{"id":54,"date":"2022-02-28T11:19:32","date_gmt":"2022-02-28T08:19:32","guid":{"rendered":"https:\/\/www.kmlsmv1.com\/?p=54"},"modified":"2022-02-28T11:19:32","modified_gmt":"2022-02-28T08:19:32","slug":"54","status":"publish","type":"post","link":"https:\/\/www.kmlsmv1.com\/?p=54","title":{"rendered":""},"content":{"rendered":"\n<pre id=\"__code_24\" class=\"wp-block-code\"><code><em># Reboot the machine 10 seconds after a kernel panic instead of hanging<\/em>\nkernel.panic=10\n\n<em># Disable the magic SysRq key entirely (0): it lets anyone at the console<\/em>\n<em># reboot, kill processes or dump memory without authenticating<\/em>\nkernel.sysrq = 0\n\n<em># Controls whether core dumps will append the PID to the core filename<\/em>\n<em># Useful for debugging multi-threaded applications<\/em>\nkernel.core_uses_pid = 1\n\n<em># Symlinks in world-writable sticky directories (e.g. \/tmp) are followed only<\/em>\n<em># when the owners match, and hardlinks can only be made to files the user owns<\/em>\n<em># or can read\/write - mitigates TOCTOU link attacks<\/em>\nfs.protected_hardlinks=1\nfs.protected_symlinks=1\n\n<em># Enable ExecShield protection (value 1 or 2, 2 recommended)<\/em>\n<em># NOTE: kernel.exec-shield exists only on older RHEL\/CentOS kernels (6 and<\/em>\n<em># earlier); elsewhere sysctl reports an unknown key, so drop the line there.<\/em>\n<em># kernel.randomize_va_space=2 is the portable full-ASLR setting.<\/em>\nkernel.exec-shield = 2\nkernel.randomize_va_space=2\n\n<em># Increase system file descriptor limit<\/em>\n<em># NOTE: modern kernels derive a much larger default from RAM; check<\/em>\n<em># \"sysctl fs.file-max\" first so this value does not lower the limit.<\/em>\nfs.file-max = 65535\n\n<em># Allow for more PIDs<\/em>\nkernel.pid_max = 65536\n\n<em># Disable zone reclaim<\/em>\nvm.zone_reclaim_mode = 0\n\n<em># Reduce swap usage<\/em>\nvm.swappiness = 10\n\n<em>###############################################<\/em>\n<em>########## IPv4 networking start ##############<\/em>\n<em>###############################################<\/em>\n\n<em># Do not send ICMP redirects: only routers should, and this is a server<\/em>\n<em># that does no routing<\/em>\nnet.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\n\n<em># Accept packets with the source-routing (SRR) option? No<\/em>\nnet.ipv4.conf.all.accept_source_route = 0\n\n<em># Accept ICMP redirects? 
No, this is not a router<\/em>\nnet.ipv4.conf.all.accept_redirects = 0\n<em># secure_redirects only matters while accept_redirects=1; it is 1 here but<\/em>\n<em># 0 for conf.default further down - make the two agree (0 is the usual<\/em>\n<em># hardening value, since redirects are rejected anyway)<\/em>\nnet.ipv4.conf.all.secure_redirects = 1\n\n<em># Ignore bogus ICMP error responses (avoids log spam from broken hosts)<\/em>\nnet.ipv4.icmp_ignore_bogus_error_responses=1\n\n<em># Controls IP packet forwarding - off, this host is not a router<\/em>\nnet.ipv4.ip_forward = 0\n\n<em># TCP window scaling (RFC 7323) lets the receive window exceed 64 KiB so<\/em>\n<em># high-bandwidth \/ high-latency links can be kept full.<\/em>\nnet.ipv4.tcp_window_scaling = 1\n\n<em># If enabled, assume that no receipt of a window-scaling option means that the<\/em>\n<em># remote TCP is broken and treats the window as a signed quantity.  If<\/em>\n<em># disabled, assume that the remote TCP is not broken even if we do not receive<\/em>\n<em># a window scaling option from it.<\/em>\nnet.ipv4.tcp_workaround_signed_windows = 1\n\n<em># TCP SACK (RFC 2018) lets the receiver report exactly which segments were<\/em>\n<em># lost so only those are retransmitted. FACK is a legacy knob: on recent<\/em>\n<em># kernels (4.15 and later) it is accepted but documented as having no effect.<\/em>\nnet.ipv4.tcp_sack = 1\nnet.ipv4.tcp_fack = 1\n\n<em># The latency setting is 1 if you prefer more packets vs bandwidth, or 0 if you<\/em>\n<em># prefer bandwidth. More packets are ideal for things like Remote Desktop and<\/em>\n<em># VOIP: less for bulk downloading.<\/em>\n<em>#net.ipv4.tcp_low_latency = 0<\/em>\n\n<em># RFC 2923 is a good review of PMTU discovery. IPv6 relies on PMTU by default<\/em>\n<em># to avoid fragmenting packets at routers, but it is optional for IPv4. PMTU<\/em>\n<em># discovery finds the largest packet size that fits on every link of the path,<\/em>\n<em># but firewalls commonly drop the ICMP \"fragmentation needed\" messages it<\/em>\n<em># depends on, which breaks it. Linux tries to use it, and so do I: if you have<\/em>\n<em># problems, you have a problem router, and can set the \"no\" knob<\/em>\n<em># to 1. 
\"MTU probing\" is also a part of this: 1 means try, and 0 means don't.<\/em>\n<em>#net.ipv4.ip_no_pmtu_disc = 0<\/em>\n<em>#net.ipv4.tcp_mtu_probing = 1<\/em>\n\n<em># F-RTO is a loss-recovery mechanism in newer Linux kernels that helps on<\/em>\n<em># wireless links: use it if you have them; delete the setting, or set to 0,<\/em>\n<em># if you don't. (tcp_frto_response was removed around kernel 3.10; leave it<\/em>\n<em># out on newer kernels.)<\/em>\n<em>#net.ipv4.tcp_frto = 2<\/em>\n<em>#net.ipv4.tcp_frto_response = 2<\/em>\n\n<em># Log packets with impossible (martian) source addresses to the kernel log<\/em>\n<em># (only conf.all is set; add conf.default.log_martians = 1 so interfaces<\/em>\n<em># created later log as well)<\/em>\nnet.ipv4.conf.all.log_martians = 1\n<em># Per-interface defaults for interfaces created after this file is applied,<\/em>\n<em># mirroring the conf.all settings above<\/em>\nnet.ipv4.conf.default.accept_source_route = 0\nnet.ipv4.conf.default.accept_redirects = 0\nnet.ipv4.conf.default.secure_redirects = 0\n\n<em># Ignore all ICMP ECHO and TIMESTAMP requests sent via broadcast\/multicast<\/em>\n<em># (prevents this host from being used as a smurf amplifier)<\/em>\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n\n<em># Widen the ephemeral port range used for outbound connections<\/em>\nnet.ipv4.ip_local_port_range = 15000 65000\n\n<em># Disable TCP slow start on idle connections<\/em>\nnet.ipv4.tcp_slow_start_after_idle = 0\n\n<em># Enable TCP SYN cookies (mitigates SYN-flood DoS), see http:\/\/lwn.net\/Articles\/277146\/<\/em>\n<em># Note: this key also governs IPv6 TCP sessions.<\/em>\nnet.ipv4.tcp_syncookies = 1\nnet.ipv4.tcp_synack_retries = 2\nnet.ipv4.tcp_syn_retries = 5\n\n<em># Enable reverse-path source validation (RFC 1812) on all interfaces to drop<\/em>\n<em># packets with spoofed source addresses. 1 = strict mode; on multi-homed or<\/em>\n<em># asymmetrically routed hosts use 2 (loose) or legitimate traffic is dropped.<\/em>\nnet.ipv4.conf.all.rp_filter = 1\nnet.ipv4.conf.default.rp_filter = 1 \n\n<em># RFC 1337, TIME-WAIT Assassination Hazards in TCP, a fix written in 1992<\/em>\n<em># for some theoretically-possible failure modes for TCP connections. To this<\/em>\n<em># day this RFC still has people confused if it negatively impacts performance<\/em>\n<em># or not or is supported by any decent router. 
Murphy's Law is that the only<\/em>\n<em># router that it would even have trouble with, is most likely your own.<\/em>\nnet.ipv4.tcp_rfc1337 = 1\n\n<em>###############################################<\/em>\n<em>########## IPv6 networking start ##############<\/em>\n<em>###############################################<\/em>\n<em># NOTE: conf.default.* only seeds interfaces created after these values are<\/em>\n<em># applied; interfaces that already exist keep their current values. Set the<\/em>\n<em># matching conf.all.* (or per-interface) keys as well where that matters.<\/em>\n<em># accept_ra itself is not set here, so RAs are still processed for anything<\/em>\n<em># not individually disabled below.<\/em>\n\n<em># This host does not route: keep IPv6 forwarding off. Setting it to 1 would<\/em>\n<em># turn the host into a router and disable SLAAC based on Router<\/em>\n<em># Advertisements; uncomment the next line to pin it explicitly.<\/em>\n<em>#net.ipv6.conf.all.forwarding = 0<\/em>\n\n<em># Number of Router Solicitations to send before assuming no routers are present.<\/em>\n<em># 0 = never solicit; this is a host, not a router<\/em>\nnet.ipv6.conf.default.router_solicitations = 0\n\n<em># Accept packets with the source-routing (SRR) option? No<\/em>\nnet.ipv6.conf.all.accept_source_route = 0\n\n<em># Accept Router Preference in RA? No<\/em>\nnet.ipv6.conf.default.accept_ra_rtr_pref = 0\n\n<em># Learn Prefix Information from Router Advertisements? No<\/em>\nnet.ipv6.conf.default.accept_ra_pinfo = 0\n\n<em># Learn the default router from Router Advertisements? No (a rogue RA on the<\/em>\n<em># link could otherwise redirect all outbound traffic)<\/em>\nnet.ipv6.conf.default.accept_ra_defrtr = 0\n\n<em># Router advertisements can cause the system to assign a global unicast<\/em>\n<em># address to an interface - disable SLAAC address autoconfiguration<\/em>\nnet.ipv6.conf.default.autoconf = 0\n\n<em># Number of Neighbor Solicitations sent per address for Duplicate Address<\/em>\n<em># Detection. 0 disables DAD entirely, so address conflicts go undetected;<\/em>\n<em># consider leaving it at the kernel default of 1 unless you have a reason.<\/em>\nnet.ipv6.conf.default.dad_transmits = 0\n\n<em># How many global unicast IPv6 addresses can be assigned to each interface?<\/em>\nnet.ipv6.conf.default.max_addresses = 1\n\n<em># Do not accept ICMPv6 redirects (prevent MITM attacks)<\/em>\nnet.ipv6.conf.default.accept_redirects = 0\nnet.ipv6.conf.all.accept_redirects = 0\n<em># NOTE: secure_redirects appears to be an IPv4-only key - I find no<\/em>\n<em># net.ipv6.conf.*.secure_redirects in the kernel, so expect this line to<\/em>\n<em># fail when applied (verify with \"sysctl -a | grep secure_redirects\").<\/em>\n<em># accept_redirects = 0 above already rejects redirects; remove this line.<\/em>\nnet.ipv6.conf.all.secure_redirects = 1\n\n<em>############################################<\/em>\n<em>##### TCP Tuning ###########################<\/em>\n<em>############################################<\/em>\n\n<em># Increase Linux autotuning TCP 
buffer limits<\/em>\n<em># Set max to 16MB for 1GE and 32M (33554432) or 54M (56623104) for 10GE<\/em>\n<em># Don't set tcp_mem itself! Let the kernel scale it based on RAM.<\/em>\nnet.core.rmem_max = 16777216\nnet.core.wmem_max = 16777216\nnet.core.rmem_default = 16777216\nnet.core.wmem_default = 16777216\nnet.core.optmem_max = 40960\nnet.ipv4.tcp_rmem = 4096 87380 16777216\nnet.ipv4.tcp_wmem = 4096 65536 16777216\n\n<em># Make room for more TIME_WAIT sockets due to more clients,<\/em>\n<em># and allow them to be reused if we run out of sockets<\/em>\n<em># Also increase the max packet backlog<\/em>\nnet.ipv4.tcp_max_syn_backlog = 30000\nnet.ipv4.tcp_max_tw_buckets = 2000000\nnet.ipv4.tcp_tw_reuse = 1\nnet.ipv4.tcp_fin_timeout = 10\nnet.core.netdev_max_backlog = 60000\nnet.core.netdev_budget = 60000\nnet.core.netdev_budget_usecs = 6000\n\n<em># If your servers talk UDP, also up these limits<\/em>\nnet.ipv4.udp_rmem_min = 8192\nnet.ipv4.udp_wmem_min = 8192\n\n<em># Change Congestion Control Algorithm to 
BBR<\/em>\nnet.core.default_qdisc=fq\nnet.ipv4.tcp_congestion_control=bbr\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.kmlsmv1.com\/index.php?rest_route=\/wp\/v2\/posts\/54"}],"collection":[{"href":"https:\/\/www.kmlsmv1.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kmlsmv1.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kmlsmv1.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kmlsmv1.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=54"}],"version-history":[{"count":1,"href":"https:\/\/www.kmlsmv1.com\/index.php?rest_route=\/wp\/v2\/posts\/54\/revisions"}],"predecessor-version":[{"id":55,"href":"https:\/\/www.kmlsmv1.com\/index.php?rest_route=\/wp\/v2\/posts\/54\/revisions\/55"}],"wp:attachment":[{"href":"https:\/\/www.kmlsmv1.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=54"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kmlsmv1.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=54"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kmlsmv1.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=54"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}