n
sysctl -p [filename]
\n1
\nsysctl -p [filename]
\nTuning Linux with sysctl<\/p>\n
Kernel<\/p>\n
To automatically reboot a system after a kernel panic, you can set the following parameter to the amount of seconds to wait before reboot:<\/p>\n
reboot system after kernel panicShell<\/p>\n
kernel.panic = 60<\/p>\n
kernel.panic = 60
\nLinux Kernels provide a magic SysRq key, which allows the user to perform low-level commands regardless of the systems state. To enable this magic key you\u2019ve to set:<\/p>\n
enable magic SysRq keyShell<\/p>\n
kernel.sysrq = 1<\/p>\n
kernel.sysrq = 1
\nTo make sure core dumps will always be written set the following parameter:<\/p>\n
write core dumpsShell<\/p>\n
fs.suid_dumpable = 2<\/p>\n
fs.suid_dumpable = 2
\nIt can be useful to have the PID appended on the filename of core dumps. This can be especially useful for debugging multi-threaded applications and it\u2019s easy to setup:<\/p>\n
add PID to core dumpsShell<\/p>\n
kernel.core_uses_pid = 1<\/p>\n
kernel.core_uses_pid = 1
\nTo increase the maximum number of used process IDs you can define the following parameter:<\/p>\n
increase maximum PIDShell<\/p>\n
kernel.pid_max = 65536<\/p>\n
kernel.pid_max = 65536
\nMemory<\/p>\n
To tune the memory (VM) behaviour in Linux, you can set some vm.* parameters.<\/p>\n
For example to tell the Kernel how aggressively memory pages should be written to disk (aka swapping), you\u2019ve to change the swappiness value. The higher the value, the more aggressive the swapping:<\/p>\n
swappinessShell<\/p>\n
vm.swappiness
\n1
\nvm.swappiness
\nWhen you look at filesystems then most of the time some kind of cache is involved. The amount of filesystem cache is based on the percentage of total available memory. To set the maximum amount of filesystem cache can be defined with:<\/p>\n
maximum filesystem cacheShell<\/p>\n
vm.dirty_ratio = 40<\/p>\n
vm.dirty_ratio = 40
\nWhen the defined percentage of memory is reached, then all I\/O writes are blocked until enough dirty pages have been flushed to disk by pdflush. This is quite suboptimal because on a healthy system you don\u2019t want to have blocked I\/O writes at all. Therefor there\u2019s another parameter, which defines the minimal percentage of dirty memory before the background pdflush process starts to flush out dirty memory pages:<\/p>\n
background filesystem cache flushesShell<\/p>\n
vm.dirty_background_ratio = 10<\/p>\n
vm.dirty_background_ratio = 10
\nAs already described before, pdflush is in charge of flushing dirty pages to disk. So you can optionally change the flush interval by setting the following parameter (in hundredths of seconds, e.g. 500 = 5s):<\/p>\n
pdflush intervalShell<\/p>\n
vm.dirty_writeback_centisecs = 500<\/p>\n
vm.dirty_writeback_centisecs = 500
\nOf course pdflush needs to know when data can be removed from cache. Sometimes it makes sense to increase the time how long \u201cuntouched\u201d data lives be in the cache before it\u2019s marked as expired. Just overwrite the following parameter (again in hundredths of seconds):<\/p>\n
pdflush intervalShell<\/p>\n
vm.dirty_expire_centiseconds = 3000<\/p>\n
vm.dirty_expire_centiseconds = 3000
\nIf you want to have more informations about the memory on your system, just have a look at:<\/p>\n
display memory informationsShell<\/p>\n
cat \/proc\/meminfo<\/p>\n
cat \/proc\/meminfo
\nFilesystem<\/p>\n
To increase the maximum amount of file descriptors you can use.<\/p>\n
increase maximum filedescriptorsShell<\/p>\n
fs.file-max = 65535<\/p>\n
fs.file-max = 65535
\nExec Shield<\/p>\n
Exec Shield is a protection against worms and other automated remote attacks on Linux systems. It was invented by Red Hat in 2002. To enable Exec Shield:<\/p>\n
enable Exec Shield protectionShell<\/p>\n
kernel.exec-shield = 1
\nkernel.randomize_va_space = 1<\/p>\n
kernel.exec-shield = 1
\nkernel.randomize_va_space = 1
\nNetwork Core<\/p>\n
Some applications are configured for performance and sometimes an application can handle huge buffers. To increase the maximum buffer size for all sockets \/ connections (this will affect all buffers, e.g. net.ipv4.tcp_rmem) you can use:<\/p>\n
increase max buffer sizeShell<\/p>\n
net.core.rmem_max = 8388608
\nnet.core.wmem_max = 8388608<\/p>\n
net.core.rmem_max = 8388608
\nnet.core.wmem_max = 8388608
\nWhen a system is under heavy load and an interface receives a lot of packets, then the Kernel might not process them fast enough. You can increase the number of packets hold in the queue (backlog) by changing:<\/p>\n
increase maximum backlog size for net devicesShell<\/p>\n
net.core.netdev_max_backlog = 5000<\/p>\n
net.core.netdev_max_backlog = 5000
\nIPv4<\/p>\n
First of all we recommend you tune ICMP a bit. You can do that by ignoring ICMP broadcasts, which will protect you from ICMP floods. We also ignore bogus responses to broadcast frames (violation against RFC1122), so that our log isn\u2019t full of Kernel warnings:<\/p>\n
hardening ICMPShell<\/p>\n
net.ipv4.icmp_echo_ignore_broadcasts = 1
\nnet.ipv4.icmp_ignore_bogus_error_responses = 1<\/p>\n
net.ipv4.icmp_echo_ignore_broadcasts = 1
\nnet.ipv4.icmp_ignore_bogus_error_responses = 1
\nSYN floods are a type of DDoS and can harm your system. To protect from it you should enable SYN cookies, resize the SYN backlog (queue size) and reduce SYN\/ACK retries:<\/p>\n
enable SYN cookiesShell<\/p>\n
# Turn on SYN cookies to protect from SYN flood attacks.
\nnet.ipv4.tcp_syncookies = 1
\nnet.ipv4.tcp_max_syn_backlog = 2048
\nnet.ipv4.tcp_synack_retries = 3<\/p>\n
# Turn on SYN cookies to protect from SYN flood attacks.
\nnet.ipv4.tcp_syncookies = 1
\nnet.ipv4.tcp_max_syn_backlog = 2048
\nnet.ipv4.tcp_synack_retries = 3
\nTo log packets with impossible addresses simply enable:<\/p>\n
log impossible IPv4 addressesShell<\/p>\n
net.ipv4.conf.all.log_martians = 1
\nnet.ipv4.conf.default.log_martians = 1<\/p>\n
net.ipv4.conf.all.log_martians = 1
\nnet.ipv4.conf.default.log_martians = 1
\nTo disable IP source routing (SRR), so that nobody can tell us which path a packet should take:<\/p>\n
deny packets with SRR optionShell<\/p>\n
net.ipv4.conf.all.accept_source_route = 0
\nnet.ipv4.conf.default.accept_source_route = 0<\/p>\n
net.ipv4.conf.all.accept_source_route = 0
\nnet.ipv4.conf.default.accept_source_route = 0
\nBy default, routers router everything and even packages which don\u2019t belong to their network(s). To avoid that we\u2019ve to make sure strict reverse path filtering is enabled as defined in RFC3704:<\/p>\n
enable strict reverse path filteringShell<\/p>\n
net.ipv4.conf.all.rp_filter = 1
\nnet.ipv4.conf.default.rp_filter = 1<\/p>\n
net.ipv4.conf.all.rp_filter = 1
\nnet.ipv4.conf.default.rp_filter = 1
\nSome applications support higher read and write buffers for sockets. The buffer size parameters are defined by 3 values (min, default, max). To increase the maximum buffer set:<\/p>\n
increase max TCP buffer sizeShell<\/p>\n
net.ipv4.tcp_rmem = 4096 87380 8388608
\nnet.ipv4.tcp_wmem = 4096 87380 8388608<\/p>\n
net.ipv4.tcp_rmem = 4096 87380 8388608
\nnet.ipv4.tcp_wmem = 4096 87380 8388608
\nTo get better throughput in a network, it might make sense to enable TCP window scaling as defined in RFC1323:<\/p>\n
enable TCP window scalingShell<\/p>\n
net.ipv4.tcp_window_scaling = 1<\/p>\n
net.ipv4.tcp_window_scaling = 1
\nDisable (ICMP) redirects at all. Please note that the send_redirects parameters should be enabled on routers:<\/p>\n
disable redirectsShell<\/p>\n
net.ipv4.conf.all.accept_redirects = 0
\nnet.ipv4.conf.default.accept_redirects = 0
\nnet.ipv4.conf.all.secure_redirects = 0
\nnet.ipv4.conf.default.secure_redirects = 0
\nnet.ipv4.conf.all.send_redirects = 0 # Don’t disable this on routers!
\nnet.ipv4.conf.default.send_redirects = 0 # Don’t disable this on routers!<\/p>\n
net.ipv4.conf.all.accept_redirects = 0
\nnet.ipv4.conf.default.accept_redirects = 0
\nnet.ipv4.conf.all.secure_redirects = 0
\nnet.ipv4.conf.default.secure_redirects = 0
\nnet.ipv4.conf.all.send_redirects = 0 # Don’t disable this on routers!
\nnet.ipv4.conf.default.send_redirects = 0 # Don’t disable this on routers!
\nFinally disable IPv4 forwarding on non-routing systems:<\/p>\n
disable forwardingShell<\/p>\n
net.ipv4.ip_forward = 0<\/p>\n
net.ipv4.ip_forward = 0
\nIPv6<\/p>\n
Those who don\u2019t use IPv6 at all should disable it:<\/p>\n
disable IPv6Shell<\/p>\n
net.ipv6.conf.all.disable_ipv6 = 1<\/p>\n
net.ipv6.conf.all.disable_ipv6 = 1
\nIf you\u2019re already using IPv6 you might be interested in the following parameters.<\/p>\n
On non-routing systems you should disable router solicitations:<\/p>\n
disable router solicitationsShell<\/p>\n
net.ipv6.conf.default.router_solicitations = 0
\nnet.ipv6.conf.all.router_solicitations = 0<\/p>\n
net.ipv6.conf.default.router_solicitations = 0
\nnet.ipv6.conf.all.router_solicitations = 0
\nYou should also don\u2019t accept routing preferences from router advertisements:<\/p>\n
disable router preferences in RAShell<\/p>\n
net.ipv6.conf.default.accept_ra_rtr_pref = 0
\nnet.ipv6.conf.all.accept_ra_rtr_pref = 0<\/p>\n
net.ipv6.conf.default.accept_ra_rtr_pref = 0
\nnet.ipv6.conf.all.accept_ra_rtr_pref = 0
\nDon\u2019t try to learn prefix information in router advertisements:<\/p>\n
don’t learn prefix informations in RAShell<\/p>\n
net.ipv6.conf.default.accept_ra_pinfo = 0
\nnet.ipv6.conf.all.accept_ra_pinfo = 0<\/p>\n
net.ipv6.conf.default.accept_ra_pinfo = 0
\nnet.ipv6.conf.all.accept_ra_pinfo = 0
\nDon\u2019t accept hop limits from router advertisements:<\/p>\n
don’t accept hop limits from RAShell<\/p>\n
net.ipv6.conf.default.accept_ra_defrtr = 0
\nnet.ipv6.conf.all.accept_ra_defrtr = 0<\/p>\n
net.ipv6.conf.default.accept_ra_defrtr = 0
\nnet.ipv6.conf.all.accept_ra_defrtr = 0
\nDisable IPv6 auto configuration, so that no unicast addresses can automatically be configured on your interface from a router advertisement:<\/p>\n
disable auto configuration from RAShell<\/p>\n
net.ipv6.conf.default.autoconf = 0
\nnet.ipv6.conf.all.autoconf = 0<\/p>\n
net.ipv6.conf.default.autoconf = 0
\nnet.ipv6.conf.all.autoconf = 0
\nIf you don\u2019t want your system to be verbose about its neighbours, you should disable neighbour solicitations at all:<\/p>\n
disable auto configuration from RAShell<\/p>\n
net.ipv6.conf.default.dad_transmits = 0
\nnet.ipv6.conf.all.dad_transmits = 0<\/p>\n
net.ipv6.conf.default.dad_transmits = 0
\nnet.ipv6.conf.all.dad_transmits = 0
\nUnless you need more than one global unicast address, you should fix the number of assigned global unicast addresses per interface to 1:<\/p>\n
disable auto configuration from RAShell<\/p>\n
net.ipv6.conf.default.max_addresses = 1
\nnet.ipv6.conf.all.max_addresses = 1<\/p>\n
net.ipv6.conf.default.max_addresses = 1
\nnet.ipv6.conf.all.max_addresses = 1
\n.all & .default<\/p>\n
A lot of sysctl parameters have several values, because there\u2019s a .default, .all and sometimes even a . According to a comment on the linux-kernel mailing list, there\u2019s one major difference:<\/p>\n The default value will only be applied ONCE, at the point when an interface is created. For example there are parameters where all settings need to be 1 (aka AND), where only one of the settings need to be 1 (aka OR) or where the highest value will be used (aka MAX).<\/p>\n So it\u2019s important to know that existing interfaces might have a different value than the one you\u2019ve set as default or all.<\/p>\n","protected":false},"excerpt":{"rendered":" What is sysctl?<\/p>\n sysctl is an interface to view and dynamically change parameters in Linux and other *NIX operating systems. In Linux, most of the dynamic Kernel settings can be changed via sysctl. The parameters set by sysctl are also available under the virtual \/proc filesystem.<\/p>\n How do I use sysctl?<\/p>\n To read values you\u2019ve […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5904"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5904"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5904\/revisions"}],"predecessor-version":[{"id":5905,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5904\/revisions\/5905"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5904"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5904"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5904"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nThe all value will ALWAYS applied in addition.
\nThis means when an interface is created, the default value will be applied to it once. However, you can overwrite that with the interface-specific parameter. The global .all parameter will always be applied in addition and in the end it depends of the logical operator how the \u201cfinal value\u201d looks like.<\/p>\n