├── .github └── FUNDING.yml ├── README.md ├── install.sh ├── logo.png └── sysctl.conf /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2] 4 | patreon: # Replace with a single Patreon username 5 | open_collective: # Replace with a single Open Collective username 6 | ko_fi: # Replace with a single Ko-fi username 7 | tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel 8 | community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry 9 | liberapay: # Replace with a single Liberapay username 10 | issuehunt: # Replace with a single IssueHunt username 11 | otechie: # Replace with a single Otechie username 12 | custom: ['https://paypal.me/sammwy'] 13 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 |
Optimized kernel configuration intended for high performance and for helping to protect a server against DDoS attacks.
5 |
6 |
7 | ### ⚙️ How it works
8 | The `/etc/sysctl.conf` file allows modifying kernel parameters and making them persistent. We can use these parameters to protect our server against DDoS attacks or even get more performance from it.
9 |
10 | ### 📦 Installation
11 | 1. Clone the repository.
12 | 2. In a terminal, run `chmod 750 ./install.sh`
13 | 3. Run the install.sh script using `sh ./install.sh`
14 |
15 | ### ❤️ Contribute
16 | If you want to contribute changes to the project, you are welcome to do so. Simply open a PR with your changes; after it has been reviewed and tested, it will be accepted.
17 |
18 | ### 💰 Donate
19 | You are free to send a donation through [PayPal](https://paypal.me/sammwy) if you found this useful.
20 |
-------------------------------------------------------------------------------- /install.sh: --------------------------------------------------------------------------------
1 | #!/bin/bash
2 |
3 | # Check if is root
4 | echo "Kernel Tweeks by Nfense."
5 | if [ "$EUID" -ne 0 ]
6 | then echo "Please run this as root"
7 | exit
8 | fi
9 |
10 | # Copy kernel settings to /etc
11 | cp ./sysctl.conf /etc
12 |
13 | # Reload kernel from file
14 | sysctl -p
15 | echo "Settings updated."
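16 | -------------------------------------------------------------------------------- /logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/nfense/kernel-tweaks/1ec00b3bc20a15ef30da27da6a36d057e20e908e/logo.png -------------------------------------------------------------------------------- /sysctl.conf: --------------------------------------------------------------------------------
# /etc/sysctl.conf
# Kernel parameters loaded with `sysctl -p` (install.sh in this repository
# copies this file to /etc and runs that command). One `key = value` per line;
# `#` starts a full-line comment.
# Some keys below exist only on particular kernels or only while a module is
# loaded (see the notes on kernel.exec-shield, net.ipv4.tcp_tw_recycle,
# net.ipv4.conf.all.mc_forwarding, net.ipv6.* and net.netfilter.*). `sysctl -p`
# reports each such key as an error and still applies the remaining keys;
# `sysctl -e -p` suppresses the errors about unknown keys.

# --- Kernel ---

# Console logging levels, in order: console_loglevel, default_message_loglevel,
# minimum_console_loglevel, default_console_loglevel.
kernel.printk = 4 4 1 7
# Seconds the kernel waits before rebooting after a panic (0 = never reboot).
kernel.panic = 10
# Magic SysRq keys (0 = Disabled).
kernel.sysrq = 0
# Maximum size in bytes of a single shared memory segment.
kernel.shmmax = 4294967296
# Total number of shared memory pages that can be used system wide.
kernel.shmall = 4194304
# Name core dumps core.PID instead of plain "core" (1 = Enabled).
kernel.core_uses_pid = 1
# Maximum size in bytes of a single message queue.
kernel.msgmnb = 65536
# Maximum size in bytes of a single message in a queue; must not exceed kernel.msgmnb.
kernel.msgmax = 65536

# --- Virtual memory ---

# How aggressively the kernel swaps out anonymous memory (0-100; lower = less swapping).
vm.swappiness = 20
# Percentage of total available memory (free plus reclaimable pages) that may
# hold dirty pages before a process generating disk writes is made to write
# them out itself. At 80 most of RAM may hold unflushed data: that data is
# lost on a crash or power failure and the eventual flush can block writers
# for a long time. Lower it where that trade-off is not acceptable.
vm.dirty_ratio = 80
# Percentage of total available memory holding dirty pages at which the
# background kernel flusher threads start writing them out.
vm.dirty_background_ratio = 5

# --- Filesystem ---

# Maximum number of file handles the kernel will allocate.
fs.file-max = 2097152

# --- Core networking ---

# Maximum number of packets queued on the input side when an interface
# receives packets faster than the kernel can process them.
net.core.netdev_max_backlog = 262144
# Default socket receive buffer size in bytes.
net.core.rmem_default = 31457280
# Maximum socket receive buffer size in bytes.
net.core.rmem_max = 67108864
# Default socket send buffer size in bytes.
net.core.wmem_default = 31457280
# Maximum socket send buffer size in bytes.
net.core.wmem_max = 67108864
# Upper limit for the listen() backlog of a socket.
net.core.somaxconn = 65535
# Maximum ancillary buffer size per socket (ancillary data is a sequence of
# struct cmsghdr structures with appended data).
net.core.optmem_max = 25165824

# --- ARP / neighbour cache ---

# Minimum number of neighbour entries kept; below this nothing is garbage collected.
net.ipv4.neigh.default.gc_thresh1 = 4096
# Above this number the garbage collector becomes more aggressive and removes
# entries older than 5 seconds.
net.ipv4.neigh.default.gc_thresh2 = 8192
# Hard maximum; above this number entries are removed immediately.
net.ipv4.neigh.default.gc_thresh3 = 16384
# Seconds between runs of the neighbour garbage collector.
net.ipv4.neigh.default.gc_interval = 5
# Seconds after which a neighbour entry is considered stale; a stale entry is
# re-resolved before data is sent to it.
net.ipv4.neigh.default.gc_stale_time = 120

# --- Connection tracking (netfilter) ---
# These keys exist only while the nf_conntrack module is loaded; otherwise
# `sysctl -p` reports them as unknown and skips them.

# Size of the connection tracking table. Every tracked connection costs kernel
# memory (on the order of a few hundred bytes), so ten million entries can pin
# several gigabytes; the conntrack hash table (the module's hashsize
# parameter) should be sized to match.
net.netfilter.nf_conntrack_max = 10000000
# 0 = do not pick up TCP connections that are already established when first
# seen. Connections that were open when the table was last flushed (for
# example after a module reload) are then no longer matched.
net.netfilter.nf_conntrack_tcp_loose = 0
# Timeout for the ESTABLISHED state (seconds).
net.netfilter.nf_conntrack_tcp_timeout_established = 1800
# Timeout for the CLOSE state (seconds).
net.netfilter.nf_conntrack_tcp_timeout_close = 10
# Timeout for the CLOSE_WAIT state (seconds).
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 10
# Timeout for the FIN_WAIT state (seconds).
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 20
# Timeout for the LAST_ACK state (seconds).
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 20
# Timeout for the SYN_RECV state (seconds).
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 20
# Timeout for the SYN_SENT state (seconds).
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 20
# Timeout for the TIME_WAIT state (seconds).
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10

# --- IPv4 / TCP ---

# Keep the congestion window after a connection has been idle for one
# retransmission timeout instead of shrinking it (0 = Disabled).
net.ipv4.tcp_slow_start_after_idle = 0
# Range of local (source) ports used for outgoing connections.
net.ipv4.ip_local_port_range = 1024 65000
# Maximum number of IPv4 routes. Kept for older kernels; since the routing
# cache was removed (Linux 3.6) the kernel documents this value as unused.
net.ipv4.route.max_size = 8048576
# Ignore all incoming ICMP echo requests (0 = Disabled, i.e. pings are still
# answered; 1 = Enabled).
net.ipv4.icmp_echo_ignore_all = 0
# Ignore ICMP echo requests sent to broadcast/multicast addresses (1 = Enabled).
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Do not log bogus ICMP error responses to broadcast frames (1 = Enabled).
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Congestion control algorithm for new connections. Commonly available: reno,
# cubic (the usual kernel default), bic, htcp, vegas, westwood. The algorithm
# must be built in or its module loaded (listed in
# net.ipv4.tcp_available_congestion_control), otherwise setting this key fails.
net.ipv4.tcp_congestion_control = htcp
# TCP memory limits in pages: min (below this TCP does not moderate its memory
# use), pressure (above this TCP enters memory pressure mode, left again when
# usage falls under min), max (pages allowed for queueing by all TCP sockets).
net.ipv4.tcp_mem = 65536 131072 262144
# Same three limits, in pages, for UDP.
net.ipv4.udp_mem = 65536 131072 262144
# TCP receive buffer in bytes: min (guaranteed to every socket, even under
# moderate memory pressure), default (initial size; overrides
# net.core.rmem_default for TCP), max (upper bound for automatically tuned
# receive buffers; does not override net.core.rmem_max). A socket that calls
# setsockopt(SO_RCVBUF) disables autotuning and ignores the max.
net.ipv4.tcp_rmem = 4096 87380 33554432
# TCP send buffer in bytes: min (reserved for every socket), default (initial
# size), max (upper bound for automatically tuned send buffers).
net.ipv4.tcp_wmem = 4096 87380 33554432
# Minimum receive buffer in bytes guaranteed to UDP sockets under memory pressure.
net.ipv4.udp_rmem_min = 16384
# Minimum send buffer in bytes guaranteed to UDP sockets under memory pressure.
net.ipv4.udp_wmem_min = 16384
# Maximum number of TIME_WAIT sockets held at once; beyond this a TIME_WAIT
# socket is destroyed immediately.
net.ipv4.tcp_max_tw_buckets = 1440000
# Fast recycling of TIME_WAIT sockets (0 = Disabled). It dropped connections
# from clients behind NAT and was removed in Linux 4.12; on those kernels the
# key is unknown and `sysctl -p` reports it. 0 is the safe value where it exists.
net.ipv4.tcp_tw_recycle = 0
# Reuse TIME_WAIT sockets for new outgoing connections when it is safe from the
# protocol's point of view (1 = Enabled). Relies on net.ipv4.tcp_timestamps.
net.ipv4.tcp_tw_reuse = 1
# Maximum number of TCP sockets not attached to any user file handle. Beyond
# this, orphaned connections are reset immediately and a warning is logged.
net.ipv4.tcp_max_orphans = 400000
# TCP window scaling as defined in RFC 1323 (1 = Enabled).
net.ipv4.tcp_window_scaling = 1
# If set, RST segments received in TIME_WAIT are ignored as RFC 1337
# recommends, which protects against TIME_WAIT assassination.
net.ipv4.tcp_rfc1337 = 1
# Send SYN cookies when the SYN backlog of a listening socket overflows; this
# is the standard mitigation for SYN floods (1 = Enabled).
net.ipv4.tcp_syncookies = 1
# Number of SYN-ACK retransmissions for a passive (incoming) connection.
# 1 shortens how long half-open connections linger during a SYN flood, at the
# price of fewer retries for legitimate clients on lossy paths.
net.ipv4.tcp_synack_retries = 1
# Number of retransmissions of the initial SYN for an active (outgoing) connection.
net.ipv4.tcp_syn_retries = 2
# Maximum number of remembered connection requests (SYN_RECV) that have not yet
# been acknowledged by the connecting client.
net.ipv4.tcp_max_syn_backlog = 16384
# TCP timestamps as defined in RFC 1323, with a random offset per connection
# instead of the raw current time (1 = Enabled).
net.ipv4.tcp_timestamps = 1
# Selective acknowledgements (SACK) (1 = Enabled).
net.ipv4.tcp_sack = 1
# Explicit Congestion Notification; used only when both ends support it.
# 0 = Disabled.
# 1 = Accept ECN when requested by incoming connections and request it on outgoing connections.
# 2 = Accept ECN when requested by incoming connections but do not request it on outgoing connections.
net.ipv4.tcp_ecn = 2
# Seconds an orphaned connection (no longer referenced by any application)
# stays in FIN_WAIT_2 before the local end aborts it.
net.ipv4.tcp_fin_timeout = 10
# Seconds of idle time before TCP starts sending keepalive probes (when keepalive is enabled).
net.ipv4.tcp_keepalive_time = 600
# Seconds between keepalive probes. Multiplied by tcp_keepalive_probes this is
# how long an unresponsive connection survives once probing has started.
net.ipv4.tcp_keepalive_intvl = 60
# Number of unanswered keepalive probes after which the connection is considered broken.
net.ipv4.tcp_keepalive_probes = 10
# By default TCP saves connection metrics in the route cache when a connection
# closes so that new connections to the same destination can reuse them as
# initial conditions. 1 = do not cache metrics on closing connections.
net.ipv4.tcp_no_metrics_save = 1

# --- IPv4 interface hardening ---
# For several of these settings the kernel combines conf/all with the
# per-interface value, and new interfaces copy their value from conf/default.
# Setting only conf/all therefore does not always take effect, so the
# corresponding conf/default key is set alongside it.

# Forward packets between interfaces (0 = Disabled).
net.ipv4.ip_forward = 0
# Accept ICMP redirect messages (0 = Disabled). On a host with forwarding
# disabled, redirects are accepted if either conf/all or the per-interface
# value is set, so the per-interface default must be cleared too.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Send ICMP redirects when acting as a router (0 = Disabled). Redirects are
# sent if either conf/all or the per-interface value is set.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Accept packets carrying the source-routing (SRR) option (0 = Disabled).
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Reverse path filtering (RFC 3704). The higher of conf/all and the
# per-interface value is used.
# 0 - No source validation.
# 1 - Strict mode: each incoming packet is tested against the FIB and the
#     check fails if the receiving interface is not the best reverse path.
#     By default failed packets are discarded.
# 2 - Loose mode: the source address only has to be reachable via any interface.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Multicast routing (0 = Disabled). On current kernels this key is read-only
# (it reports whether a multicast router is attached), so writing it yields a
# permission error that `sysctl -p` reports and skips.
net.ipv4.conf.all.mc_forwarding = 0
# Log packets with impossible (martian) addresses to the kernel log (1 = Enabled).
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Address space layout randomization: 0 = off; 1 = randomize the stack, mmap
# base and VDSO; 2 = additionally randomize the heap (brk). 2 is the kernel
# default and the value hardening guides expect; 1 leaves the heap at a
# predictable address.
kernel.randomize_va_space = 2
# Exec Shield existed only in Red Hat's patched 2.6-era kernels (a project
# started at Red Hat in late 2002 to reduce the risk of worms and other
# automated remote attacks). The key is absent from mainline kernels, where
# `sysctl -p` reports it as unknown and skips it.
kernel.exec-shield = 1
# Proxy ARP (0 = Disabled).
net.ipv4.conf.all.proxy_arp = 0
# Secure redirects: only accept ICMP redirects from gateways listed in the
# default gateway list (1 = Enabled).
net.ipv4.conf.all.secure_redirects = 1
# BOOTP relay (0 = Disabled).
net.ipv4.conf.all.bootp_relay = 0

# --- IPv6 interface hardening ---
# The IPv4 settings above say nothing about IPv6; apply the same redirect and
# source-routing policy there. When IPv6 is disabled or not built in these keys
# are absent and `sysctl -p` reports and skips them.

net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Flush the routing cache so that the settings above apply to subsequent
# connections (write-only trigger; keep it last).
net.ipv4.route.flush = 1
--------------------------------------------------------------------------------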