Sysctl.conf (Wheezy)

This is the commented sysctl.conf I use on my Debian Wheezy servers. Keep in mind that some of the values here are based on the size of the server. For example, my main webserver has 24 gigs reserved for huge pages; this document shows four, and I have since increased it to eight on the machine in question. Your mileage will vary.

/etc/sysctl.conf

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables
# See sysctl.conf (5) for information.
#

# kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
# kernel.printk = 3 4 1 3

# Disables the magic SysRq key
kernel.sysrq = 0

# Core files go here, so we know where they are when we need them.
# You want this if you are doing a lot of crap. Hunting down core
# files can be extremely annoying.
kernel.core_pattern = /tmp/core-%e.%p

# Allow high shared memory values for hugepages.
# shmmax is in bytes, shmall is in pages (typically 4k for x86 procs).
# This sets these values to 16 gigs, but you may need to increase this.
# Note: this has been deprecated. Remaining here for posterity.
kernel.shmmax = 34359738368
kernel.shmall = 8388608

# Set our hugepage group, which is the new way to do it.
# You will want to add the group for this accordingly, e.g.
#   addgroup --gid 72 hugepager
# and then add appropriate users (mysql most likely) to said group.
vm.hugetlb_shm_group = 72

# Maximum number of open files permitted. Commented out as you probably
# will not want it, but the default value has caused me trouble before,
# so highlighting it here.
# fs.file-max = 524288

# Each hugepage is 2 megabytes. This reserves 4 gigs + change.
# MySQL will want enough for the InnoDB data buffer, the MyISAM key buffer, and
# a couple of other buffers. Other programs will also want their own.
vm.nr_hugepages = 2176

# Servers will in general want low amounts of swapping, but setting
# this to 5 or 10 is sometimes okay.
vm.swappiness = 0

#
# Net.Core tweaking.
#

# The socket version of netdev_max_backlog, apparently.
# Default is 128, and the connections go both ways!
# 128 is ridiculously low.
# somaxconn cannot be set above 65535 by default.
net.core.somaxconn = 65535

# Maximum number of packets that can be stored in the buffer if the
# system is getting more packets than the kernel can process.
# Default is 1000.
net.core.netdev_max_backlog = 65535

# By default we're probably not a router, but depending on your host you may
# need to enable ipv4 and/or ipv6 forwarding.
net.ipv4.ip_forward = 0

# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host.
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0

# Spoof protection (reverse-path filter): turn on Source Address
# Verification on all interfaces to prevent some spoofing attacks.
# Not available for ipv6.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Do not accept ICMP redirects (prevent MITM attacks)
# _or_
# accept ICMP redirects only for gateways listed in our default
# gateway list (secure_redirects, enabled by default).
# These are all set to zero because my servers are single-homed.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Redirects and source routes are for routers closer to
# the middle of the Internet than most websites and their
# immediate upstream routers.
# Do not send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Do not accept IP source route packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Log Martian Packets
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0

# See http://lwn.net/Articles/277146/
# Helps protect against SYN floods.
# On a reasonably active webserver you'll see these get turned on often.
# Note: this may impact IPv6 TCP sessions too.
# Now defaults to 1. Left in for posterity.
net.ipv4.tcp_syncookies = 1

# Being a fairly active server with memory to spare, we can increase the backlog.
net.ipv4.tcp_max_syn_backlog = 8192

# The following is simply to free up connections a bit more aggressively.
# Sets the time to expire a connection after we send a FIN. Default is 60 seconds.
net.ipv4.tcp_fin_timeout = 30

# Allows reuse of sockets in TIME_WAIT state.
net.ipv4.tcp_tw_reuse = 1

# Sets the time before keepalive probes start getting sent.
# Default is 7200 seconds.
net.ipv4.tcp_keepalive_time = 900

# Probes and probe interval. Default is to send up to nine probes, waiting up to
# 75 seconds for an ACK response to each probe. This is somewhat more aggressive.
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 15

# Ignore ICMP broadcasts and bogus ICMP error responses.
# These both default to 1.
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

#
# Netfilter tweaking.
#

# Note that these might not exist on a virgin install until you've run iptables.
# Leave them commented out until you have your firewall working.
# Turn on connection accounting.
# conntrack_max and conntrack_buckets may need to be raised in the event of an attack.
net.netfilter.nf_conntrack_acct = 1
net.netfilter.nf_conntrack_max = 131072
net.nf_conntrack_max = 131072

# This doesn't work from sysctl; it has to be set in modprobe - see the
# general security section.
# net.netfilter.nf_conntrack_buckets = 32768
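An added drift check for a file like the one above, not part of the original page: a POSIX shell function that parses sysctl.conf syntax and compares every declared key against a saved snapshot of the running values (the output of `sysctl -a`), so you notice when a key is absent on a host (the conntrack keys before the module is loaded, for instance) or has been changed at runtime. The function name, output format and the sample lines in the comments are my own.

```shell
#!/bin/sh
# sysctl_drift CONF LIVE
#   CONF: desired settings in sysctl.conf syntax (comments, key=value, key = value)
#   LIVE: snapshot of current values, e.g. `sysctl -a 2>/dev/null > live.txt`
# Prints one line per key that is missing or differs and returns the number
# of such keys (0 means the running kernel matches the file).
sysctl_drift() {
    conf="$1"
    live="$2"
    awk '
        BEGIN { n = 0 }
        # Lines without "=" carry no setting in either file (blank lines, banners).
        index($0, "=") == 0 { next }
        # sysctl.conf comment lines start with "#" or ";".
        /^[ \t]*[#;]/ { next }
        {
            i = index($0, "=")
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/[ \t]+/, "", k)                  # keys never contain whitespace
            sub(/^-/, "", k)                       # "-key" means ignore errors; same key
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            gsub(/[ \t]+/, " ", v)                 # sysctl -a prints tabs for multi-value keys
        }
        # First file (NR == FNR) is the live snapshot: remember every key.
        NR == FNR { cur[k] = v; next }
        # Second file is the config: report keys the kernel lacks or has changed.
        !(k in cur) { printf "MISSING %s (want %s)\n", k, v; n++; next }
        cur[k] != v { printf "DRIFT %s: want %s, have %s\n", k, v, cur[k]; n++ }
        END { exit (n > 255) ? 255 : n }
    ' "$live" "$conf"
}

# Run directly as a script: sysctl_drift.sh /etc/sysctl.conf live.txt
if [ $# -eq 2 ]; then
    sysctl_drift "$1" "$2"
fi
```

A non-zero exit code makes it easy to wire into a cron job or config-management check; keep the snapshot from `sysctl -a` rather than reading /proc/sys directly so multi-value keys such as kernel.printk compare correctly.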