GIT – Linux kernel sysctl

How do I set advanced security options of the TCP/IP stack and virtual memory to improve the security and performance of my system? How do I configure the Linux kernel to prevent certain kinds of attacks using /etc/sysctl.conf? How do I set Linux kernel parameters?

1. sysctl

sysctl is an interface that allows you to make changes to a running Linux kernel. With /etc/sysctl.conf you can configure various Linux networking and system settings, such as:

- Limit network-transmitted configuration for IPv4
- Limit network-transmitted configuration for IPv6
- Turn on ExecShield protection
- Protect against the common 'SYN flood attack'
- Turn on source IP address verification, which prevents a cracker from using a spoofing attack against the IP address of the server
- Log several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects

sysctl command

The sysctl command is used to modify kernel parameters at runtime. /etc/sysctl.conf is a text file containing sysctl values to be read in and set by sysctl at boot time. To view current values, enter:

# sysctl -a
# sysctl -A
# sysctl mib
# sysctl net.ipv4.conf.all.rp_filter

(Replace "mib" with the name of the variable you want to see, as in the last command.) To load settings, enter:

# sysctl -p

Sample /etc/sysctl.conf

Edit /etc/sysctl.conf and update it as follows. The file is documented with comments. However, I recommend reading the official Linux kernel sysctl tuning help file (see below):

# The following is suitable for dedicated web server, mail, ftp server etc.
# ---------------------------------------
# BOOLEAN Values:
# a) 0 (zero) - disabled / no / false
# b) Non zero - enabled / yes / true
# --------------------------------------

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies (enabled in the IPv4 section below)
#net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2

########## IPv4 networking start ##############
# Send redirects, if router, but this is just server
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Accept packets with SRR option? No
net.ipv4.conf.all.accept_source_route = 0

# Accept Redirects? No, this is not router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0

# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Prevent against the common 'syn flood attack'
net.ipv4.tcp_syncookies = 1

# Enable source validation by reversed path, as specified in RFC1812
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

########## IPv6 networking start ##############
# Number of Router Solicitations to send until assuming no routers are present.
# This is host and not router
net.ipv6.conf.default.router_solicitations = 0

# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0

# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0

# Learn the default router from Router Advertisements? No
net.ipv6.conf.default.accept_ra_defrtr = 0

# Router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0

# How many neighbor solicitations (duplicate address detection probes) to send out per address?
net.ipv6.conf.default.dad_transmits = 0

# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1
########## IPv6 networking ends ##############

# Enable ExecShield protection (kernel.exec-shield exists only on Red Hat / CentOS kernels
# that carry the ExecShield patch; other kernels report it as an unknown key)
kernel.exec-shield = 1
# 1 = randomize stack, mmap base and VDSO; 2 would also randomize the heap (brk)
kernel.randomize_va_space = 1

# TCP and memory optimization
# increase TCP max buffer size settable using setsockopt()
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608
# increase Linux auto tuning TCP buffer limits
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1

# increase system file descriptor limit
fs.file-max = 65535
# Allow for more PIDs
kernel.pid_max = 65536
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000

Read more at ip sysctl (the kernel's ip-sysctl documentation).

2. Linux Increase The Maximum Number Of Open Files / File Descriptors (FD) ( Linux kernel sysctl )

How do I increase the maximum number of open files under CentOS Linux? How do I open more file descriptors under Linux?

The ulimit command provides control over the resources available to the shell and/or to processes started by it, on systems that allow such control. The maximum number of open file descriptors is displayed with the following command (log in as the root user).

Command To List Number Of Open File Descriptors

Use the following command to display the maximum number of open file descriptors:

# cat /proc/sys/fs/file-max

Output:

75000

That is, 75000 files a normal user can have open in a single login session.
To see the hard and soft values, issue the commands as follows:

# ulimit -Hn
# ulimit -Sn

To see the hard and soft values for the httpd or oracle user, issue the command as follows:

# su - username

In this example, su to the oracle user, enter:

# su - oracle
$ ulimit -Hn
$ ulimit -Sn

System-wide File Descriptors (FD) Limits

The number of concurrently open file descriptors throughout the system can be changed via the /etc/sysctl.conf file under Linux operating systems.

The Number Of Maximum Files Was Reached, How Do I Fix This Problem?

Many applications such as the Oracle database or the Apache web server need this limit to be much higher. You can increase the maximum number of open files by setting a new value in the kernel variable /proc/sys/fs/file-max as follows (log in as root):

# sysctl -w fs.file-max=100000

The above command forces the limit to 100000 files. You need to edit the /etc/sysctl.conf file and put in the following line so that the setting survives a reboot:

# vi /etc/sysctl.conf

Append a config directive as follows:

fs.file-max = 100000

Save and close the file. Users need to log out and log back in again for the change to take effect, or just type the following command:

# sysctl -p

Verify your settings with the command:

# cat /proc/sys/fs/file-max

OR

# sysctl fs.file-max

User Level FD Limits

The above procedure sets system-wide file descriptor (FD) limits. However, you can limit the httpd user (or any other user) to specific limits by editing the /etc/security/limits.conf file, enter:

# vi /etc/security/limits.conf

Set httpd user soft and hard limits as follows:

httpd soft nofile 4096
httpd hard nofile 10240

Save and close the file. To see the limits, enter:

# su - httpd
$ ulimit -Hn
$ ulimit -Sn

3. Making changes to the /proc filesystem permanently ( Linux kernel sysctl )

Q. How do I make changes to the /proc filesystem permanently? For example, I want to set fs.file-max to 65536, so I can use the command echo "65536" > /proc/sys/fs/file-max. But after rebooting my Linux server this value will be reset to the default.
How do I make it permanent?

A. You are right: a value written directly to /proc/sys is lost at reboot. The same parameters are managed by sysctl, which is used to modify kernel parameters at runtime. The parameters available are those listed under /proc/sys/. You need to use the /etc/sysctl.conf file, which is a simple file containing sysctl values to be read in and set by sysctl. This is a configuration file for setting system variables. So all you have to do is add a variable = value line to /etc/sysctl.conf, and the change becomes permanent.

Example

For example, the above command echo "65536" > /proc/sys/fs/file-max should be added as follows:

# vi /etc/sysctl.conf

Append the following line (the /proc/sys/ prefix is dropped and the remaining path components are joined with dots, so /proc/sys/fs/file-max becomes fs.file-max):

fs.file-max = 65536

Save the file. Here is my sample sysctl.conf file:

net.ipv4.ip_forward = 1
kernel.shmall = 2097152
kernel.shmmax = 2147483648
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000

To load the sysctl settings from the file specified, or from /etc/sysctl.conf, immediately, type the following command:

# sysctl -p

4. Find Out How Many File Descriptors Are Being Used ( Linux kernel sysctl )

While administering a box, you may want to find out what a process is doing and how many file descriptors (fd) it is using. You will be surprised to find that a process opens all sorts of files:

=> Actual log files
=> /dev files
=> UNIX sockets
=> Network sockets
=> Library files under /lib and /lib64
=> Executables and other programs, etc.

In this quick post, I will explain how to count how many file descriptors are currently in use on your Linux server system.
Step # 1: Find Out the PID

To find out the PID of the mysqld process, enter:

# ps aux | grep mysqld

OR

# pidof mysqld

Output:

28290

Step # 2: List Files Opened By PID # 28290

Use the lsof command or the /proc/$PID/ file system to display open fds (file descriptors), run:

# lsof -p 28290
# lsof -a -p 28290

OR

# cd /proc/28290/fd
# ls -l | less

To count open files, enter (subtract one for the "total" header line that ls -l prints):

# ls -l | wc -l

Tip: Count All Open File Handles

To count the number of open file handles of any sort, type the following command:

# lsof | wc -l

Sample output:

5436

List File Descriptors in Kernel Memory

Type the following command:

# sysctl fs.file-nr

Sample output:

fs.file-nr = 1020 0 70000

Where,
- 1020: the number of allocated file handles.
- 0: the number of unused-but-allocated file handles.
- 70000: the system-wide maximum number of file handles.

You can use the following to find out or set the system-wide maximum number of file handles:

# sysctl fs.file-max

Sample output:

fs.file-max = 70000

More about /proc/PID/ and the procfs File System

/proc (or procfs) is a pseudo-file system that is generated dynamically by the running kernel (nothing in it persists across a reboot). It is used to access kernel information. procfs is also used by Solaris, BSD, AIX and other UNIX-like operating systems. Now you know how many file descriptors are being used by a process. You will find more interesting stuff in the /proc/$PID/ directory:

/proc/PID/cmdline : process arguments
/proc/PID/cwd : process current working directory (symlink)
/proc/PID/exe : path to actual process executable file (symlink)
/proc/PID/environ : environment used by process
/proc/PID/root : the root path as seen by the process. For most processes this will be a link to / unless the process is running in a chroot jail.
/proc/PID/status : basic information about a process including its run state and memory usage.
/proc/PID/task : one subdirectory per thread (task) belonging to this process.
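Sections 2 and 4 above look at file descriptor limits and at a process's open descriptors separately. The shell script below, an added example rather than code from the articles, puts them together for one PID: it counts the entries in /proc/PID/fd, classifies what each descriptor points to (the same kinds of targets listed in section 4) and reads the process's own soft and hard "Max open files" limit from /proc/PID/limits, which is the limit that actually applies to a running daemon, as opposed to the ulimit of whatever shell you run the check from. The category names, the helper function names, the sample fd targets and the sample limits table are all my own constructions.

```shell
#!/bin/sh
# fd_audit.sh: how many descriptors a process holds, what they point to, and
# how close it is to its own "Max open files" limit (/proc/PID/limits).
# Added example, not code from the articles; category names are my own.

# Map one readlink(1) target of /proc/PID/fd/N to a coarse category.
classify_fd_target() {
    case $1 in
        *' (deleted)')  echo deleted ;;      # unlinked but still open (rotated logs, temp files)
        socket:*)       echo socket ;;       # TCP/UDP/UNIX sockets
        pipe:*)         echo pipe ;;
        anon_inode:*)   echo anon_inode ;;   # epoll, eventfd, timerfd, ...
        /dev/*)         echo device ;;
        /lib/*|/lib64/*|/usr/lib/*|/usr/lib64/*) echo library ;;
        /var/log/*|*.log) echo logfile ;;
        /*)             echo file ;;
        *)              echo other ;;
    esac
}

# Read one target per line on stdin; print "category count" lines, largest
# count first (ties alphabetically), then "total N".
summarize_fd_targets() {
    while IFS= read -r target; do
        [ -n "$target" ] && classify_fd_target "$target"
    done | sort | uniq -c | awk '{ print $2, $1 }' |
        sort -k2,2nr -k1,1 | awk '{ n += $2; print } END { print "total", n + 0 }'
}

# Parse /proc/PID/limits text on stdin; print "SOFT HARD" of "Max open files".
# Exit status 1 if that line is absent.
parse_max_open_files() {
    awk '/^Max open files/ { print $4, $5; found = 1 } END { exit !found }'
}

# Integer percentage of the soft limit in use; "unlimited" counts as 0 %.
fd_usage_percent() {
    used=$1; soft=$2
    case $soft in
        unlimited|0) echo 0 ;;
        *)           echo $(( used * 100 / soft )) ;;
    esac
}

# Live helpers (Linux /proc only).
fd_targets() {                       # one readlink target per open fd of PID
    for link in /proc/"$1"/fd/*; do
        [ -L "$link" ] || continue
        readlink "$link"
    done
}

fd_report() {                        # fd_report PID   (PID may be "self")
    pid=${1:-self}
    targets=$(fd_targets "$pid")
    used=$(printf '%s\n' "$targets" | grep -c .)
    set -- $(parse_max_open_files < /proc/"$pid"/limits)
    echo "pid=$pid open_fds=$used soft=$1 hard=$2 usage=$(fd_usage_percent "$used" "$1")%"
    printf '%s\n' "$targets" | summarize_fd_targets
}

# Constructed sample data (not real output) so the parsing runs offline.
sample_fd_targets() {
    cat <<'EOF'
socket:[12345]
socket:[12346]
pipe:[9981]
/dev/null
/dev/pts/3
/var/log/mysqld.log
/usr/lib64/libc.so.6
/var/lib/mysql/ibdata1
/tmp/sess_abc (deleted)
anon_inode:[eventpoll]
EOF
}

sample_limits() {
    cat <<'EOF'
Limit                     Soft Limit           Hard Limit           Units
Max open files            4096                 10240                files
Max processes             7875                 7875                 processes
EOF
}

case ${1-} in
    --demo) sample_fd_targets | summarize_fd_targets     # offline demonstration
            sample_limits | parse_max_open_files ;;
    --pid)  fd_report "$2" ;;                            # e.g. ./fd_audit.sh --pid 28290
esac
```

Run it with --demo to see the classification of the constructed sample (two sockets, two devices, one deleted file, and so on, ten in total), or with --pid 28290 on a live system. The "deleted" category is the one worth watching: a process that keeps rotated log files or unlinked temporary files open holds both descriptors and disk space that nothing else can see.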
6. Basic Settings in /etc/sysctl.conf

Harden /etc/sysctl.conf

# Kernel sysctl configuration file for Red Hat Enterprise Linux

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

# Disables IP source routing
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Increase maximum amount of memory allocated to shm
# Only uncomment if needed!
# kernel.shmmax = 67108864

# Disable ICMP Redirect Acceptance
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.log_martians = 1

# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 25

# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1200

# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1

# Turn on the tcp_sack
net.ipv4.tcp_sack = 1

# tcp_fack should be on because of sack
net.ipv4.tcp_fack = 1

# Turn on the tcp_timestamps
net.ipv4.tcp_timestamps = 1

# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1

# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Make more local ports available
net.ipv4.ip_local_port_range = 1024 65000

# Set TCP Re-Ordering value in kernel to '5'
net.ipv4.tcp_reordering = 5

# Lower syn retry rates
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 3

# Set Max SYN Backlog to '2048'
net.ipv4.tcp_max_syn_backlog = 2048

# Various Settings
net.core.netdev_max_backlog = 1024

# Increase the maximum number of skb-heads to be cached
# (net.core.hot_list_length is not present in current kernels; sysctl -p reports it
# as an unknown key and continues with the next line)
net.core.hot_list_length = 256

# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 360000

# This will increase the amount of memory available for socket input/output queues
# (the net.core.* and tcp_rmem/tcp_wmem values are in bytes; tcp_mem is counted in pages)
net.core.rmem_default = 65535
net.core.rmem_max = 8388608
net.ipv4.tcp_rmem = 4096 87380 8388608
net.core.wmem_default = 65535
net.core.wmem_max = 8388608
net.ipv4.tcp_wmem = 4096 65535 8388608
net.ipv4.tcp_mem = 8388608 8388608 8388608
net.core.optmem_max = 40960

After you make the changes to the file, you can make them effective immediately by typing:

/sbin/sysctl -p

Also, you will need to issue

/sbin/sysctl -w net.ipv4.route.flush=1

to flush the routing table to make some of these changes happen instantly.
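The hardening files in sections 1, 3 and 6 are only as good as what actually ends up in /etc/sysctl.conf and in the running kernel. The shell script below is an added example, not code from any of the articles: it reads a sysctl.conf-style file the way sysctl -p does (lines starting with # or ; are comments, the first = separates key from value, and the last definition of a key wins), compares the file against a baseline of the values the articles recommend, and flags keys that the running kernel does not expose, which is the usual reason sysctl -p prints errors after a file like the one above is copied to a newer machine (kernel.exec-shield and net.core.hot_list_length are two such keys). The baseline list, the sample file, and the function names are my own; the sample file is constructed so that one key drifts and one is missing.

```shell
#!/bin/sh
# sysctl_audit.sh: check a sysctl.conf-style file against a hardening baseline
# and against the running kernel. Added example, not from the articles.

# Baseline "key value" pairs, taken from the settings recommended above.
BASELINE='
net.ipv4.ip_forward 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.tcp_syncookies 1
kernel.sysrq 0
'

# Normalize FILE to "key<TAB>value" lines using sysctl -p's rules: lines that
# start with "#" or ";" are comments, the first "=" splits key and value,
# surrounding blanks are trimmed and blank runs inside a value are collapsed.
normalize_sysctl_file() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        {
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/[ \t]+/, " ", val)
            print key "\t" val
        }' "$1"
}

# Effective value of KEY in FILE: the last definition wins, because sysctl -p
# applies the file top to bottom. Exit status 1 if KEY is not set at all.
sysctl_file_value() {
    normalize_sysctl_file "$1" |
        awk -F '\t' -v k="$2" '$1 == k { v = $2; found = 1 }
                               END { if (!found) exit 1; print v }'
}

# Sysctl key -> /proc/sys path. Caveat: a "." inside an interface name (vlan
# devices such as eth0.100) is ambiguous here; sysctl(8) accepts "/" for those.
sysctl_key_to_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# True if the running kernel exposes KEY at all.
sysctl_key_exists() {
    [ -e "$(sysctl_key_to_path "$1")" ]
}

# Compare FILE with BASELINE: prints OK / MISMATCH / MISSING per key and
# returns the number of keys that are not OK (0 = file matches the baseline).
audit_sysctl_file() {
    file=$1; bad=0
    while read -r key want; do
        [ -n "$key" ] || continue
        if got=$(sysctl_file_value "$file" "$key"); then
            if [ "$got" = "$want" ]; then
                echo "OK       $key = $got"
            else
                echo "MISMATCH $key = $got (expected $want)"; bad=$((bad + 1))
            fi
        else
            echo "MISSING  $key (expected $want)"; bad=$((bad + 1))
        fi
    done <<EOF
$BASELINE
EOF
    return "$bad"
}

# For every key in FILE, compare with the running kernel (sysctl -n) and flag
# keys this kernel lacks, which "sysctl -p" would report as errors.
diff_file_vs_running() {
    normalize_sysctl_file "$1" | while IFS="$(printf '\t')" read -r key val; do
        if sysctl_key_exists "$key"; then
            live=$(sysctl -n "$key" 2>/dev/null | tr -s '[:space:]' ' ' | sed 's/ $//')
            if [ "$live" = "$val" ]; then echo "same    $key = $val"
            else echo "differs $key: running=$live file=$val"; fi
        else
            echo "unknown $key: no /proc/sys entry on this kernel"
        fi
    done
}

# Constructed sample: ip_forward is redefined to 1 near the end (last
# definition wins) and tcp_syncookies is left out entirely.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# constructed sample sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.sysrq = 0
net.ipv4.tcp_rmem = 4096   87380   8388608
; tcp_syncookies deliberately left out
net.ipv4.ip_forward = 1
EOF
    echo "$f"
}

case ${1-} in
    --demo)  f=$(make_sample_conf); audit_sysctl_file "$f"; rm -f "$f" ;;
    --audit) audit_sysctl_file "$2"; diff_file_vs_running "$2" ;;   # e.g. --audit /etc/sysctl.conf
esac
```

Run it with --demo to see the two findings on the constructed file (ip_forward ends up as 1 although an earlier line set it to 0, and tcp_syncookies is missing), or with --audit /etc/sysctl.conf on a real host, where the second pass also shows which settings the running kernel differs from and which keys it does not know.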