Linux kernel sysctl

Discussion in 'Góc Linux' started by hautp, Dec 19, 2012.

    hautp (Well-Known Member)

    Linux kernel sysctl: How do I set advanced security options of the TCP/IP stack and virtual memory to improve the security and performance of my system? How do I configure the Linux kernel to prevent certain kinds of attacks using /etc/sysctl.conf? How do I set Linux kernel parameters?
    1. sysctl is an interface that allows you to make changes to a running Linux kernel. With /etc/sysctl.conf you can configure various Linux networking and system settings, such as:
    1. Limit network-transmitted configuration for IPv4
    2. Limit network-transmitted configuration for IPv6
    3. Turn on ExecShield protection
    4. Protect against the common 'syn flood attack'
    5. Turn on source IP address verification
    6. Prevent a cracker from using a spoofing attack against the IP address of the server
    7. Log several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects
    sysctl command
    The sysctl command is used to modify kernel parameters at runtime. /etc/sysctl.conf is a text file containing sysctl values to be read in and set by sysctl at boot time. To view current values, enter:
    # sysctl -a
    # sysctl -A
    # sysctl mib
    # sysctl net.ipv4.conf.all.rp_filter
    To load settings, enter:
    # sysctl -p
    Sample /etc/sysctl.conf
    Edit /etc/sysctl.conf and update it as follows. The file is documented with comments. However, I recommend reading the official Linux kernel sysctl tuning help file (see below):
    # The following is suitable for dedicated web server, mail, ftp server etc.
    # ---------------------------------------
    # BOOLEAN Values:
    # a) 0 (zero) - disabled / no / false
    # b) Non zero - enabled / yes / true
    # --------------------------------------
    # Controls IP packet forwarding
    net.ipv4.ip_forward = 0
    # Controls source route verification
    net.ipv4.conf.default.rp_filter = 1
    # Do not accept source routing
    net.ipv4.conf.default.accept_source_route = 0
    # Controls the System Request debugging functionality of the kernel
    kernel.sysrq = 0
    # Controls whether core dumps will append the PID to the core filename
    # Useful for debugging multi-threaded applications
    kernel.core_uses_pid = 1
    # Controls the use of TCP syncookies
    #net.ipv4.tcp_syncookies = 1
    net.ipv4.tcp_synack_retries = 2
    ########## IPv4 networking start ##############
    # Send redirects, if router, but this is just server
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.send_redirects = 0
    # Accept packets with SRR option? No
    net.ipv4.conf.all.accept_source_route = 0
    # Accept Redirects? No, this is not router
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.secure_redirects = 0
    # Log packets with impossible addresses to kernel log? yes
    net.ipv4.conf.all.log_martians = 1
    net.ipv4.conf.default.accept_source_route = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.default.secure_redirects = 0
    # Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    # Prevent against the common 'syn flood attack'
    net.ipv4.tcp_syncookies = 1
    # Enable source validation by reversed path, as specified in RFC1812
    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1
    ########## IPv6 networking start ##############
    # Number of Router Solicitations to send until assuming no routers are present.
    # This is host and not router
    net.ipv6.conf.default.router_solicitations = 0
    # Accept Router Preference in RA?
    net.ipv6.conf.default.accept_ra_rtr_pref = 0
    # Learn Prefix Information in Router Advertisement
    net.ipv6.conf.default.accept_ra_pinfo = 0
    # Setting controls whether the system will accept Hop Limit settings from a router advertisement
    net.ipv6.conf.default.accept_ra_defrtr = 0
    #router advertisements can cause the system to assign a global unicast address to an interface
    net.ipv6.conf.default.autoconf = 0
    #how many neighbor solicitations to send out per address?
    net.ipv6.conf.default.dad_transmits = 0
    # How many global unicast IPv6 addresses can be assigned to each interface?
    net.ipv6.conf.default.max_addresses = 1
    ########## IPv6 networking ends ##############
    #Enable ExecShield protection
    kernel.exec-shield = 1
    kernel.randomize_va_space = 1
    # TCP and memory optimization
    # increase TCP max buffer size setable using setsockopt()
    #net.ipv4.tcp_rmem = 4096 87380 8388608
    #net.ipv4.tcp_wmem = 4096 87380 8388608
    # increase Linux auto tuning TCP buffer limits
    #net.core.rmem_max = 8388608
    #net.core.wmem_max = 8388608
    #net.core.netdev_max_backlog = 5000
    #net.ipv4.tcp_window_scaling = 1
    # increase system file descriptor limit
    fs.file-max = 65535
    #Allow for more PIDs
    kernel.pid_max = 65536
    #Increase system IP port limits
    net.ipv4.ip_local_port_range = 2000 65000
    Read more at ip sysctl
    2. Linux Increase The Maximum Number Of Open Files / File Descriptors (FD) ( Linux kernel sysctl )
    How do I increase the maximum number of open files under CentOS Linux? How do I open more file descriptors under Linux?
    The ulimit command provides control over the resources available to the shell and/or to processes started by it, on systems that allow such control. The maximum number of open file descriptors is displayed with the following command (log in as the root user).
    Command To List Number Of Open File Descriptors
    Use the following command to display the maximum number of open file descriptors:
    cat /proc/sys/fs/file-max
    A normal user can have 75000 files open in a single login session. To see the hard and soft values, issue the commands as follows:
    # ulimit -Hn
    # ulimit -Sn
    To see the hard and soft values for httpd or oracle user, issue the command as follows:
    # su - username
    In this example, su to oracle user, enter:
    # su - oracle
    $ ulimit -Hn
    $ ulimit -Sn
    System-wide File Descriptors (FD) Limits
    The number of concurrently open file descriptors throughout the system can be changed via /etc/sysctl.conf file under Linux operating systems.
    The Number Of Maximum Files Was Reached, How Do I Fix This Problem?
    Many applications, such as the Oracle database or the Apache web server, need a much higher limit. You can increase the maximum number of open files by setting a new value in the kernel variable /proc/sys/fs/file-max as follows (log in as root):
    # sysctl -w fs.file-max=100000
    The above command sets the limit to 100000 files. To keep the setting across reboots, edit /etc/sysctl.conf and add the following line:
    # vi /etc/sysctl.conf

    Append a config directive as follows:

    fs.file-max = 100000
    Save and close the file. Users need to log out and log back in for the change to take effect, or just type the following command:
    # sysctl -p
    Verify your settings with command:
    # cat /proc/sys/fs/file-max
    # sysctl fs.file-max
    User Level FD Limits
    The above procedure sets the system-wide file descriptor (FD) limit. However, you can give the httpd user (or any other user) its own limits by editing the /etc/security/limits.conf file; enter:
    # vi /etc/security/limits.conf
    Set httpd user soft and hard limits as follows:
    httpd soft nofile 4096
    httpd hard nofile 10240
    Save and close the file. To see limits, enter:
    # su - httpd
    $ ulimit -Hn
    $ ulimit -Sn
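    Checking the per-user limits just described without logging in as each user is easy to script. The following POSIX shell example is added here and is not part of the original post: it reads a limits.conf-style file, resolves the nofile value that applies to a user, and compares it with what a service needs. The sample file is constructed, and the precedence it implements (an entry naming the user beats a "*" entry, a later line beats an earlier one for the same domain, "@group" entries are ignored) is this example's own model of pam_limits, not a quotation of its documentation.

```shell
#!/bin/sh
# Added example, not part of the original post: resolve the nofile limit a
# user gets from a limits.conf-style file and compare it with what a service
# needs. The sample file below is constructed for this example. Assumed
# precedence (this example's model of pam_limits, not quoted from its docs):
# a line naming the user beats a "*" line, a later line beats an earlier one
# for the same domain, and "@group" lines are ignored here.

# limits_lookup FILE USER TYPE ITEM: print the value that applies, or nothing.
# TYPE is "soft" or "hard"; a "-" in the file's type column sets both.
limits_lookup() {
    file=$1 user=$2 type=$3 item=$4
    exact='' wild=''
    while read -r dom t it val _rest; do
        case "$dom" in ''|'#'*) continue ;; esac
        [ "$it" = "$item" ] || continue
        case "$t" in "$type"|-) ;; *) continue ;; esac
        if [ "$dom" = "$user" ]; then
            exact=$val
        elif [ "$dom" = '*' ]; then
            wild=$val
        fi
    done < "$file"
    printf '%s\n' "${exact:-$wild}"
}

# limits_check FILE USER NEEDED: one line per limit type: "ok", "LOW" or "UNSET".
limits_check() {
    for lt in soft hard; do
        have=$(limits_lookup "$1" "$2" "$lt" nofile)
        if [ -z "$have" ]; then
            printf 'UNSET %s nofile for %s\n' "$lt" "$2"
        elif [ "$have" != unlimited ] && [ "$have" -lt "$3" ]; then
            printf 'LOW %s nofile=%s for %s (need %s)\n' "$lt" "$have" "$2" "$3"
        else
            printf 'ok %s nofile=%s for %s\n' "$lt" "$have" "$2"
        fi
    done
}

# Constructed sample limits.conf (not a real system's file).
SAMPLE_LIMITS=$(mktemp)
cat > "$SAMPLE_LIMITS" <<'EOF'
# domain  type  item    value
*         soft  nofile  1024
*         hard  nofile  4096
httpd     soft  nofile  4096
httpd     hard  nofile  10240
oracle    -     nofile  65536
EOF

limits_check "$SAMPLE_LIMITS" httpd 8192
limits_check "$SAMPLE_LIMITS" www-data 8192
```

    Run it against the real file with limits_check /etc/security/limits.conf httpd 8192 to see whether the httpd soft limit would be too low for a server expected to hold 8192 descriptors. Remember that the per-user value is only one of the caps: the system-wide fs.file-max from the previous section still bounds the total, and a hard nofile above the kernel's fs.nr_open cannot be honoured.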
    3. Making changes to /proc filesystem permanently ( Linux kernel sysctl )
    Q. How do I make changes to the /proc filesystem permanently? For example, I want to set fs.file-max to 65536. I can use the command echo "65536" > /proc/sys/fs/file-max, but after rebooting my Linux server this value is reset to the default. How do I make it permanent?
    A. You are right. You are using sysctl. It is used to modify kernel parameters at runtime. The parameters available are those listed under /proc/sys/.
    You need to use the /etc/sysctl.conf file, which is a simple file containing sysctl values to be read in and set by sysctl. This is a configuration file for setting system variables.
    So all you have to do is add variable = value to /etc/sysctl.conf, and the change remains permanent.
    For example, the command echo "65536" > /proc/sys/fs/file-max above should be added as follows:
    # vi /etc/sysctl.conf
    Append the following line (the key is the sysctl variable name, not the /proc path):
    fs.file-max = 65536
    Save the file.
    Here is my sample sysctl.conf file:

    net.ipv4.ip_forward = 1
    kernel.shmall = 2097152
    kernel.shmmax = 2147483648
    kernel.shmmni = 4096
    kernel.sem = 250 32000 100 128
    fs.file-max = 65536
    net.ipv4.ip_local_port_range = 1024 65000
    To load the sysctl settings from /etc/sysctl.conf (or the file specified) immediately, type the following command:
    # sysctl -p
    4. Find Out How Many File Descriptors Are Being Used ( Linux kernel sysctl )
    While administering a box, you may want to find out what a process is doing and how many file descriptors (fd) it is using. You will be surprised to find that a process opens all sorts of files:
    => Actual log files
    => /dev files
    => UNIX sockets
    => Network sockets
    => Library files /lib /lib64
    => Executables and other programs etc
    In this quick post, I will explain how to count how many file descriptors are currently in use on your Linux server system.
    Step # 1 Find Out PID
    To find out PID for mysqld process, enter:
    # ps aux | grep mysqld
    # pidof mysqld
    Step # 2 List Files Opened By PID # 28290
    Use the lsof command or the /proc/$PID/ file system to display open fds (file descriptors); run:
    # lsof -p 28290
    # lsof -a -p 28290
    # cd /proc/28290/fd
    # ls -l | less
    To count open files, enter:
    # ls -l | wc -l
    Tip: Count All Open File Handles
    To count the number of open file handles of any sort, type the following command:
    # lsof | wc -l
    Sample outputs:
    List File Descriptors in Kernel Memory
    Type the following command:
    # sysctl fs.file-nr
    Sample outputs:
    fs.file-nr = 1020 0 70000
    1. 1020 The number of allocated file handles.
    2. 0 The number of unused-but-allocated file handles.
    3. 70000 The system-wide maximum number of file handles.
    You can use the following to find out or set the system-wide maximum number of file handles:
    # sysctl fs.file-max
    Sample outputs:
    fs.file-max = 70000
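    The three fs.file-nr numbers above are more useful as a usage ratio than as raw counts, and the per-process count from /proc/PID/fd is worth scripting too. The following POSIX shell example is added here and is not part of the original post: it parses a fs.file-nr line (either the sysctl form or the raw /proc/sys/fs/file-nr form), reports the percentage of the system-wide maximum in use against a threshold, and counts and classifies the descriptors one process holds. The sample lines and the 80% threshold are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original post: turn the three fs.file-nr
# numbers into a usage figure with a warning threshold, and count/classify
# the descriptors one process holds via /proc/PID/fd. The sample lines and
# the 80% threshold are this example's own choices.

# Each parser accepts either "fs.file-nr = 1020 0 70000" (sysctl output) or
# the raw "1020 0 70000" from /proc/sys/fs/file-nr: strip everything up to
# "=", then let "set --" split the rest into $1 (allocated), $2 (unused) and
# $3 (system-wide maximum).

# file_nr_used LINE: handles in use = allocated minus unused-but-allocated.
file_nr_used() {
    set -- $(printf '%s\n' "${1#*=}")
    echo $(($1 - $2))
}

# file_nr_pct LINE: in-use handles as a whole percentage of the system maximum.
file_nr_pct() {
    set -- $(printf '%s\n' "${1#*=}")
    [ "$3" -gt 0 ] || return 1
    echo $(( ($1 - $2) * 100 / $3 ))
}

# file_nr_check LINE THRESHOLD_PCT: "ok ..." or "WARN ..." for a monitoring job.
file_nr_check() {
    pct=$(file_nr_pct "$1") || return 1
    if [ "$pct" -ge "$2" ]; then
        printf 'WARN %s%% of file handles in use\n' "$pct"
    else
        printf 'ok %s%% of file handles in use\n' "$pct"
    fi
}

# count_open_fds PID: number of entries in /proc/PID/fd. Every entry is a
# symlink, so -L is the right test (socket and pipe targets are not real
# paths, so -e would miss them). Fails if the PID is not visible.
count_open_fds() {
    dir=/proc/$1/fd
    [ -d "$dir" ] || return 1
    n=0
    for entry in "$dir"/*; do
        [ -L "$entry" ] || continue
        n=$((n + 1))
    done
    echo "$n"
}

# fd_kinds PID: tally what the descriptors point at, from their readlink targets.
fd_kinds() {
    dir=/proc/$1/fd
    [ -d "$dir" ] || return 1
    for entry in "$dir"/*; do
        [ -L "$entry" ] || continue
        target=$(readlink "$entry") || continue
        case "$target" in
            socket:*)     echo socket ;;
            pipe:*)       echo pipe ;;
            anon_inode:*) echo anon_inode ;;
            /dev/*)       echo device ;;
            *)            echo file ;;
        esac
    done | sort | uniq -c
}

# Constructed sample values (the first is the shape `sysctl fs.file-nr` prints).
file_nr_check "fs.file-nr = 1020 0 70000" 80
file_nr_check "63000 0 70000" 80
# Live check against this shell's own descriptors, where /proc is available.
if [ -d "/proc/$$/fd" ]; then
    echo "this shell holds $(count_open_fds $$) descriptors"
    fd_kinds $$
fi
```

    Two details worth knowing when you compare this with the ls -l | wc -l count from the post: ls -l prints a "total" header line, so that count is one too high, and listing a shell's own /proc/$$/fd briefly opens the directory itself, which shows up as one extra entry. The "WARN" line is what you would feed to a monitoring system; a server that sits near the fs.file-max ceiling will start failing opens with "Too many open files in system".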
    More about /proc/PID/file & procfs File System
    /proc (or procfs) is a pseudo-file system that is generated dynamically after each reboot. It is used to access kernel information. procfs is also used by Solaris, BSD, AIX and other UNIX-like operating systems. Now you know how many file descriptors a process is using. You will find more interesting things in the /proc/$PID/ directory:
    • /proc/PID/cmdline : process arguments
    • /proc/PID/cwd : process current working directory (symlink)
    • /proc/PID/exe : path to actual process executable file (symlink)
    • /proc/PID/environ : environment used by process
    • /proc/PID/root : the root path as seen by the process. For most processes this will be a link to / unless the process is running in a chroot jail.
    • /proc/PID/status : basic information about a process including its run state and memory usage.
    • /proc/PID/task : hard links to any tasks that have been started by this (the parent) process.
    6. Basic Settings in /etc/sysctl.conf
    Harden /etc/sysctl.conf
    # Kernel sysctl configuration file for Red Hat Enterprise Linux
    # Controls IP packet forwarding
    net.ipv4.ip_forward = 0
    # Controls source route verification
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.all.rp_filter = 1
    # Disables IP source routing
    net.ipv4.conf.default.accept_source_route = 0
    net.ipv4.conf.all.accept_source_route = 0
    # Controls the System Request debugging functionality of the kernel
    kernel.sysrq = 0
    # Controls whether core dumps will append the PID to the core filename.
    # Useful for debugging multi-threaded applications.
    kernel.core_uses_pid = 1
    # Increase maximum amount of memory allocated to shm
    # Only uncomment if needed!
    # kernel.shmmax = 67108864
    # Disable ICMP Redirect Acceptance
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.all.accept_redirects = 0
    # Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
    net.ipv4.conf.default.log_martians = 1
    net.ipv4.conf.all.log_martians = 1
    # Decrease the time default value for tcp_fin_timeout connection
    net.ipv4.tcp_fin_timeout = 25
    # Decrease the time default value for tcp_keepalive_time connection
    net.ipv4.tcp_keepalive_time = 1200
    # Turn on the tcp_window_scaling
    net.ipv4.tcp_window_scaling = 1
    # Turn on the tcp_sack
    net.ipv4.tcp_sack = 1
    # tcp_fack should be on because of sack
    net.ipv4.tcp_fack = 1
    # Turn on the tcp_timestamps
    net.ipv4.tcp_timestamps = 1
    # Enable TCP SYN Cookie Protection
    net.ipv4.tcp_syncookies = 1
    # Enable ignoring broadcasts request
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    # Enable bad error message Protection
    net.ipv4.icmp_ignore_bogus_error_responses = 1
    # Make more local ports available
    net.ipv4.ip_local_port_range = 1024 65000
    # Set TCP Re-Ordering value in kernel to '5'
    net.ipv4.tcp_reordering = 5
    # Lower syn retry rates
    net.ipv4.tcp_synack_retries = 2
    net.ipv4.tcp_syn_retries = 3
    # Set Max SYN Backlog to '2048'
    net.ipv4.tcp_max_syn_backlog = 2048
    # Various Settings
    net.core.netdev_max_backlog = 1024
    # Increase the maximum number of skb-heads to be cached
    net.core.hot_list_length = 256
    # Increase the tcp-time-wait buckets pool size
    net.ipv4.tcp_max_tw_buckets = 360000
    # This will increase the amount of memory available for socket input/output queues
    net.core.rmem_default = 65535
    net.core.rmem_max = 8388608
    net.ipv4.tcp_rmem = 4096 87380 8388608
    net.core.wmem_default = 65535
    net.core.wmem_max = 8388608
    net.ipv4.tcp_wmem = 4096 65535 8388608
    net.ipv4.tcp_mem = 8388608 8388608 8388608
    net.core.optmem_max = 40960
    After you make the changes to the file, you can make them effective immediately by typing /sbin/sysctl -p.
    Also, you will need to issue /sbin/sysctl -w net.ipv4.route.flush=1 to flush the routing table so that some of these changes take effect instantly.
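    A hardened sysctl.conf is only useful if the file actually contains what you think it does and the running kernel agrees with it. The following POSIX shell example is added here and is not part of the original post or of any project's tooling: it reads a file of "key = value" lines (either /etc/sysctl.conf or the output of sysctl -a saved to a file), normalises keys written as /proc/sys paths or with slashes (the mistake discussed in section 3) to the dotted form, and audits the result against a baseline made of the security settings this page recommends in sections 1 and 6. The BASELINE list and the sample configuration are this example's own constructions; the baseline deliberately covers only the security-related keys, not the buffer-tuning ones.

```shell
#!/bin/sh
# Added example, not part of the original post: read a sysctl.conf (or the
# "key = value" output of `sysctl -a`), normalise each key to the dotted form,
# and compare the values against the hardening settings listed on this page.
# BASELINE and the constructed sample file are this example's own assumptions.

# Strip leading/trailing whitespace from a string.
trim() {
    printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Normalise a key: "/proc/sys/fs/file-max" and "fs/file-max" both become
# "fs.file-max", the form sysctl(8) and /etc/sysctl.conf expect.
normalize_key() {
    k=${1#/proc/sys/}
    printf '%s\n' "$k" | tr '/' '.'
}

# conf_get FILE KEY: print the value of KEY in FILE, or nothing if absent.
# A later line overrides an earlier one, as sysctl -p applies them in order.
conf_get() {
    file=$1 key=$2 found=''
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(trim "$line")
        case "$line" in ''|'#'*|';'*) continue ;; esac
        case "$line" in *=*) ;; *) continue ;; esac
        k=$(normalize_key "$(trim "${line%%=*}")")
        v=$(trim "${line#*=}")
        if [ "$k" = "$key" ]; then found=$v; fi
    done < "$file"
    printf '%s\n' "$found"
}

# Security baseline drawn from the settings this page recommends ("key value").
BASELINE='
net.ipv4.ip_forward 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.log_martians 1
net.ipv4.tcp_syncookies 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
kernel.sysrq 0
'

# audit_sysctl FILE: one report line per baseline key ("ok", "MISSING" or
# "MISMATCH"); exit status is non-zero when there is at least one finding.
audit_sysctl() {
    conf=$1 n=0
    while read -r key want; do
        [ -n "$key" ] || continue
        got=$(conf_get "$conf" "$key")
        if [ -z "$got" ]; then
            printf 'MISSING  %s (want %s)\n' "$key" "$want"; n=$((n + 1))
        elif [ "$got" != "$want" ]; then
            printf 'MISMATCH %s = %s (want %s)\n' "$key" "$got" "$want"; n=$((n + 1))
        else
            printf 'ok       %s = %s\n' "$key" "$got"
        fi
    done <<EOF
$BASELINE
EOF
    [ "$n" -eq 0 ]
}

# audit_findings FILE: just the number of MISSING/MISMATCH lines.
audit_findings() {
    audit_sysctl "$1" | grep -c -v '^ok' || true
}

# Constructed sample sysctl.conf: forwarding left on, two keys written in the
# wrong form, secure_redirects and bogus-error protection absent, and a
# duplicated tcp_syncookies where the later line wins.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample for this example
net.ipv4.ip_forward = 1
/proc/sys/net/ipv4/conf/all/rp_filter = 1
net/ipv4/conf/default/rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.sysrq = 0
EOF

audit_sysctl "$SAMPLE_CONF" || echo "findings: $(audit_findings "$SAMPLE_CONF")"
```

    To audit the file you intend to load, run audit_sysctl /etc/sysctl.conf; to audit what the kernel is actually using after sysctl -p, save sysctl -a to a file and audit that, since a setting that is commented out (as tcp_syncookies is in the first sample on this page) or overridden by a later line never reaches the kernel. Keys whose interface name contains a dot are not handled by the simple dot/slash normalisation here.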
