Linux kernel system configuration
Date: 2020-03-21 11:45:57 Source: igfitidea
Linux security and performance tuning with sysctl.
sysctl.conf
Below is the content of the /etc/sysctl.conf file we use on our CentOS servers.
# Kernel sysctl configuration file for Linux
#
# By: www.theitroad.local
#
# Tested on a Red Hat server with physical memory of 2GB
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
#
# References
# https://www.suse.com/documentation/sles-12/book_hardening/data/sec_sec_prot_general_kernel.html
# https://wiki.archlinux.org/index.php/Sysctl
# https://rtcamp.com/tutorials/linux/sysctl-conf/
# http://seriousbirder.com/blogs/centos-6-setting-shmmax-and-shmall-kernel-paramaters/
# http://kaivanov.blogspot.co.uk/2010/09/linux-tcp-tuning.html

# Any process which has changed privilege levels
# or is execute only will not be dumped (default)
fs.suid_dumpable = 0

# File handle limit
fs.file-max = 6577347

### Memory Tuning ########################################

# Use swap file when memory usage is around 40 percent
vm.swappiness = 60

# Controls the maximum number of shared memory segments, in pages (not bytes)
# It is almost always 4K which is the recommended size
# To be safe, run the following command:
# getconf PAGE_SIZE => 4096
# Allocating 1GB below (1*1024*1024*1024/4096=262144)
kernel.shmall = 262144

# Control the maximum size of a single shared memory segment, in bytes
# Setting to half (1GB) of our physical memory
kernel.shmmax = 1073741824

### Kernel Hardening ########################################

# Reboot a system after 10 seconds of kernel panic
kernel.panic = 10

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Restricting access to kernel logs
kernel.dmesg_restrict = 1

# If you're compiling your own kernel, then
# this can help mitigating local root exploits
kernel.kptr_restrict = 1

# Controls the default maximum size of a message queue
kernel.msgmnb = 65536

# Controls the maximum size of a message, in bytes
kernel.msgmax = 65536

# Enable ExecShield protection
# (this key only exists on older Red Hat kernels; newer kernels report it as unknown)
kernel.exec-shield = 1

# Enable by default, except if the application bits are set to "disable"
kernel.randomize_va_space = 2

# Default
kernel.pid_max = 32768

# Increase the length of the processor input queue
net.core.netdev_max_backlog = 5000

# The maximum number of "backlogged sockets". Default
net.core.somaxconn = 128

# Disable netfilter on bridges.
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0

### TCP/IP Stack Hardening ########################################

# Controls IP packet forwarding.
# Set this value to 1 to turn the server into a router
net.ipv4.ip_forward = 0

# Disable fast recycling of TIME_WAIT sockets.
# Enabling fast recycling of TIME_WAIT sockets is usually
# a bad idea as it will cause you a lot of problems when working with NAT
# (the key was removed from the kernel in Linux 4.12)
net.ipv4.tcp_tw_recycle = 0

# Do not allow reuse of sockets in TIME_WAIT state for new connections
net.ipv4.tcp_tw_reuse = 0

# Help prevent against SYN flood attacks
net.ipv4.tcp_syncookies = 1

# If set to 0, protect against wrapping sequence numbers.
# Turning off timestamps may do more harm than good, see below.
# TCP timestamps are used to improve performance as well as protect
# against late packets messing up your data flow. If you disable TCP timestamps
# you should expect worse performance and less reliable connections.
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_sack = 1

# Enable window scaling
net.ipv4.tcp_window_scaling = 1

# Maximum receive and send window size 16MB
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

# Increase the read-buffer and write-buffer space allocatable
# Autotuning TCP buffer limit 16MB
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

# Do not accept source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Disable redirects, not a router
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Enable source validation by reversed path
# Protects from attackers that are using ip spoofing methods to do harm
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Log packets with impossible addresses to kernel log
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Ignore all ECHO broadcast requests
# Prevent being part of smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP errors
# (only icmp_ignore_bogus_error_responses exists in the kernel; the
# second key is reported as unknown by sysctl)
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1

# Allowed local port range
net.ipv4.ip_local_port_range = 9000 65535

# The minimum time sockets will stay in TIME_WAIT state
# (strictly, how long an orphaned socket is kept in FIN-WAIT-2)
net.ipv4.tcp_fin_timeout = 60

### IPv6 ########################################

# Disable IPv6 except for localhost
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Enable source validation by reversed path
# Protects from attackers that are using ip spoofing methods to do harm
# (rp_filter is an IPv4-only key; the kernel has no IPv6 equivalent here)
net.ipv6.conf.all.rp_filter = 1
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0

# Disable redirects, not a router
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
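Loading a file like this with sysctl -p only warns once about keys the kernel rejects, and the running values can later be changed by other tools. As an added example that is not part of the original page or the theitroad configuration, the POSIX shell script below compares the values a sysctl.conf-style file requests with a dump of the running kernel taken from sysctl -a, reporting drifted keys and keys this kernel does not know; the function names and the sample inputs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): compare the values a
# sysctl.conf-style file asks for against a dump of the running kernel
# ("sysctl -a" output), reporting drift and keys this kernel does not have.
#   sysctl -a 2>/dev/null > /tmp/running.txt
#   sysctl_drift /etc/sysctl.conf /tmp/running.txt

# Print "key=value" per setting: comments and blank lines dropped, "/" in
# keys turned into ".", whitespace inside values collapsed (sysctl -a
# prints multi-value keys such as tcp_rmem with tabs).
normalize_sysctl() {
    awk '
        { sub(/[#;].*/, "") }
        index($0, "=") == 0 { next }
        {
            i = index($0, "=")
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/[ \t]+/, "", key); gsub(/\//, ".", key)
            gsub(/[ \t]+/, " ", val); sub(/^ /, "", val); sub(/ $/, "", val)
            if (key != "") print key "=" val
        }' "$1" | sort
}

# For every key in the expected file, print DRIFT when the running value
# differs and UNKNOWN when the key is absent from the running dump.
sysctl_drift() {
    running_norm=$(mktemp)
    normalize_sysctl "$2" > "$running_norm"
    normalize_sysctl "$1" | awk -v running="$running_norm" '
        BEGIN {
            while ((getline line < running) > 0) {
                i = index(line, "="); cur[substr(line, 1, i - 1)] = substr(line, i + 1)
            }
        }
        {
            i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1)
            if (!(k in cur))      printf "UNKNOWN %s (not present on this kernel)\n", k
            else if (cur[k] != v) printf "DRIFT %s expected=%s running=%s\n", k, v, cur[k]
        }'
    rm -f "$running_norm"
}

# Constructed sample inputs (not captured from a real host) so the check runs
# offline: ip_forward has drifted, tcp_rmem differs only in spacing, and one
# key is not known to the kernel.
demo_drift() {
    e=$(mktemp); r=$(mktemp)
    printf '# constructed sysctl.conf fragment\nnet.ipv4.ip_forward = 0\nnet.ipv4.tcp_syncookies = 1\nnet.ipv4.tcp_rmem = 4096 87380 16777216\nnet.ipv4.icmp_ignore_bogus_error_messages = 1\n' > "$e"
    printf 'net.ipv4.ip_forward = 1\nnet.ipv4.tcp_syncookies = 1\nnet.ipv4.tcp_rmem = 4096\t87380\t16777216\n' > "$r"
    sysctl_drift "$e" "$r"
    rm -f "$e" "$r"
}
```

Running demo_drift prints one DRIFT line for ip_forward and one UNKNOWN line for the misspelled ICMP key; on a real host, run it against /etc/sysctl.conf and a fresh sysctl -a dump from cron to catch silent changes.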
Available values and documentation
To display all currently available values, run:
# sysctl -a
To get more information about the possible settings, we need to install the package that contains the kernel documentation files:
# yum info kernel-doc
Once the package is installed, the documentation should be available here:
/usr/share/doc/kernel-doc-kernel_version/Documentation/
For example, to find out what ip_forward means, we need to look at the following network-related kernel documentation file:
/usr/share/doc/kernel-doc-3.10.0/Documentation/networking/ip-sysctl.txt
If we are not sure which file to look at, finding the information can be tricky, so the fastest way is probably to grep for the kernel parameter we are interested in.