├── TODO ├── auditd.cron ├── modprobe.conf ├── sshd.conf ├── audit.rules ├── debian-security.txt ├── rc.iptables └── sysctl.conf └── README.md /TODO/auditd.cron: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | ########## 4 | # This script can be installed to get a daily log rotation 5 | # based on a cron job. 6 | ########## 7 | 8 | /sbin/service auditd rotate 9 | EXITVALUE=$? 10 | if [ $EXITVALUE != 0 ]; then 11 | /usr/bin/logger -t auditd "ALERT exited abnormally with [$EXITVALUE]" 12 | fi 13 | exit 0 14 | 15 | -------------------------------------------------------------------------------- /TODO/modprobe.conf: -------------------------------------------------------------------------------- 1 | #Applications 2 | install cramfs /bin/true 3 | install freevxfs /bin/true 4 | install jffs2 /bin/true 5 | install hfs /bin/true 6 | install hfsplus /bin/true 7 | install squashfs /bin/true 8 | install udf /bin/true 9 | # Protocols 10 | install dccp /bin/true 11 | install sctp /bin/true 12 | install rds /bin/true 13 | install tipc /bin/true 14 | -------------------------------------------------------------------------------- /TODO/sshd.conf: -------------------------------------------------------------------------------- 1 | Protocol 2 2 | LogLevel INFO 3 | X11Forwarding no 4 | MaxAuthTries 4 5 | IgnoreRhosts yes 6 | HostbasedAuthentication no 7 | PermitRootLogin no 8 | PermitEmptyPasswords no 9 | PermitUserEnvironment no 10 | Ciphers aes128-ctr,aes192-ctr,aes256-ctr 11 | ClientAliveInterval 600 12 | ClientAliveCountMax 0 13 | Banner /etc/issue.net 14 | AllowGroups root,wheel 15 | -------------------------------------------------------------------------------- /TODO/audit.rules: -------------------------------------------------------------------------------- 1 | # This file contains the auditctl rules that are loaded 2 | # whenever the audit daemon is started via the initscripts. 
3 | # The rules are simply the parameters that would be passed 4 | # to auditctl. 5 | 6 | # First rule - delete all 7 | -D 8 | 9 | # Increase the buffers to survive stress events. 10 | # Make this bigger for busy systems 11 | -b 1024 12 | 13 | -a entry,always -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time-change 14 | -a entry,always -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time-change 15 | -w /etc/localtime -p wa -k time-change 16 | 17 | -a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale 18 | -a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale 19 | -w /etc/hosts -p wa -k system-locale 20 | -w /etc/issue -p wa -k system-locale 21 | -w /etc/issue.net -p wa -k system-locale 22 | -w /etc/network/interfaces -p wa -k system-locale 23 | 24 | -a always,exit -F arch=b32 -S init_module -S delete_module -k modules 25 | -a always,exit -F arch=b64 -S init_module -S delete_module -k modules 26 | -w /sbin/rmmod -p x -k modules 27 | -w /sbin/insmod -p x -k modules 28 | -w /sbin/modprobe -p x -k modules 29 | 30 | -w /etc/sudoers -p wa -k identity 31 | 32 | -w /var/run/utmp -p wa -k session 33 | -w /var/log/wtmp -p wa -k session 34 | -w /var/log/btmp -p wa -k session 35 | 36 | -w /etc/audit/ -p wa -k CFG_audit 37 | -w /etc/default/auditd -p wa -k CFG_audit 38 | -w /etc/libaudit.conf -p wa -k CFG_libaudit.conf 39 | -w /etc/audisp/ -p wa -k CFG_audisp 40 | 41 | ## set-up of trusted channel 42 | -w /usr/sbin/stunnel -p x 43 | 44 | ## cron configuration & scheduled jobs 45 | -w /etc/cron.allow -p wa -k CFG_cron.allow 46 | -w /etc/cron.deny -p wa -k CFG_cron.deny 47 | -w /etc/cron.d/ -p wa -k CFG_cron.d 48 | -w /etc/cron.daily/ -p wa -k CFG_cron.daily 49 | -w /etc/cron.hourly/ -p wa -k CFG_cron.hourly 50 | -w /etc/cron.monthly/ -p wa -k CFG_cron.monthly 51 | -w /etc/cron.weekly/ -p wa -k CFG_cron.weekly 52 | -w /etc/crontab -p wa -k CFG_crontab 53 | -w /var/spool/cron/crontabs/root -k CFG_crontab_root 
54 | 55 | ## user, group, password databases 56 | -w /etc/group -p wa -k CFG_group 57 | -w /etc/passwd -p wa -k CFG_passwd 58 | -w /etc/gshadow -k CFG_gshadow 59 | -w /etc/shadow -k CFG_shadow 60 | -w /etc/security/opasswd -k CFG_opasswd 61 | 62 | ## login configuration and information 63 | -w /etc/login.defs -p wa -k CFG_login.defs 64 | -w /etc/securetty -p wa -k CFG_securetty 65 | -w /var/log/faillog -p wa -k LOG_faillog 66 | -w /var/log/lastlog -p wa -k LOG_lastlog 67 | -w /var/log/tallylog -p wa -k LOG_tallylog 68 | 69 | ## system startup scripts 70 | -w /etc/inittab -p wa -k CFG_inittab 71 | -w /etc/init.d/ -p wa -k CFG_initscripts 72 | 73 | ## library search paths 74 | -w /etc/ld.so.conf -p wa -k CFG_ld.so.conf 75 | 76 | ## kernel parameters 77 | -w /etc/sysctl.conf -p wa -k CFG_sysctl.conf 78 | 79 | ## modprobe configuration 80 | -w /etc/modprobe.conf -p wa -k CFG_modprobe.conf 81 | 82 | ## pam configuration 83 | -w /etc/pam.d/ -p wa -k CFG_pam 84 | -w /etc/security/limits.conf -p wa -k CFG_pam 85 | -w /etc/security/pam_env.conf -p wa -k CFG_pam 86 | -w /etc/security/namespace.conf -p wa -k CFG_pam 87 | -w /etc/security/namespace.init -p wa -k CFG_pam 88 | 89 | ## ssh configuration 90 | -w /etc/ssh/sshd_config -k CFG_sshd_config 91 | 92 | 93 | -e 2 94 | -------------------------------------------------------------------------------- /TODO/debian-security.txt: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------- 2 | # Some common sense basics to secure Debian Linux servers 3 | 4 | 5 | # installing extra security packages 6 | 7 | apt-get install denyhosts tiger rkhunter chkrootkit snort oinkmaster checksecurity logcheck logwatch fcheck logcheck-database syslog-summary tripwire auditd acct ninja sysstat 8 | 9 | # after downloading and installing, build the tripwire database: 10 | 11 | tripwire --init 12 | 13 | # most of the tools send e-mail to root@localhost, make sure to 
redirect this to a working e-mail address: 14 | 15 | echo "root: my.email@address.com" >> /etc/aliases 16 | newaliases 17 | 18 | # Download the 'sysctl.conf' provided here, place it in /etc and run: 19 | 20 | wget -O /etc/sysctl.conf http://klaver.it/linux/sysctl.conf 21 | sysctl -e -p /etc/sysctl.conf 22 | 23 | # Download 'rc.iptables', save it to /etc/init.d and edit it so that it only opens the ports your server really needs; after that do: 24 | 25 | wget -O /etc/init.d/rc.iptables http://klaver.it/linux/rc.iptables 26 | chmod 755 /etc/init.d/rc.iptables 27 | update-rc.d rc.iptables defaults 28 | /etc/init.d/rc.iptables start & 29 | 30 | # Get automatic security updates 31 | 32 | apt-get install cron-apt unattended-upgrades 33 | 34 | # Do some virus scanning to make sure there are no unwanted files on your server system: 35 | 36 | apt-get install clamav clamav-daemon clamav-freshclam 37 | freshclam 38 | clamscan --infected --recursive --no-summary / 39 | 40 | # You could also do this on a daily basis and add it as a cron job: 41 | 42 | echo "13 5 * * * clamscan --infected --recursive --no-summary /" >> /var/spool/cron/crontabs/root 43 | 44 | # remove, or restrict the permissions of, all system tools that can be used to download files from the command line (like lynx and wget) 45 | 46 | chmod 700 /usr/bin/wget /usr/bin/curl /usr/bin/GET /usr/bin/ftp /usr/bin/telnet 47 | dpkg -P lynx links 48 | 49 | # Search for other installations of these tools and remove or disable them for normal users 50 | 51 | whereis wget curl GET links lynx ftp telnet 52 | 53 | # Monitor your user cron-jobs and look for suspicious commands 54 | 55 | cat /var/spool/cron/crontabs/* 56 | 57 | # In case you do not want your users to use cron-jobs, you can disable them all (except for the root user) using the following commands 58 | 59 | echo root > /etc/cron.allow 60 | /etc/init.d/cron restart 61 | 62 | # Let the server fix its filesystem automatically when errors are found 63 | 64 | echo 
"FSCKFIX=yes" >> /etc/defaults/rcS 65 | 66 | 67 | 68 | # -------------------------------------------------- 69 | # Adding webserver software specific security tweaks: 70 | 71 | # use apache mod_security (www.modsecurity.org) 72 | 73 | # use the suexec tool to limit permissions of CGI scripts 74 | 75 | # use SuPHP to limit permissions of PHP scripts 76 | 77 | # For PHP edit php.ini and set the following options: 78 | 79 | allow_url_fopen = Off 80 | allow_url_include = Off 81 | register_globals = Off 82 | 83 | # PHP safe_mode will add some extra limitations, see http://www.php.net/manual/en/features.safe-mode.functions.php 84 | # use PHP option safe_mode = On , or disable a list of common abused php functions that are rarely used by legitimate php software packages: 85 | 86 | disable_functions = dl,system,exec,passthru,shell_exec,proc_open,proc_get_status,proc_terminate,proc_close,dir,readfile,virtual,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source 87 | 88 | # install the php hardening patch available at www.hardened-php.net and you might also try the suhosin patch available at the same website. 89 | 90 | # set php option open_basedir for every website limiting them to their own user home-dir to prevent php scripts get access to other users and websites at the system. 
91 | 92 | 93 | 94 | # Your server is now a bit more secure, but you still have to keep an eye at your users and make sure they do not upload and use insecure/buggy/old software packages 95 | 96 | -------------------------------------------------------------------------------- /TODO/rc.iptables: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | #### BEGIN INIT INFO 3 | # Provides: iptables 4 | # Required-Start: $network 5 | # Required-Stop: 6 | # Default-Start: 2 3 4 5 7 | # Default-Stop: S 0 1 6 8 | # Short-Description: iptables firewall script 9 | # Description: iptables firewall script 10 | ### END INIT INFO 11 | 12 | ### 13 | ### FireWall script - v1.1 Michiel Klaver 2008-10-29 14 | ### 15 | 16 | 17 | 18 | set -e 19 | 20 | . /lib/init/vars.sh 21 | . /lib/lsb/init-functions 22 | 23 | # iptables Location - adjust if needed 24 | IPT="/sbin/iptables" 25 | 26 | # Internet Interface 27 | INET_IFACE="eth0" 28 | 29 | # Localhost Interface 30 | LO_IFACE="lo" 31 | LO_IP="127.0.0.1" 32 | 33 | 34 | 35 | # we do not use forwarding / NAT 36 | echo 0 > /proc/sys/net/ipv4/ip_forward 37 | 38 | # remove any existing ipchains 39 | ([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true 40 | (rmmod ipchains) >/dev/null 2>&1 || true 41 | 42 | # insert iptable modules 43 | /sbin/modprobe ip_tables 44 | /sbin/modprobe ipt_state 45 | /sbin/modprobe iptable_filter 46 | /sbin/modprobe ip_conntrack 47 | /sbin/modprobe ip_conntrack_ftp 48 | 49 | 50 | 51 | # clear all previous iptable rules 52 | $IPT -F 53 | $IPT -X 54 | $IPT -Z 55 | 56 | # do not use forwarding / NAT 57 | $IPT -t nat -F 58 | $IPT -t nat -X 59 | $IPT -t nat -Z 60 | 61 | # do not alter packets 62 | $IPT -t mangle -F 63 | $IPT -t mangle -X 64 | $IPT -t mangle -Z 65 | 66 | 67 | 68 | case "$1" in 69 | stop|open|clear|reset) 70 | # set default policy for all traffic to ACCEPT 71 | $IPT -P INPUT ACCEPT 72 | $IPT -P OUTPUT ACCEPT 73 | $IPT -P 
FORWARD ACCEPT 74 | 75 | $IPT -A INPUT -j ACCEPT 76 | $IPT -A OUTPUT -j ACCEPT 77 | $IPT -A FORWARD -j ACCEPT 78 | exit 0 79 | ;; 80 | esac 81 | 82 | 83 | 84 | # set default policy for all traffic to DROP 85 | $IPT -P INPUT DROP 86 | $IPT -P OUTPUT DROP 87 | $IPT -P FORWARD DROP 88 | 89 | # Every new connection attempt should begin with a syn packet. If it doesn't, it is likely a 90 | # port scan. This drops packets in state NEW that are not flagged as syn packets. 91 | $IPT -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT 92 | $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP 93 | $IPT -A INPUT -p all -m state --state INVALID -j DROP 94 | 95 | $IPT -A OUTPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT 96 | $IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP 97 | $IPT -A OUTPUT -p all -m state --state INVALID -j DROP 98 | 99 | 100 | 101 | # ICMP packets should fit in a Layer 2 frame, thus they should 102 | # never be fragmented. Fragmented ICMP packets are a typical sign 103 | # of a denial of service attack. 
104 | $IPT -A INPUT --fragment -p ICMP -j DROP 105 | 106 | # Block stealth portscans 107 | $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP 108 | $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP 109 | $IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP 110 | $IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP 111 | $IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 112 | $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP 113 | 114 | # all connections from / to localhost are allowed 115 | $IPT -A INPUT -p all -i $LO_IFACE -j ACCEPT 116 | $IPT -A OUTPUT -p all -o $LO_IFACE -j ACCEPT 117 | $IPT -A OUTPUT -p all -s $LO_IP -j ACCEPT 118 | 119 | 120 | 121 | # HTTP / HTTPS 122 | $IPT -A INPUT -p tcp --dport 80 -j ACCEPT 123 | $IPT -A INPUT -p tcp --dport 443 -j ACCEPT 124 | 125 | # FTP 126 | $IPT -A INPUT -p tcp --dport 20 -j ACCEPT 127 | $IPT -A INPUT -p tcp --dport 21 -j ACCEPT 128 | 129 | # SSH 130 | $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set 131 | $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j REJECT --reject-with tcp-reset 132 | $IPT -A INPUT -p tcp --dport 22 -j ACCEPT 133 | 134 | # SMTP / SSMTP 135 | $IPT -A INPUT -p tcp --dport 25 -j ACCEPT 136 | $IPT -A INPUT -p tcp --dport 465 -j ACCEPT 137 | $IPT -A INPUT -p tcp --dport 587 -j ACCEPT 138 | 139 | # POP3PASS 140 | $IPT -A INPUT -p tcp --dport 106 -j ACCEPT 141 | 142 | # POP3 / POP3S 143 | $IPT -A INPUT -p tcp --dport 110 -j ACCEPT 144 | $IPT -A INPUT -p tcp --dport 995 -j ACCEPT 145 | 146 | # IMAP / IMAPS 147 | $IPT -A INPUT -p tcp --dport 143 -j ACCEPT 148 | $IPT -A INPUT -p tcp --dport 993 -j ACCEPT 149 | 150 | # MySQL 151 | $IPT -A INPUT -p tcp --dport 3306 -j ACCEPT 152 | 153 | # PostgreSQL 154 | $IPT -A INPUT -p tcp --dport 5432 -j ACCEPT 155 | 156 | # DNS 157 | $IPT -A INPUT -p udp --dport 53 -j ACCEPT 158 | $IPT -A INPUT -p tcp --dport 53 -j ACCEPT 159 | 160 | # Admin Panels (Plesk / DirectAdmin) 
161 | $IPT -A INPUT -p tcp --dport 8443 -j ACCEPT 162 | $IPT -A INPUT -p tcp --dport 2222 -j ACCEPT 163 | 164 | # ICMP 165 | $IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT 166 | $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT 167 | $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT 168 | $IPT -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT 169 | $IPT -A INPUT -p icmp --icmp-type source-quench -j ACCEPT 170 | $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT 171 | $IPT -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT 172 | 173 | 174 | 175 | # UDP part of tracerouting 176 | $IPT -A INPUT -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT 177 | $IPT -A OUTPUT -p udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT 178 | 179 | # SSH 180 | $IPT -A OUTPUT -p tcp --dport 22 -j ACCEPT 181 | 182 | # SMTP 183 | $IPT -A OUTPUT -p tcp --dport 25 -j ACCEPT 184 | $IPT -A OUTPUT -p tcp --dport 465 -j ACCEPT 185 | $IPT -A OUTPUT -p tcp --dport 587 -j ACCEPT 186 | 187 | # POP3/IMAP 188 | $IPT -A OUTPUT -p tcp --dport 110 -j ACCEPT 189 | $IPT -A OUTPUT -p tcp --dport 143 -j ACCEPT 190 | 191 | # HTTP/HTTPS 192 | $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT 193 | $IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT 194 | 195 | # DNS 196 | $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT 197 | $IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT 198 | 199 | # SNMP 200 | $IPT -A OUTPUT -p udp --dport 161 -j ACCEPT 201 | $IPT -A OUTPUT -p tcp --dport 161 -j ACCEPT 202 | $IPT -A OUTPUT -p udp --dport 162 -j ACCEPT 203 | $IPT -A OUTPUT -p tcp --dport 162 -j ACCEPT 204 | 205 | # NTP (date/time) 206 | $IPT -A OUTPUT -p tcp --dport 37 -j ACCEPT 207 | $IPT -A OUTPUT -p tcp --dport 123 -j ACCEPT 208 | $IPT -A OUTPUT -p udp --dport 123 -j ACCEPT 209 | 210 | # WhoIs clientside 211 | $IPT -A OUTPUT -p tcp --dport 43 -j ACCEPT 212 | 213 | # Razor2/Pyzor/DCC (spamchecks) 214 | $IPT -A OUTPUT -p udp --dport 24441 -j ACCEPT 215 | $IPT -A OUTPUT -p udp --dport 
6277 -j ACCEPT 216 | $IPT -A OUTPUT -p tcp --dport 2703 -j ACCEPT 217 | $IPT -A OUTPUT -p tcp --dport 7 -j ACCEPT 218 | 219 | # MySQL 220 | $IPT -A OUTPUT -p tcp --dport 3306 -j ACCEPT 221 | 222 | # PostgreSQL 223 | $IPT -A OUTPUT -p tcp --dport 5432 -j ACCEPT 224 | 225 | # ICMP 226 | $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT 227 | $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT 228 | $IPT -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT 229 | $IPT -A OUTPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT 230 | $IPT -A OUTPUT -p icmp --icmp-type source-quench -j ACCEPT 231 | $IPT -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT 232 | $IPT -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT 233 | 234 | 235 | 236 | # DROP any other protocol other than stated above 237 | $IPT -A INPUT -j DROP 238 | $IPT -A OUTPUT -j DROP 239 | $IPT -A FORWARD -j DROP 240 | 241 | 242 | 243 | $IPT -L -n 244 | -------------------------------------------------------------------------------- /TODO/sysctl.conf: -------------------------------------------------------------------------------- 1 | # Kernel sysctl configuration file for Linux 2 | # 3 | # Version 1.12 - 2015-09-30 4 | # Michiel Klaver - IT Professional 5 | # http://klaver.it/linux/ for the latest version - http://klaver.it/bsd/ for a BSD variant 6 | # 7 | # This file should be saved as /etc/sysctl.conf and can be activated using the command: 8 | # sysctl -e -p /etc/sysctl.conf 9 | # 10 | # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and sysctl.conf(5) for more details. 
11 | # 12 | # Tested with: Ubuntu 14.04 LTS kernel version 3.13 13 | # Debian 7 kernel version 3.2 14 | # CentOS 7 kernel version 3.10 15 | 16 | # 17 | # Intended use for dedicated server systems at high-speed networks with loads of RAM and bandwidth available 18 | # Optimised and tuned for high-performance web/ftp/mail/dns servers with high connection-rates 19 | # DO NOT USE at busy networks or xDSL/Cable connections where packetloss can be expected 20 | # ---------- 21 | 22 | # Credits: 23 | # http://www.enigma.id.au/linux_tuning.txt 24 | # http://www.securityfocus.com/infocus/1729 25 | # http://fasterdata.es.net/TCP-tuning/linux.html 26 | # http://fedorahosted.org/ktune/browser/sysctl.ktune 27 | # http://www.cymru.com/Documents/ip-stack-tuning.html 28 | # http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt 29 | # http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html 30 | # http://knol.google.com/k/linux-performance-tuning-and-measurement 31 | # http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/ 32 | # http://www.redbooks.ibm.com/abstracts/REDP4285.html 33 | # http://www.speedguide.net/read_articles.php?id=121 34 | # http://lartc.org/howto/lartc.kernel.obscure.html 35 | # http://en.wikipedia.org/wiki/Sysctl 36 | 37 | 38 | 39 | ### 40 | ### GENERAL SYSTEM SECURITY OPTIONS ### 41 | ### 42 | 43 | # Controls the System Request debugging functionality of the kernel 44 | kernel.sysrq = 0 45 | 46 | # Controls whether core dumps will append the PID to the core filename. 47 | # Useful for debugging multi-threaded applications. 
48 | kernel.core_uses_pid = 1 49 | 50 | #Allow for more PIDs 51 | kernel.pid_max = 65535 52 | 53 | # The contents of /proc/[pid]/maps and smaps files are only visible to 54 | # readers that are allowed to ptrace() the process 55 | kernel.maps_protect = 1 56 | 57 | #Enable ExecShield protection 58 | kernel.exec-shield = 1 59 | kernel.randomize_va_space = 2 60 | 61 | # Controls the maximum size of a message, in bytes 62 | kernel.msgmnb = 65535 63 | 64 | # Controls the default maximum size of a message queue 65 | kernel.msgmax = 65535 66 | 67 | # Restrict core dumps 68 | fs.suid_dumpable = 0 69 | 70 | # Hide exposed kernel pointers 71 | kernel.kptr_restrict = 1 72 | 73 | 74 | 75 | ### 76 | ### IMPROVE SYSTEM MEMORY MANAGEMENT ### 77 | ### 78 | 79 | # Increase size of file handles and inode cache 80 | fs.file-max = 209708 81 | 82 | # Do less swapping 83 | vm.swappiness = 30 84 | vm.dirty_ratio = 30 85 | vm.dirty_background_ratio = 5 86 | 87 | # specifies the minimum virtual address that a process is allowed to mmap 88 | vm.mmap_min_addr = 4096 89 | 90 | # 50% overcommitment of available memory 91 | vm.overcommit_ratio = 50 92 | vm.overcommit_memory = 0 93 | 94 | # Set maximum amount of memory allocated to shm to 256MB 95 | kernel.shmmax = 268435456 96 | kernel.shmall = 268435456 97 | 98 | # Keep at least 64MB of free RAM space available 99 | vm.min_free_kbytes = 65535 100 | 101 | 102 | 103 | ### 104 | ### GENERAL NETWORK SECURITY OPTIONS ### 105 | ### 106 | 107 | #Prevent SYN attack, enable SYNcookies (they will kick in when max_syn_backlog is reached) 108 | net.ipv4.tcp_syncookies = 1 109 | net.ipv4.tcp_syn_retries = 2 110 | net.ipv4.tcp_synack_retries = 2 111 | net.ipv4.tcp_max_syn_backlog = 4096 112 | 113 | # Disables packet forwarding 114 | net.ipv4.ip_forward = 0 115 | net.ipv4.conf.all.forwarding = 0 116 | net.ipv4.conf.default.forwarding = 0 117 | net.ipv6.conf.all.forwarding = 0 118 | net.ipv6.conf.default.forwarding = 0 119 | 120 | # Disables IP source routing 121 
| net.ipv4.conf.all.send_redirects = 0 122 | net.ipv4.conf.default.send_redirects = 0 123 | net.ipv4.conf.all.accept_source_route = 0 124 | net.ipv4.conf.default.accept_source_route = 0 125 | net.ipv6.conf.all.accept_source_route = 0 126 | net.ipv6.conf.default.accept_source_route = 0 127 | 128 | # Enable IP spoofing protection, turn on source route verification 129 | net.ipv4.conf.all.rp_filter = 1 130 | net.ipv4.conf.default.rp_filter = 1 131 | 132 | # Disable ICMP Redirect Acceptance 133 | net.ipv4.conf.all.accept_redirects = 0 134 | net.ipv4.conf.default.accept_redirects = 0 135 | net.ipv4.conf.all.secure_redirects = 0 136 | net.ipv4.conf.default.secure_redirects = 0 137 | net.ipv6.conf.all.accept_redirects = 0 138 | net.ipv6.conf.default.accept_redirects = 0 139 | 140 | # Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets 141 | net.ipv4.conf.all.log_martians = 1 142 | net.ipv4.conf.default.log_martians = 1 143 | 144 | # Decrease the time default value for tcp_fin_timeout connection 145 | net.ipv4.tcp_fin_timeout = 7 146 | 147 | # Decrease the time default value for connections to keep alive 148 | net.ipv4.tcp_keepalive_time = 300 149 | net.ipv4.tcp_keepalive_probes = 5 150 | net.ipv4.tcp_keepalive_intvl = 15 151 | 152 | # Don't relay bootp 153 | net.ipv4.conf.all.bootp_relay = 0 154 | 155 | # Don't proxy arp for anyone 156 | net.ipv4.conf.all.proxy_arp = 0 157 | 158 | # Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better 159 | net.ipv4.tcp_timestamps = 1 160 | 161 | # Don't ignore directed pings 162 | net.ipv4.icmp_echo_ignore_all = 0 163 | 164 | # Enable ignoring broadcasts request 165 | net.ipv4.icmp_echo_ignore_broadcasts = 1 166 | 167 | # Enable bad error message Protection 168 | net.ipv4.icmp_ignore_bogus_error_responses = 1 169 | 170 | # Allowed local port range 171 | net.ipv4.ip_local_port_range = 16384 65535 172 | 173 | # Enable a fix for RFC1337 - time-wait assassination hazards in TCP 174 
| net.ipv4.tcp_rfc1337 = 1 175 | 176 | # Do not auto-configure IPv6 177 | net.ipv6.conf.all.autoconf=0 178 | net.ipv6.conf.all.accept_ra=0 179 | net.ipv6.conf.default.autoconf=0 180 | net.ipv6.conf.default.accept_ra=0 181 | net.ipv6.conf.eth0.autoconf=0 182 | net.ipv6.conf.eth0.accept_ra=0 183 | 184 | 185 | 186 | ### 187 | ### TUNING NETWORK PERFORMANCE ### 188 | ### 189 | 190 | # For high-bandwidth low-latency networks, use 'htcp' congestion control 191 | # Do a 'modprobe tcp_htcp' first 192 | net.ipv4.tcp_congestion_control = htcp 193 | 194 | # For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12) 195 | net.core.default_qdisc = fq 196 | 197 | # Turn on the tcp_window_scaling 198 | net.ipv4.tcp_window_scaling = 1 199 | 200 | # Increase the read-buffer space allocatable 201 | net.ipv4.tcp_rmem = 8192 87380 16777216 202 | net.ipv4.udp_rmem_min = 16384 203 | net.core.rmem_default = 262144 204 | net.core.rmem_max = 16777216 205 | 206 | # Increase the write-buffer-space allocatable 207 | net.ipv4.tcp_wmem = 8192 65536 16777216 208 | net.ipv4.udp_wmem_min = 16384 209 | net.core.wmem_default = 262144 210 | net.core.wmem_max = 16777216 211 | 212 | # Increase number of incoming connections 213 | net.core.somaxconn = 32768 214 | 215 | # Increase number of incoming connections backlog 216 | net.core.netdev_max_backlog = 16384 217 | net.core.dev_weight = 64 218 | 219 | # Increase the maximum amount of option memory buffers 220 | net.core.optmem_max = 65535 221 | 222 | # Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks 223 | net.ipv4.tcp_max_tw_buckets = 1440000 224 | 225 | # try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT) 226 | net.ipv4.tcp_tw_recycle = 0 227 | net.ipv4.tcp_tw_reuse = 1 228 | 229 | # Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory 230 | net.ipv4.tcp_max_orphans = 16384 231 | net.ipv4.tcp_orphan_retries = 0 
232 | 233 | # Increase the maximum memory used to reassemble IP fragments 234 | net.ipv4.ipfrag_high_thresh = 512000 235 | net.ipv4.ipfrag_low_thresh = 446464 236 | 237 | # don't cache ssthresh from previous connection 238 | net.ipv4.tcp_no_metrics_save = 1 239 | net.ipv4.tcp_moderate_rcvbuf = 1 240 | 241 | # Increase the RPC datagram queue length 242 | net.unix.max_dgram_qlen = 50 243 | 244 | # Don't allow the arp table to become bigger than this 245 | net.ipv4.neigh.default.gc_thresh3 = 2048 246 | 247 | # Tell the gc when to become aggressive with arp table cleaning. 248 | # Adjust this based on size of the LAN. 1024 is suitable for most /24 networks 249 | net.ipv4.neigh.default.gc_thresh2 = 1024 250 | 251 | # Adjust where the gc will leave arp table alone - set to 32. 252 | net.ipv4.neigh.default.gc_thresh1 = 32 253 | 254 | # Adjust the arp table gc to clean up more often 255 | net.ipv4.neigh.default.gc_interval = 30 256 | 257 | # Increase TCP queue length 258 | net.ipv4.neigh.default.proxy_qlen = 96 259 | net.ipv4.neigh.default.unres_qlen = 6 260 | 261 | # Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you 262 | net.ipv4.tcp_ecn = 1 263 | net.ipv4.tcp_reordering = 3 264 | 265 | # How many times to retry killing an alive TCP connection 266 | net.ipv4.tcp_retries2 = 15 267 | net.ipv4.tcp_retries1 = 3 268 | 269 | # Avoid falling back to slow start after a connection goes idle 270 | # keeps our cwnd large with the keep alive connections (kernel > 3.6) 271 | net.ipv4.tcp_slow_start_after_idle = 0 272 | 273 | # Allow the TCP fastopen flag to be used, beware some firewalls do not like TFO! (kernel > 3.7) 274 | net.ipv4.tcp_fastopen = 3 275 | 276 | # This will ensure that immediately subsequent connections use the new values 277 | net.ipv4.route.flush = 1 278 | net.ipv6.route.flush = 1 279 | 280 | 281 | 282 | ### 283 | ### Comments/suggestions/additions are welcome! 
284 | ### 285 | 286 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Optimizing System Performance for SIP servers 2 | 3 | There are many guides online about Linux kernel and TCP/UDP tuning; I tried to summarize the most useful and detailed Linux kernel settings for scaling and handling more concurrent connections on a SIP server such as Asterisk or Kamailio. 4 | 5 | This is the **/etc/sysctl.conf** file I use on my servers (CentOS 6): 6 | 7 | ``` 8 | # 9 | # Tuned Kernel sysctl configuration file for Linux 10 | # 11 | # Version 1.0 - 2018-02-15 12 | # Rebtel - 13 | # 14 | # This file should be saved in /etc/sysctl.d/ and can be activated using the command: 15 | # sysctl -e -p /etc/sysctl.d/70-rebtel-tuning.conf 16 | # 17 | 18 | # Disable ipv6 19 | net.ipv6.conf.all.disable_ipv6 = 1 20 | net.ipv6.conf.default.disable_ipv6 = 1 21 | net.ipv6.conf.lo.disable_ipv6 = 0 22 | 23 | # Usually SIP uses TCP or UDP to carry the SIP signaling messages over the internet (<=> TCP/UDP sockets). 24 | # The receive buffer (socket receive buffer) holds the received data until it is read by the application. 25 | # The send buffer (socket transmit buffer) holds the data until it is read by the underlying protocol in the network stack. 
26 | 27 | #net.core.rmem_max = 10485760 28 | #net.core.rmem_max = 12582912 29 | #net.core.rmem_max = 33554432 30 | net.core.rmem_max = 67108864 31 | 32 | #net.core.wmem_max = 10485760 33 | #net.core.wmem_max = 12582912 34 | net.core.wmem_max = 33554432 35 | 36 | #net.core.rmem_default = 10485760 37 | net.core.rmem_default = 31457280 38 | #net.core.wmem_default = 10485760 39 | net.core.wmem_default = 31457280 40 | 41 | net.ipv4.tcp_rmem = 10240 87380 10485760 42 | net.ipv4.tcp_wmem= 10240 87380 10485760 43 | 44 | # Increase the write-buffer-space allocatable 45 | net.ipv4.udp_rmem_min = 131072 46 | net.ipv4.udp_wmem_min = 131072 47 | # net.ipv4.udp_mem = 65536 131072 262144 48 | net.ipv4.udp_mem = 19257652 19257652 19257652 49 | net.ipv4.tcp_mem = 786432 1048576 26777216 50 | 51 | # Increase the maximum amount of option memory buffers 52 | net.core.optmem_max = 25165824 53 | 54 | # allow services to bind to the virtual ip even when this server is the passive machine 55 | net.ipv4.ip_nonlocal_bind = 1 56 | 57 | # Disable TCP timestamp (RFC 1321): TCP timestamp feature allows round trip time measurement (<=> Adding 8 bytes to TCP header). 58 | # To avoid this overhead we disable this feature: 59 | net.ipv4.tcp_timestamps = 0 60 | 61 | # Enable window scaling: 62 | net.ipv4.tcp_window_scaling = 1 63 | 64 | # Selective acknowledgements (SACK); the value below (1) keeps them enabled: 65 | net.ipv4.tcp_sack = 1 66 | 67 | # Disable cache metrics so the initial conditions of the closed connections will not be saved to be used in near future connections: 68 | net.ipv4.tcp_no_metrics_save = 1 69 | 70 | # Tune the value of "backlog" (maximum queue length of pending connections "Waiting Acknowledgment"): 71 | net.ipv4.tcp_max_syn_backlog = 300000 72 | 73 | # Set the value of somaxconn. This is the Max value of the backlog. The default value is 128. 74 | # If the backlog is greater than somaxconn, it will be truncated to it. 
75 | net.core.somaxconn = 65535 76 | 77 | # The kernel parameter "netdev_max_backlog" is the maximum size of the receive queue. 78 | net.core.netdev_max_backlog = 300000 79 | 80 | # TIME_WAIT TCP socket state is the state where the socket is closed but waiting to handle the packets which are still in the network. 81 | # The parameter tcp_max_tw_buckets is the maximum number of sockets in TIME_WAIT state. 82 | # After reaching this number the system will start destroying sockets in this state. 83 | # Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks 84 | net.ipv4.tcp_max_tw_buckets = 1440000 85 | net.ipv4.tcp_tw_recycle = 1 86 | net.ipv4.tcp_tw_reuse = 1 87 | 88 | # How often the keepalive packets will be sent to keep the connection alive 89 | # Set the keep-alives to less than 600 seconds to ensure that connections 90 | # are refreshed before the GCP timeout occurs 91 | net.ipv4.tcp_keepalive_time = 60 92 | net.ipv4.tcp_keepalive_probes = 5 93 | # time to wait for a reply on each keepalive probe 94 | net.ipv4.tcp_keepalive_intvl = 60 95 | 96 | # how many times to retry before killing an alive TCP connection 97 | net.ipv4.tcp_retries2 = 5 98 | 99 | # how many times to retransmit the initial SYN packet 100 | net.ipv4.tcp_syn_retries = 5 101 | 102 | # Decrease the time default value for tcp_fin_timeout connection 103 | net.ipv4.tcp_fin_timeout = 15 104 | 105 | # check if the forwarding is necessary for rtpengine and rtpproxy 106 | #net.ipv4.ip_forward=1 107 | 108 | # change the maximum number of open files 109 | # be sure that /proc/sys/fs/inode-max is 3-4 times the new value of 110 | # /proc/sys/fs/file-max, or you will run out of inodes. 111 | # The upper limit on fs.file-max is recorded in fs.nr_open (which is 1024*1024) 112 | fs.file-max = 500000 113 | 114 | # The value 0 makes the kernel swap only to avoid out of memory condition. 
115 | # Do less swapping 116 | vm.swappiness = 10 117 | vm.dirty_ratio = 60 118 | vm.dirty_background_ratio = 2 119 | 120 | # The default operating system limit on mmap counts is likely to be too low 121 | # (needed by vmtouch) 122 | vm.max_map_count=262144 123 | 124 | # the maximum size (in bytes) of a single shared segment that a Linux process can allocate in its virtual address space. 125 | # 1/2 of physical RAM; theoretically a shared memory segment can be 2^64 bytes. This corresponds to all the physical RAM that you have. 126 | kernel.shmmax = 1073741824 127 | 128 | # total port range 129 | net.ipv4.ip_local_port_range = 1024 65535 130 | 131 | 132 | # Provide protection from TOCTOU races 133 | fs.protected_hardlinks=1 134 | 135 | # Provide protection from TOCTOU races 136 | fs.protected_symlinks=1 137 | 138 | # Make locating kernel addresses more difficult 139 | kernel.kptr_restrict=1 140 | 141 | # Set ptrace protections 142 | kernel.yama.ptrace_scope=1 143 | 144 | # Set perf only available to root 145 | kernel.perf_event_paranoid=2 146 | 147 | # Turn on SYN-flood protections. Starting with 2.6.26, there is no loss 148 | # of TCP functionality/features under normal conditions. When flood 149 | # protections kick in under high unanswered-SYN load, the system 150 | # should remain more stable, with a trade off of some loss of TCP 151 | # functionality/features (e.g. TCP Window scaling). 
152 | net.ipv4.tcp_syncookies=1 153 | 154 | # Ignore source-routed packets 155 | net.ipv4.conf.all.accept_source_route=0 156 | net.ipv4.conf.default.accept_source_route=0 157 | 158 | # Ignore ICMP redirects from non-GW hosts 159 | net.ipv4.conf.all.accept_redirects=0 160 | net.ipv4.conf.default.accept_redirects=0 161 | net.ipv4.conf.all.secure_redirects=1 162 | net.ipv4.conf.default.secure_redirects=1 163 | 164 | # Don't pass traffic between networks or act as a router 165 | net.ipv4.ip_forward=0 166 | net.ipv4.conf.all.send_redirects=0 167 | net.ipv4.conf.default.send_redirects=0 168 | 169 | # Turn on Source Address Verification in all interfaces to 170 | # prevent some spoofing attacks. 171 | net.ipv4.conf.all.rp_filter=1 172 | net.ipv4.conf.default.rp_filter=1 173 | 174 | # Ignore ICMP broadcasts to avoid participating in Smurf attacks 175 | net.ipv4.icmp_echo_ignore_broadcasts=1 176 | 177 | # Ignore bad ICMP errors 178 | net.ipv4.icmp_ignore_bogus_error_responses=1 179 | 180 | # Log spoofed, source-routed, and redirect packets 181 | net.ipv4.conf.all.log_martians=1 182 | net.ipv4.conf.default.log_martians=1 183 | 184 | # RFC 1337 fix 185 | net.ipv4.tcp_rfc1337=1 186 | 187 | # Addresses of mmap base, heap, stack and VDSO page are randomized 188 | kernel.randomize_va_space=2 189 | 190 | # Reboot the machine soon after a kernel panic. 191 | kernel.panic=10 192 | ``` 193 | 194 | And this is the **/etc/security/limits.conf** : 195 | 196 | ``` 197 | # 198 | # Limits configuration for ulimit. 
199 | # 200 | # Version 1.0 - 2018-02-21 201 | # Rebtel - 202 | # 203 | # This file should be saved in /etc/security/limits.d; the new limits take effect once all 204 | # active sessions of the concerned user are closed and a new session is started. Verify them with: 205 | # ulimit -a 206 | # 207 | # maximum number of open files 208 | # do not use a value higher than fs.file-max 209 | root soft nofile 102400 210 | root hard nofile 102400 211 | # limits the core file size (KB) 212 | root soft core unlimited 213 | # maximum data size (KB) 214 | root soft data unlimited 215 | # maximum filesize (KB) 216 | root soft fsize unlimited 217 | # maximum locked-in-memory address space (KB) 218 | root soft memlock unlimited 219 | root hard memlock unlimited 220 | # maximum resident set size (KB) (Ignored in Linux 2.4.30 and higher) 221 | # root soft rss unlimited 222 | # maximum stack size (KB) 223 | root soft stack unlimited 224 | root hard stack unlimited 225 | # maximum CPU time (minutes) 226 | root soft cpu unlimited 227 | # maximum number of processes 228 | root soft nproc unlimited 229 | root hard nproc unlimited 230 | # address space limit (KB) 231 | root soft as unlimited 232 | # the priority to run user processes with (negative values boost process priority) 233 | root soft priority -11 234 | # maximum locked files (Linux 2.4 and higher) 235 | root soft locks unlimited 236 | # maximum number of pending signals (Linux 2.6 and higher) 237 | root soft sigpending unlimited 238 | root hard sigpending unlimited 239 | # maximum memory used by POSIX message queues (bytes) (Linux 2.6 and higher) 240 | root soft msgqueue unlimited 241 | root hard msgqueue unlimited 242 | # maximum nice priority allowed to raise to (Linux 2.6.12 and higher) values: [-20,19] 243 | root soft nice -11 244 | ``` 245 | 246 | To add limits for a new user, copy this file into `/etc/security/limits.d/` and replace `root` with the user your process runs as. 
247 | 248 | **Example** for asterisk: 249 | 250 | ``` 251 | # sed -i 's/root/asterisk/g' 50-asterisk.limits.conf 252 | ``` 253 | 254 | # Increasing the Limit in Systemd 255 | 256 | > Note that systemd ignores limits set in the /etc/security/limits.conf and /etc/security/limits.d/*.conf configuration files. The limits defined in these files are set by PAM when starting a login session, but daemons started by systemd do not use PAM login sessions. 257 | 258 | ### Asterisk service `/usr/lib/systemd/system/asterisk.service` 259 | 260 | ``` 261 | [Unit] 262 | Description=Asterisk PBX and telephony daemon. 263 | After=network.target 264 | 265 | [Service] 266 | Type=simple 267 | Environment=HOME=/var/lib/asterisk 268 | WorkingDirectory=/var/lib/asterisk 269 | User=asterisk 270 | Group=asterisk 271 | ExecStart=/usr/sbin/asterisk -f -C /etc/asterisk/asterisk.conf 272 | ExecStop=/usr/sbin/asterisk -rx 'core stop now' 273 | ExecReload=/usr/sbin/asterisk -rx 'core reload' 274 | 275 | # To emulate some of the features of the safe_asterisk script, copy 276 | # this file to /etc/systemd/system/asterisk.service and uncomment one 277 | # or more of the following lines. 
For more information on what these 278 | # parameters mean see: 279 | # 280 | # http://0pointer.de/public/systemd-man/systemd.service.html 281 | # http://0pointer.de/public/systemd-man/systemd.exec.html 282 | 283 | Nice=1 284 | #UMask=0002 285 | LimitCORE=infinity 286 | LimitNPROC=infinity 287 | LimitAS=infinity 288 | LimitRSS=infinity 289 | LimitDATA=infinity 290 | LimitFSIZE=infinity 291 | TimeoutSec=300 292 | LimitNOFILE=1024000 293 | LimitSTACK=infinity 294 | TasksMax=infinity 295 | LimitRTPRIO=70 296 | MemoryLimit=infinity 297 | LimitSIGPENDING=infinity 298 | LimitMSGQUEUE=infinity 299 | LimitMEMLOCK=infinity 300 | 301 | #Restart=always 302 | #RestartSec=4 303 | 304 | # If you uncomment the following you should add '-c' to the ExecStart line above 305 | 306 | #TTYPath=/dev/tty7 307 | #StandardInput=tty 308 | #StandardOutput=tty 309 | #StandardError=tty 310 | 311 | PrivateTmp=true 312 | 313 | [Install] 314 | WantedBy=multi-user.target 315 | *Note that systemd ignores limits set in the /etc/security/limits.conf and /etc/security/limits.d/*.conf configuration files. 
The limits defined in these files are set by PAM when starting a login session, but daemons started by systemd do not use PAM login sessions.* 316 | ``` 317 | to check the limits you can use: 318 | 319 | ``` 320 | # cat /proc/`pidof asterisk`/limits 321 | Limit Soft Limit Hard Limit Units 322 | Max cpu time unlimited unlimited seconds 323 | Max file size unlimited unlimited bytes 324 | Max data size unlimited unlimited bytes 325 | Max stack size unlimited unlimited bytes 326 | Max core file size unlimited unlimited bytes 327 | Max resident set unlimited unlimited bytes 328 | Max processes unlimited unlimited processes 329 | Max open files 1024000 1024000 files 330 | Max locked memory unlimited unlimited bytes 331 | Max address space unlimited unlimited bytes 332 | Max file locks unlimited unlimited locks 333 | Max pending signals unlimited unlimited signals 334 | Max msgqueue size unlimited unlimited bytes 335 | Max nice priority 0 0 336 | Max realtime priority 70 70 337 | Max realtime timeout unlimited unlimited us 338 | ``` 339 | 340 | RESOURCE | DESCRIPTION 341 | ----------- | ------------- 342 | AS | address space limit 343 | CORE | max core file size 344 | CPU | CPU time 345 | DATA | max data size 346 | FSIZE | max file size 347 | LOCKS | max number of file locks held 348 | MEMLOCK | max locked-in-memory address space 349 | MSGQUEUE | max bytes in POSIX mqueues 350 | NICE | max nice prio allowed to raise 351 | NOFILE | max number of open files 352 | NPROC | max number of processes 353 | RSS | max resident set size 354 | RTPRIO | max real-time priority 355 | RTTIME | timeout for real-time tasks 356 | SIGPENDING | max number of pending signals 357 | STACK | max stack size 358 | 359 | ## Reference 360 | 361 | * [Linux Tuning For SIP Routers](https://voipmagazine.wordpress.com/2014/12/13/linux-tuning-for-sip-routers-part-1-interrupts-and-irq-tuning/) 362 | 363 | * [Google Cloud Kernel security 
settings](https://cloud.google.com/compute/docs/images/building-custom-os#kernelsecurity) 364 | 365 | * [Sysctl tuning for optimized system performance](https://mindless.atlassian.net/wiki/spaces/Linux/pages/1114116/Sysctl+tuning+for+optimized+system+performance) 366 | 367 | * [Securing Network Access](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-securing_network_access) 368 | 369 | * [CREATING AND MODIFYING SYSTEMD UNIT FILES](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/sect-managing_services_with_systemd-unit_files) 370 | --------------------------------------------------------------------------------