sysctl settings for high load and DDoS prevention

Introduction

There are quite a few examples of Linux kernel configurations on the Internet for supporting a large number of connections, heavily loaded web projects, and countering DDoS attacks. Here is another example that I have already been able to try in practice. I will say right away: it more than helped me. Try it yourself too.

/etc/sysctl.conf options

Here is the list of options to add to /etc/sysctl.conf:

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.tcp_max_orphans = 65536
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_mem = 50576   64768   98152
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.ipv4.tcp_orphan_retries = 0
net.ipv4.tcp_syncookies = 0
net.ipv4.netfilter.ip_conntrack_max = 16777216
net.netfilter.nf_conntrack_max = 16777216
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_congestion_control = htcp
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.route.flush = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 1000
net.core.rmem_default = 65536
net.core.wmem_default = 65536
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
fs.inotify.max_user_watches = 16777216
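Before relying on the list above, it is worth confirming that the kernel actually holds every value. sysctl -p reports keys it cannot set (the eth0 lines fail on a host whose interface has a different name, and net.ipv4.netfilter.ip_conntrack_max is a legacy name that recent kernels no longer expose), but it says nothing about values that drift later. The script below is an added example, not part of the original post: it reads a sysctl.conf-style file and compares each key with what the running kernel reports under /proc/sys. The SYSCTL_ROOT variable is my addition so the check can also be run against a copy of that tree.

```shell
#!/bin/sh
# Added example (not from the original post): report which keys in a
# sysctl.conf-style file differ from what the running kernel reports.
# SYSCTL_ROOT defaults to /proc/sys; it can be pointed at a fake tree for testing.
: "${SYSCTL_ROOT:=/proc/sys}"

# Squeeze runs of whitespace to one space and trim, so that
# "50576   64768   98152" compares equal to the kernel's tab-separated output.
normalize() {
    printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# Map a dotted key to its /proc/sys path and print the live value,
# or "<missing>" when the kernel does not expose that key.
current_value() {
    path="$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then
        normalize "$(cat "$path")"
    else
        printf '<missing>'
    fi
}

# Print one line per drifting key: "KEY wanted=[...] current=[...]".
# Exit status 0 when every key matches, 1 when at least one differs or is missing.
sysctl_drift() {
    drift=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(normalize "$line")
        case "$line" in
            ''|'#'*|';'*) continue ;;   # blank lines and comments
            *=*) ;;                      # key = value
            *) continue ;;               # anything else is not a setting
        esac
        key=$(normalize "${line%%=*}")
        want=$(normalize "${line#*=}")
        have=$(current_value "$key")
        if [ "$have" != "$want" ]; then
            printf '%s wanted=[%s] current=[%s]\n' "$key" "$want" "$have"
            drift=1
        fi
    done < "$1"
    return "$drift"
}

# Stand-alone use: sh check-sysctl.sh /etc/sysctl.conf
# (reading /proc/sys needs no privileges, so this can run as an unprivileged user)
if [ -n "${1:-}" ]; then
    sysctl_drift "$1"
fi
```

A key reported as <missing> is one the kernel does not expose at all, which is how a hardcoded interface name or a legacy netfilter key shows up; the other lines are values that were rejected at boot or changed afterwards.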

Now let's look at each option in more detail.

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Do not accept or send ICMP redirect packets. ICMP redirects can be used by an attacker to modify routing tables. It is advisable to set these to 0. A value of 1 only makes sense for hosts used as routers.

net.ipv4.tcp_max_orphans = 65536

The integer value of the tcp_max_orphans parameter determines the maximum number of valid TCP sockets in the system that are not attached to any user file handle. When the threshold is reached, orphaned connections are immediately reset with a warning. This threshold helps prevent only simple DoS attacks. You should not reduce the threshold value; rather, increase it in accordance with the requirements of the system, for example, after adding memory. Each orphaned connection absorbs about 64 Kbytes of unswappable memory.

net.ipv4.tcp_fin_timeout

net.ipv4.tcp_fin_timeout = 10

The tcp_fin_timeout parameter determines how long a socket remains in the FIN-WAIT-2 state after it has been closed by the local side. The peer may never close this connection, so you should close it on your own initiative after a timeout. By default, the timeout is 60 seconds. In the 2.2 series kernels a value of 180 seconds was usually used, and you can keep this value, but do not forget that on loaded web servers you run the risk of consuming a lot of memory to keep half-closed dead connections. Sockets in the FIN-WAIT-2 state are less dangerous than FIN-WAIT-1 because they absorb no more than 1.5 Kbytes of memory, but they can last longer.

tcp keepalive time

net.ipv4.tcp_keepalive_time = 1800
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 5

The tcp_keepalive_time variable determines how often a connection is checked if it has not been used for a long time. The value only matters for sockets that were created with the SO_KEEPALIVE flag. The integer variable tcp_keepalive_intvl defines the interval between probes. The product tcp_keepalive_probes * tcp_keepalive_intvl determines the time after which the connection is dropped if there are no responses. By default the interval is 75 seconds, so the time to disconnect in the absence of responses is approximately 11 minutes.

net.ipv4.tcp_max_syn_backlog = 4096

The integer value in the tcp_max_syn_backlog file defines the maximum number of remembered connection requests for which the connecting client has not yet completed the handshake. If the server is overloaded, you can try increasing this value.

net.ipv4.tcp_synack_retries = 1

The integer value (1 byte) tcp_synack_retries determines the number of retransmission attempts for SYN-ACK packets on passive TCP connections. The number of attempts should not exceed 255. A value of 5 corresponds to approximately 180 seconds spent trying to establish a connection.

net.ipv4.tcp_mem

net.ipv4.tcp_mem = 50576   64768   98152

The vector (minimum, load mode, maximum) variable in the tcp_mem file contains the overall memory consumption settings for the TCP protocol. This variable is measured in pages (usually 4 KB), not bytes.

Minimum: while the total memory used by TCP protocol structures is below this number of pages, the operating system does nothing.

Load mode (memory pressure): as soon as the number of memory pages allocated for the TCP protocol reaches this value, load mode is activated, in which the operating system tries to limit memory allocation. This mode stays in effect until memory consumption drops back to the minimum level.

Maximum: the maximum number of memory pages allowed for all TCP sockets.
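To see where a host actually sits relative to these three thresholds, compare the triple with the number of pages TCP currently holds, which the kernel reports as the "mem" field of the TCP line in /proc/net/sockstat (also in pages). The script below is an added example and not from the original post: PAGE_SIZE is taken from getconf, and the file paths are parameters only so the logic can be exercised on constructed input; with no arguments it reads the live files.

```shell
#!/bin/sh
# Added example (not from the post): express tcp_mem in MiB and classify the
# current TCP page count against the three thresholds.

# Page size of this host; tcp_mem is counted in pages, not bytes.
PAGE_SIZE=$(getconf PAGESIZE 2>/dev/null || echo 4096)

# pages -> whole MiB
pages_to_mib() {
    echo $(( $1 * PAGE_SIZE / 1048576 ))
}

# Classify "current" (pages) against the tcp_mem triple. Between min and
# pressure the kernel may or may not still be in pressure mode, depending on
# whether usage got there from above or from below, so that band is named as such.
tcp_mem_band() {   # args: min pressure max current
    if   [ "$4" -ge "$3" ]; then echo "over-max"
    elif [ "$4" -ge "$2" ]; then echo "pressure"
    elif [ "$4" -ge "$1" ]; then echo "min-to-pressure"
    else echo "below-min"
    fi
}

# Extract the TCP page count from sockstat text on stdin, e.g.
# "TCP: inuse 5 orphan 0 tw 2 alloc 9 mem 3" -> 3
sockstat_tcp_pages() {
    sed -n 's/^TCP:.* mem \([0-9][0-9]*\).*/\1/p'
}

# Print the thresholds and the current band.
# args: [tcp_mem file] [sockstat file]; defaults are the live kernel files.
tcp_mem_report() {
    set -- $(cat "${1:-/proc/sys/net/ipv4/tcp_mem}") \
           "$(sockstat_tcp_pages < "${2:-/proc/net/sockstat}")"
    printf 'tcp_mem: min=%s pages (%s MiB) pressure=%s pages (%s MiB) max=%s pages (%s MiB)\n' \
        "$1" "$(pages_to_mib "$1")" "$2" "$(pages_to_mib "$2")" "$3" "$(pages_to_mib "$3")"
    printf 'current: %s pages (%s MiB) -> %s\n' \
        "$4" "$(pages_to_mib "$4")" "$(tcp_mem_band "$@")"
}
```

With the post's triple and 4 KB pages, the thresholds come out at roughly 197, 253 and 383 MiB; a host that regularly reports "pressure" or "over-max" needs a larger triple (or fewer connections), whereas one that never leaves "below-min" gains nothing from raising it.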

net.ipv4.tcp_rmem

net.ipv4.tcp_rmem = 4096 87380 16777216

The vector (minimum, default, maximum) variable in the tcp_rmem file contains 3 integers that determine the size of the TCP socket receive buffer.

Minimum: each TCP socket is entitled to use this much memory upon its creation. The ability to use such a buffer is guaranteed even when the limit threshold (moderate memory pressure) is reached. The default minimum buffer size is 8 KB (8192).

Default value: the amount of memory allowed for the default TCP socket receive buffer. This value is used instead of the /proc/sys/net/core/rmem_default parameter used by other protocols. The default buffer value is (usually) 87380 bytes. This gives a window of 65535 with the default value of tcp_adv_win_scale and tcp_app_win = 0, and somewhat less with the default value of tcp_app_win.

Maximum: the maximum receive buffer size that can be automatically allocated for a TCP socket. This value does not override the maximum specified in the /proc/sys/net/core/rmem_max file. With "static" memory allocation using SO_RCVBUF, this parameter does not matter.

net.ipv4.tcp_wmem

net.ipv4.tcp_wmem = 4096 65536 16777216

The vector variable in the tcp_wmem file contains 3 integer values that define the minimum, default, and maximum amount of memory reserved for TCP socket transfer buffers.

Minimum: each TCP socket is entitled to use this much memory upon its creation. The default minimum buffer size is 4 KB (4096).

Default value: the amount of memory allowed for the default TCP socket transfer buffer. This value is used instead of the /proc/sys/net/core/wmem_default parameter used by other protocols and is usually less than /proc/sys/net/core/wmem_default. The default buffer size is usually 16 Kbytes (16384).

Maximum: the maximum amount of memory that can be automatically allocated for the TCP socket transmission buffer. This value does not override the maximum specified in the /proc/sys/net/core/wmem_max file. With "static" memory allocation using SO_SNDBUF, this parameter does not matter.

net.ipv4.tcp_orphan_retries = 0

The integer value tcp_orphan_retries determines the number of failed attempts after which a TCP connection closed on the local side is destroyed. The default value is 7, which corresponds to a period of approximately 50 seconds to 16 minutes, depending on the RTO. On heavily loaded web servers it makes sense to reduce this value, since closed connections can consume a lot of resources.

net.ipv4.tcp_syncookies = 0

On the recommendation of the kernel developers, it is better to disable this option.

net.ipv4.netfilter.ip_conntrack_max = 16777216

The maximum number of connections the connection tracking mechanism (used, for example, by iptables) can hold. If the value is too small, the kernel begins to drop incoming connections and writes a corresponding entry to the system log.
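The log entry mentioned above is the kernel message "nf_conntrack: table full, dropping packet"; it is rate-limited, so the number of such lines is a lower bound on the packets actually dropped. The following is an added example, not code from the post: it counts those lines in a log fed on stdin and reports how full the conntrack table currently is from the nf_conntrack_count and nf_conntrack_max files. The sample log lines in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the post): detect conntrack table exhaustion.

# Count "table full" kernel lines in whatever log is on stdin
# (journalctl -k, dmesg, /var/log/kern.log). Always exits 0 so the
# count can be captured even when it is zero.
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet' || :
}

# Percentage of the conntrack table in use. The two paths are parameters so
# the function can be exercised on constructed files; the defaults are live.
conntrack_usage_pct() {
    count_file="${1:-/proc/sys/net/netfilter/nf_conntrack_count}"
    max_file="${2:-/proc/sys/net/netfilter/nf_conntrack_max}"
    count=$(cat "$count_file") && max=$(cat "$max_file") || return 1
    echo $(( count * 100 / max ))
}

# Usage on a live host:
#   journalctl -k --since today | count_table_full
#   conntrack_usage_pct
```

A usage figure that climbs toward 100% under load is the early warning; once the "table full" lines appear, new flows are already being dropped, and the fix is to raise nf_conntrack_max (and, on large tables, the hash size) or to stop tracking flows that do not need it.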

net.ipv4.tcp_timestamps = 1

Enables TCP timestamps. Their presence makes it possible to keep the protocol working correctly under heavy load (see tcp_congestion_control).

net.ipv4.tcp_sack = 1

Enables TCP selective acknowledgment (SACK). This option is necessary for the efficient use of all available bandwidth on some networks.

net.ipv4.tcp_congestion_control = htcp

The algorithm used for congestion control in TCP. The default bic and cubic implementations contain bugs in most versions of the RedHat kernel and its clones. Using htcp is recommended.

net.ipv4.tcp_no_metrics_save = 1

Do not save TCP connection metrics in the cache when the connection is closed. In some cases this helps to increase performance.

Defense against IP spoofing

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

Disable source routing

net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
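The two blocks above name eth0 explicitly, so on a host whose interfaces are called ens3 or enp0s3 those lines are rejected and the interface is covered only by the "all" and "default" entries. The function below is an added example and not from the original post: it generates the rp_filter and accept_source_route lines for the interfaces the host actually has (names read from /sys/class/net, or passed as arguments for testing). Because sysctl treats a dot as a separator, an interface name that contains one, such as the VLAN interface eth0.100, has to be written with a slash in its place (net.ipv4.conf.eth0/100.rp_filter), which the function does.

```shell
#!/bin/sh
# Added example (not from the post): emit per-interface anti-spoofing lines
# for every interface on this host instead of a hardcoded eth0.

# Interface names come from the arguments, or from /sys/class/net when none given.
spoof_guard_lines() {
    if [ $# -eq 0 ]; then
        set -- $(ls /sys/class/net)
    fi
    for ifname in all default "$@"; do
        # sysctl uses '.' as the key separator, so a '.' inside an interface
        # name (VLAN sub-interfaces like eth0.100) must be written as '/'.
        keyname=$(printf '%s' "$ifname" | tr . /)
        printf 'net.ipv4.conf.%s.rp_filter = 1\n' "$keyname"
        printf 'net.ipv4.conf.%s.accept_source_route = 0\n' "$keyname"
    done
}

# Usage on a live host (append to a drop-in and reload):
#   spoof_guard_lines > /etc/sysctl.d/90-antispoof.conf && sysctl -p /etc/sysctl.d/90-antispoof.conf
```

Note that rp_filter = 1 is strict reverse-path filtering; on multi-homed hosts with asymmetric routing the loose mode (2) may be required to avoid dropping legitimate traffic.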

net.ipv4.ip_local_port_range

net.ipv4.ip_local_port_range = 1024 65535

Increase the range of local ports available for outgoing connections.

net.ipv4.tcp_tw_reuse = 1

We allow the reuse of TIME-WAIT sockets in cases where the protocol considers this safe.

net.ipv4.tcp_window_scaling = 1

Allow dynamic resizing of the TCP window (window scaling).

net.ipv4.tcp_rfc1337 = 1

Defense against the TIME_WAIT assassination attack described in RFC 1337.

net.ipv4.ip_forward = 0

We prohibit packet forwarding, since we are not a router.

net.ipv4.icmp_echo_ignore_broadcasts = 1

We do not respond to ICMP ECHO requests transmitted by broadcast packets.

net.ipv4.icmp_echo_ignore_all = 1

Do not respond to ICMP ECHO requests at all (the server will not answer ping).

net.ipv4.icmp_ignore_bogus_error_responses = 1

We ignore malformed ICMP error messages.

net.core.somaxconn = 65535

The maximum number of queued connections waiting to be accepted on a listening socket. It makes sense to increase the default value.

net.core.netdev_max_backlog = 1000

The parameter determines the maximum number of packets in the processing queue if the interface receives packets faster than the kernel can process them.

Memory: default and maximum buffer sizes

net.core.rmem_default = 65536

The default data receive buffer size for all connections.

net.core.wmem_default = 65536

The default data transfer buffer size for all connections.

net.core.rmem_max = 16777216

The maximum size of the data receive buffer for all connections.

net.core.wmem_max = 16777216

The maximum size of the data transfer buffer for all connections.
