# Open the persistent kernel-parameter file for editing (needs root).
vim /etc/sysctl.conf
# Load the settings from that file into the running kernel and print each one;
# an unknown or misspelled key shows up here as an error line.
sysctl -p /etc/sysctl.conf
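# /etc/sysctl.conf - kernel network and IPC tuning, loaded with `sysctl -p`.
# One `key = value` per line; comments must be on their own line starting with '#'.

# Disable IPv6 on all current and future interfaces.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Ignore ICMP echo requests sent to broadcast/multicast addresses
# (avoids being used as a reflector in amplification attacks).
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Do not log bogus ICMP error responses.
net.ipv4.icmp_ignore_bogus_error_responses = 1

# This host is not a router: no forwarding, never send ICMP redirects.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Strict reverse-path filtering: drop packets whose source address is not
# reachable through the interface they arrived on (anti-spoofing).
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Reject source-routed packets.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Disable the magic SysRq key.
kernel.sysrq = 0

# Append the PID to core dump file names.
kernel.core_uses_pid = 1

# Enable SYN flood protection (SYN cookies).
net.ipv4.tcp_syncookies = 1

# Message queue sizes: bytes per queue / bytes per message.
kernel.msgmnb = 65536
kernel.msgmax = 65536

# Maximum size of a single shared memory segment, in bytes.
kernel.shmmax = 68719476736
# Total shared memory allowed system-wide; the kernel counts this in pages,
# not bytes.
kernel.shmall = 4294967296

# Maximum number of TIME_WAIT sockets (default stated as 180000).
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1

# TCP receive / send buffer sizes in bytes: min default max.
# All three values belong on one line, separated by spaces.
net.ipv4.tcp_rmem = 4096 87380 4194304
net.ipv4.tcp_wmem = 4096 16384 4194304

# Default and maximum socket buffer sizes in bytes.
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

# Maximum number of packets queued when an interface receives packets faster
# than the kernel can process them.
net.core.netdev_max_backlog = 262144

# This limit exists only to prevent simple DoS attacks.
# NOTE(review): each orphaned socket can pin unswappable kernel memory; a cap
# this high is effectively no cap, so confirm it fits the machine's RAM.
net.ipv4.tcp_max_orphans = 3276800

# Maximum number of connection requests not yet acknowledged by the client.
net.ipv4.tcp_max_syn_backlog = 262144
# NOTE(review): turning timestamps off also turns off PAWS, and it makes the
# tcp_tw_recycle / tcp_tw_reuse settings below ineffective, because both rely
# on TCP timestamps.
net.ipv4.tcp_timestamps = 0

# Number of SYN+ACK retransmissions before the kernel gives up on a connection.
# NOTE(review): 1 is aggressive; clients on lossy links may fail to connect.
net.ipv4.tcp_synack_retries = 1
# Number of SYN retransmissions before the kernel gives up on a connection.
net.ipv4.tcp_syn_retries = 1

# Enable fast recycling of TIME_WAIT sockets.
# NOTE(review): tcp_tw_recycle is known to drop connections from clients that
# share a NAT address, and the key was removed in Linux 4.12 (sysctl -p then
# reports an error for it). Prefer leaving it at 0 on anything reachable
# through NAT.
net.ipv4.tcp_tw_recycle = 1
# Allow TIME_WAIT sockets to be reused for new TCP connections.
net.ipv4.tcp_tw_reuse = 1

# TCP memory thresholds: low pressure high. The kernel counts these in pages,
# not bytes.
# NOTE(review): at 4 KiB pages these values are far beyond typical RAM, which
# effectively removes the TCP memory limit; confirm this is intended.
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1

# Idle time in seconds before TCP starts sending keepalive probes, when
# keepalive is enabled (default is 2 hours).
net.ipv4.tcp_keepalive_time = 30

# Local port range the system may use: first and last port, space separated.
net.ipv4.ip_local_port_range = 1024 65000

# Firewall connection-tracking table size (default 65536).
# These keys exist only while the nf_conntrack module is loaded; otherwise
# sysctl -p reports them as unknown.
net.netfilter.nf_conntrack_max = 655350
net.netfilter.nf_conntrack_tcp_timeout_established = 1200

# Make sure nobody can alter the routing table: ignore ICMP redirects,
# including the ones from listed gateways.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0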
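# Annotated version of the same /etc/sysctl.conf.
# sysctl.conf has no inline comments: every comment is on its own line
# starting with '#', and every setting is on its own line.

# Disable IPv6.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Ignore broadcast ICMP echo requests; do not log bogus ICMP error responses.
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Disable routing (packet forwarding). To enable it, change 0 to 1.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Enable reverse-path filtering.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Do not accept source-routed packets.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Disable the SysRq function.
kernel.sysrq = 0

# Append the PID to core dump file names.
kernel.core_uses_pid = 1

# Enable SYN cookies: when the SYN wait queue overflows, cookies are used to
# handle the requests, which protects against small SYN floods. Default is 1
# (enabled).
net.ipv4.tcp_syncookies = 1

# Length of the SYN queue (maximum number of connection requests not yet
# acknowledged by the client). Default is 1024; a longer queue holds more
# connections waiting to complete.
# NOTE(review): the original note mentions raising it to 8192, but the value
# configured is 262144; the original listed this key twice with that value.
net.ipv4.tcp_max_syn_backlog = 262144

# Message queue sizes.
kernel.msgmnb = 65536
kernel.msgmax = 65536

# Maximum shared memory segment size, in bytes.
kernel.shmmax = 68719476736
# Total shared memory system-wide; the kernel counts this in pages.
kernel.shmall = 4294967296

# Number of TIME_WAIT sockets (default 180000).
net.ipv4.tcp_max_tw_buckets = 6000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1

# TCP read buffer: min default max. Alternative tuning values to consider:
# 32768 436600 873200
net.ipv4.tcp_rmem = 4096 87380 4194304
# TCP write buffer: min default max. Alternative tuning values to consider:
# 8192 436600 873200
net.ipv4.tcp_wmem = 4096 16384 4194304

# Default write (send) buffer size.
net.core.wmem_default = 8388608
# Default read (receive) buffer size.
net.core.rmem_default = 8388608
# Maximum read (receive) buffer size.
net.core.rmem_max = 16777216
# Maximum write (send) buffer size.
net.core.wmem_max = 16777216

# Maximum number of packets queued when an interface receives packets faster
# than the kernel can process them.
net.core.netdev_max_backlog = 262144

# This limit exists only to prevent simple DoS attacks.
# NOTE(review): orphaned sockets hold unswappable kernel memory; check that a
# cap this high fits the machine's RAM.
net.ipv4.tcp_max_orphans = 3276800

# NOTE(review): tcp_tw_recycle and tcp_tw_reuse below rely on TCP timestamps,
# so disabling timestamps here makes both ineffective (and disables PAWS).
net.ipv4.tcp_timestamps = 0

# Number of SYN+ACK packets sent before the kernel gives up on a connection.
net.ipv4.tcp_synack_retries = 1
# Number of SYN packets sent before the kernel gives up on a connection.
# NOTE(review): a single retry is aggressive on lossy networks.
net.ipv4.tcp_syn_retries = 1

# Enable fast recycling of TIME_WAIT sockets.
# NOTE(review): known to drop connections from clients behind a shared NAT
# address; the key was removed in Linux 4.12. Prefer 0 on NAT-facing hosts.
net.ipv4.tcp_tw_recycle = 1
# Enable reuse: allow TIME_WAIT sockets to be reused for new TCP connections.
net.ipv4.tcp_tw_reuse = 1

# TCP memory thresholds (low pressure high); the kernel counts these in pages.
# NOTE(review): these values exceed typical RAM and effectively remove the
# limit; confirm this is intended.
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_fin_timeout = 1

# When keepalive is enabled, how often TCP sends keepalive messages, in
# seconds. Default is 2 hours.
net.ipv4.tcp_keepalive_time = 30

# Port range the system is allowed to open.
net.ipv4.ip_local_port_range = 1024 65000

# Firewall (conntrack) table size, default 65536. Left commented out here;
# the keys exist only while the nf_conntrack module is loaded.
#net.netfilter.nf_conntrack_max=655350
#net.netfilter.nf_conntrack_tcp_timeout_established=1200

# Ignore ICMP redirects, including those from listed gateways, so the routing
# table cannot be altered remotely.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0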