The sysctl interface provides a powerful way to modify the behavior of a running Linux kernel. By editing the /etc/sysctl.conf file, you can persistently configure various networking and system settings to optimize your server for specific workloads. This post focuses on using sysctl.conf to improve the performance and security of web servers (like Apache or Nginx) and FTP servers. Applying these settings can significantly enhance resource utilization, prevent common attacks, and ensure a more stable and responsive server environment.

Here’s a breakdown of key sysctl parameters and how they can be used:

UNDERSTANDING sysctl

sysctl allows dynamic adjustment of kernel parameters without requiring a system reboot. Changes made directly using the sysctl command are temporary and will be lost on the next reboot. To make changes permanent, you need to modify the /etc/sysctl.conf file. After editing this file, run sysctl -p to apply the new settings.

The parameters in sysctl.conf are organized into categories, generally prefixed with net., fs., vm., or kernel.. Each parameter controls a specific aspect of the kernel’s behavior.

ENHANCING SYSTEM SECURITY

sysctl.conf offers several security-related parameters that can harden your server against various attacks:

  • IPv4/IPv6 Network Traffic Limits: Restrict the kinds of traffic the kernel will accept or act on, closing off protocol features that are rarely needed on a server but are commonly abused.
  • Execshield Protection: Protects against buffer overflow attacks by marking memory regions as non-executable.
  • SYN Flood Attack Prevention: Limits the number of unacknowledged SYN packets the kernel will hold, blunting SYN flood attacks, a common Denial-of-Service (DoS) technique.
  • Source IP Address Verification: Verifies the source address of incoming packets so that packets with spoofed addresses are dropped rather than processed.
  • Suspicious Packet Logging: Logs suspicious packets, such as spoofed, source-routed and redirect packets, so that potential attacks can be investigated.
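As an added example (not from the original post), the shell script below writes a drop-in file covering the five items above and then checks the running kernel against it. The parameter names are the standard kernel sysctls; the numeric values, the drop-in path `/etc/sysctl.d/60-hardening.conf` and the helper names are assumptions. Note that `kernel.exec-shield` existed only on older Red Hat kernels; on current kernels the NX bit is enforced by default and `kernel.randomize_va_space = 2` (full address-space randomization) is the remaining knob, so that is what the script sets.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Writes the hardening settings
# from the list above into a sysctl drop-in and verifies them against the
# running kernel. Key names are real kernel sysctls; the values are
# assumptions that suit a typical public web/FTP host.

write_hardening_conf() {
    # $1: destination, e.g. /etc/sysctl.d/60-hardening.conf (assumed path)
    cat > "$1" <<'EOF'
# --- IPv4/IPv6 traffic limits: refuse source-routed packets and ICMP redirects ---
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# --- Memory-layout protection (replaces the old kernel.exec-shield knob) ---
kernel.randomize_va_space = 2

# --- SYN flood mitigation ---
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2

# --- Source address verification (reverse-path filtering) ---
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# --- Log martians: spoofed, source-routed and redirect packets go to the kernel log ---
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
EOF
}

conf_keys() {
    # Print the parameter names in a sysctl-style file, skipping comments and blanks.
    sed -n 's|^[[:space:]]*\([A-Za-z0-9_./-]\{1,\}\)[[:space:]]*=.*|\1|p' "$1"
}

verify_applied() {
    # $1: the drop-in file. Run after `sysctl -p "$1"` (as root): every key in the
    # file is compared with the live value from `sysctl -n`. Returns 1 on any
    # mismatch or on a key the running kernel does not have (e.g. an option that
    # was removed upstream).
    rc=0
    while IFS= read -r line; do
        case "$line" in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        case "$key" in ''|'#'*|';'*) continue ;; esac
        want=$(printf '%s' "${line#*=}" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//')
        if ! have=$(sysctl -n "$key" 2>/dev/null); then
            echo "MISSING  $key (not present in this kernel)"; rc=1; continue
        fi
        # sysctl prints multi-value keys tab-separated; normalise before comparing
        have=$(printf '%s' "$have" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//')
        if [ "$have" != "$want" ]; then
            echo "DIFFERS  $key: file=$want live=$have"; rc=1
        fi
    done < "$1"
    return "$rc"
}

# Usage (as root):
#   f=/etc/sysctl.d/60-hardening.conf
#   write_hardening_conf "$f" && sysctl -p "$f" && verify_applied "$f"
```

Dropping the file under `/etc/sysctl.d/` rather than appending to `/etc/sysctl.conf` keeps the hardening settings separate from performance tuning, and `verify_applied` catches the case where a key is silently ignored because the distribution kernel does not have it.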

IMPROVING SYSTEM MEMORY MANAGEMENT

Effective memory management is crucial for server performance. Here are some key parameters:

  1. fs.file-max: Increasing the number of file handles.

```
# Increase size of file handles and inode cache
fs.file-max = 2097152
```

*Explanation:* This parameter defines the maximum number of file handles that the kernel can allocate. Increasing this value is especially important for servers that handle a large number of files, such as web servers or file servers. A higher value reduces the likelihood of running out of file handles, preventing errors and improving stability.

  2. vm.dirty_ratio, vm.swappiness, and vm.dirty_background_ratio: Configuring virtual memory behavior.

```
# Do less swapping
vm.dirty_ratio = 60
vm.swappiness = 10
vm.dirty_background_ratio = 2
```

*Explanation:*

*   `vm.dirty_ratio`: Specifies the percentage of total system memory that may be filled with "dirty" pages (pages that have been modified but not yet written to disk). A higher value allows more data to be buffered in memory, potentially improving write performance.
*   `vm.swappiness`: Controls how aggressively the kernel uses swap space. A lower value (e.g., 10) tells the kernel to prefer keeping data in RAM and to swap only when absolutely necessary. This is generally desirable for servers, as swapping can significantly slow down performance.
*   `vm.dirty_background_ratio`: Specifies the percentage of total system memory at which the `pdflush` background writeback daemon starts writing dirty data to disk. Lowering it (e.g., to 2) results in more frequent, smaller flushes, which suits web servers such as Nginx.
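The two settings above are easiest to judge against what the kernel is actually doing. As an added example (not from the original post), the shell functions below read the kernel's own counters: `/proc/sys/fs/file-nr` holds three numbers (handles allocated, allocated-but-unused, and the current `fs.file-max`), and `/proc/meminfo` reports `Dirty:` and `MemTotal:` in kB. Both functions accept a file path so a captured copy can be checked offline; the function names, the 80% warning threshold and the headroom heuristic in `suggest_file_max` are assumptions, and the dirty-page figure is an approximation because the kernel measures the ratio against dirtyable rather than total memory.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: checks the running system
# against fs.file-max and the vm.dirty_* thresholds from the text above.

file_handle_usage() {
    # $1: path to file-nr (default: the live /proc file; a copy can be passed for testing)
    # $2: warning threshold in percent (default 80; an assumed value)
    # Prints "used max percent" and returns 1 when usage is at or above the threshold.
    src=${1:-/proc/sys/fs/file-nr}
    limit=${2:-80}
    read -r used unused max < "$src" || return 2
    [ "$max" -gt 0 ] || return 2
    pct=$(( used * 100 / max ))
    printf '%s %s %s\n' "$used" "$max" "$pct"
    [ "$pct" -lt "$limit" ]
}

suggest_file_max() {
    # $1: handles currently in use. Suggests an fs.file-max with 4x headroom,
    # rounded up to a multiple of 65536 (a constructed heuristic, not a kernel rule).
    used=$1
    want=$(( used * 4 ))
    echo $(( (want + 65535) / 65536 * 65536 ))
}

dirty_page_status() {
    # $1: path to meminfo (default /proc/meminfo)
    # $2: vm.dirty_background_ratio in effect (default 2, as in the text)
    # $3: vm.dirty_ratio in effect (default 60, as in the text)
    # Prints "<dirty percent> <regime>", where regime is idle (below the background
    # ratio), background-flush (flusher threads are writing) or blocking-writers
    # (writers are stalled until dirty pages drain).
    src=${1:-/proc/meminfo}
    bg=${2:-2}
    hard=${3:-60}
    total=$(awk '$1 == "MemTotal:" { print $2 }' "$src")
    dirty=$(awk '$1 == "Dirty:" { print $2 }' "$src")
    [ -n "$total" ] && [ -n "$dirty" ] && [ "$total" -gt 0 ] || return 2
    pct=$(( dirty * 100 / total ))
    if [ "$pct" -ge "$hard" ]; then
        regime=blocking-writers
    elif [ "$pct" -ge "$bg" ]; then
        regime=background-flush
    else
        regime=idle
    fi
    printf '%s %s\n' "$pct" "$regime"
}

# Usage on a live host:
#   file_handle_usage || echo "raise fs.file-max to $(suggest_file_max "$(cut -f1 /proc/sys/fs/file-nr)")"
#   dirty_page_status /proc/meminfo "$(sysctl -n vm.dirty_background_ratio)" "$(sysctl -n vm.dirty_ratio)"
```

If `dirty_page_status` keeps reporting `blocking-writers` on a server that mostly serves static files, the write-back thresholds are too high for the disk's throughput rather than the buffer being too small; that is the situation the low `vm.dirty_background_ratio` above is meant to avoid.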

GENERAL NETWORK SECURITY OPTIONS

These settings improve network security and performance by tuning TCP/IP stack behavior.

  1. net.ipv4.tcp_synack_retries: Limiting SYN-ACK retransmissions.
  2. net.ipv4.ip_local_port_range: Defining the local port range.
  3. net.ipv4.tcp_rfc1337: Enabling RFC1337 compliance.
  4. net.ipv4.tcp_fin_timeout: Adjusting the FIN-WAIT-2 timeout.
  5. net.ipv4.tcp_keepalive_time, net.ipv4.tcp_keepalive_probes, net.ipv4.tcp_keepalive_intvl: Configuring TCP keepalive settings.
```
# Number of times a SYN-ACK is retransmitted for a passive (incoming) TCP connection
net.ipv4.tcp_synack_retries = 2

# Allowed local port range
net.ipv4.ip_local_port_range = 2000 65535

# Protect against TCP TIME-WAIT assassination (RFC 1337)
net.ipv4.tcp_rfc1337 = 1

# Decrease the default FIN-WAIT-2 timeout
net.ipv4.tcp_fin_timeout = 15

# Detect dead connections sooner: idle time before probing, probe count, probe interval
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
```

*Explanation:*

*   `net.ipv4.tcp_synack_retries`: Determines how many times the kernel retransmits a SYN-ACK in response to a SYN (the first step of the TCP handshake). Reducing this value helps mitigate SYN flood attacks, because half-open connections that never complete are dropped sooner.

*   `net.ipv4.ip_local_port_range`: Specifies the range of port numbers the kernel can use for outgoing connections. Widening this range allows the server to hold more concurrent outgoing connections. The suggested range is a common and safe choice.

*   `net.ipv4.tcp_rfc1337`: Makes the TCP stack behave as RFC 1337 recommends for segments that arrive after a connection has been closed down. Setting it to 1 helps prevent `TIME_WAIT` assassination.

*   `net.ipv4.tcp_fin_timeout`: Defines how long the kernel keeps a socket in the `FIN-WAIT-2` state after the local end has closed the connection. Reducing this timeout frees up resources more quickly.

*   `net.ipv4.tcp_keepalive_time`: Specifies how long a connection may sit idle before the kernel starts sending keepalive probes.
*   `net.ipv4.tcp_keepalive_probes`: Sets how many keepalive probes are sent before the kernel declares the connection dead.
*   `net.ipv4.tcp_keepalive_intvl`: Determines the interval between keepalive probes. Together these three parameters detect and close dead connections, freeing up resources. The given values are more aggressive than the defaults and suit busy servers.

TUNING NETWORK PERFORMANCE

These parameters are crucial for optimizing network throughput and handling a high volume of connections.

```
### TUNING NETWORK PERFORMANCE ###

# Default Socket Receive Buffer - NOTE: This will be overridden by tcp_rmem
net.core.rmem_default = 31457280

# Maximum Socket Receive Buffer - NOTE: This value will NOT be overridden by tcp_rmem
net.core.rmem_max = 12582912

# Default Socket Send Buffer - NOTE: This will be overridden by tcp_wmem
net.core.wmem_default = 31457280

# Maximum Socket Send Buffer - NOTE: This value will NOT be overridden by tcp_wmem
net.core.wmem_max = 12582912

# Increase number of incoming connections
net.core.somaxconn = 65536

# Increase number of incoming connections backlog
net.core.netdev_max_backlog = 65536

# Increase the maximum amount of option memory buffers
net.core.optmem_max = 25165824

# Increase the maximum total buffer-space allocatable
# This is measured in units of pages (4096 bytes)
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144

# Increase the read-buffer space allocatable
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384

# Increase the write-buffer-space allocatable
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384

# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
```

*Explanation:*

  • net.core.rmem_default and net.core.rmem_max: These parameters control the default and maximum sizes of the receive buffer for all socket types. Larger buffers can improve performance by allowing the kernel to receive more data at once.

  • net.core.wmem_default and net.core.wmem_max: These parameters control the default and maximum sizes of the send buffer for all socket types. Similar to receive buffers, larger send buffers can improve performance.

  • net.core.somaxconn: Determines the maximum number of pending connections that a socket can hold. Increasing this value is crucial for high-traffic web servers, preventing connection refusals.

  • net.core.netdev_max_backlog: Specifies the maximum number of packets that can be queued on a network interface. Increasing this value can help prevent packet loss under heavy load.

  • net.core.optmem_max: Sets the maximum amount of memory used for socket options.

  • net.ipv4.tcp_mem and net.ipv4.udp_mem: Control the amount of memory allocated for TCP and UDP buffers, respectively. The three values represent: min, pressure, and max.

  • net.ipv4.tcp_rmem and net.ipv4.tcp_wmem: Define the TCP receive and send buffer sizes. The three values represent: min, default, and max.

  • net.ipv4.udp_rmem_min and net.ipv4.udp_wmem_min: Define the minimum UDP receive and send buffer sizes.

  • net.ipv4.tcp_max_tw_buckets: Controls the maximum number of TCP sockets in the TIME_WAIT state. Increasing this value can help prevent errors caused by running out of available sockets, especially under heavy load.

  • net.ipv4.tcp_tw_recycle: Enables rapid recycling of TCP sockets in TIME_WAIT state. Note: This option is generally not recommended for public-facing servers as it can cause problems with NAT (Network Address Translation).

  • net.ipv4.tcp_tw_reuse: Allows the kernel to reuse TCP sockets in TIME_WAIT state for new connections. This is generally considered safer than tcp_tw_recycle.
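A block of settings this size is worth linting before `sysctl -p` is run on a production host. The shell function below is an added example, not part of the original post: it parses a sysctl-style file and reports keys that no longer exist (`net.ipv4.tcp_tw_recycle` was removed in Linux 4.12, so `sysctl -p` fails on that line on current kernels), a default buffer larger than its maximum, SYN cookies explicitly disabled, and three-value limits that are out of order. Run over the network block exactly as printed above, it reports three findings: `tcp_tw_recycle`, and `net.core.rmem_default` / `net.core.wmem_default` (31457280) exceeding `net.core.rmem_max` / `net.core.wmem_max` (12582912). The function name and the finding labels are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: a linter for sysctl-style files
# that catches the mistakes most likely to bite when the block above is applied.

lint_sysctl_conf() {
    # $1: sysctl-style file. Prints one finding per line; returns 1 if there are any.
    findings=$(awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        /^[ \t]*$/ { next }          # blank line
        /^[ \t]*[#;]/ { next }       # comment (sysctl accepts both # and ;)
        index($0, "=") > 0 {
            k = trim(substr($0, 1, index($0, "=") - 1))
            v = trim(substr($0, index($0, "=") + 1))
            val[k] = v
            if (k == "net.ipv4.tcp_tw_recycle")
                print "REMOVED  " k ": gone since Linux 4.12 and broke clients behind NAT before that"
            if (k == "net.ipv4.tcp_syncookies" && v + 0 == 0)
                print "WEAK     " k " = 0 turns off SYN flood protection"
        }
        END {
            # A default socket buffer above the hard maximum is never what the author meant
            if (("net.core.rmem_default" in val) && ("net.core.rmem_max" in val) &&
                val["net.core.rmem_default"] + 0 > val["net.core.rmem_max"] + 0)
                print "ORDER    net.core.rmem_default exceeds net.core.rmem_max"
            if (("net.core.wmem_default" in val) && ("net.core.wmem_max" in val) &&
                val["net.core.wmem_default"] + 0 > val["net.core.wmem_max"] + 0)
                print "ORDER    net.core.wmem_default exceeds net.core.wmem_max"
            # min / pressure-or-default / max triples must be non-decreasing
            n = split("net.ipv4.tcp_mem net.ipv4.udp_mem net.ipv4.tcp_rmem net.ipv4.tcp_wmem", triples, " ")
            for (i = 1; i <= n; i++) {
                k = triples[i]
                if (!(k in val)) continue
                m = split(val[k], a, " ")
                if (m != 3)
                    print "FORMAT   " k " needs three values"
                else if (a[1] + 0 > a[2] + 0 || a[2] + 0 > a[3] + 0)
                    print "ORDER    " k " values must be non-decreasing (" val[k] ")"
            }
        }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage: lint_sysctl_conf /etc/sysctl.conf || echo "fix the findings above before sysctl -p"
```

Because `sysctl -p` stops reporting but keeps going after a missing key, the `REMOVED` finding is the one most often missed on upgraded hosts: the rest of the file is applied, the failure is a single line in the boot log, and nobody notices that the setting they relied on never existed on that kernel.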

IMPORTANT CONSIDERATIONS

  • Testing: Always test changes to sysctl.conf in a non-production environment before applying them to a live server. Incorrect settings can negatively impact performance or stability.
  • Hardware: The optimal sysctl settings depend on the server’s hardware configuration (CPU, RAM, network interface) and the specific workload.
  • Monitoring: Monitor server performance after making changes to sysctl.conf to ensure that the changes are having the desired effect. Tools like top, vmstat, and netstat can be helpful.
  • Documentation: Refer to the Linux kernel documentation for detailed information on each sysctl parameter.

By carefully tuning the sysctl.conf file, you can significantly improve the performance, security, and stability of your web and FTP servers. Remember to test thoroughly and monitor your server’s performance to ensure optimal results.