CentOS kernel (sysctl) tuning, suited to servers that handle many TCP/IP connections, such as web servers.

This parameter sets the maximum number of TIME_WAIT sockets the system keeps. Once it is exceeded, TIME_WAIT sockets are cleared immediately and a warning is logged. The default is 180000; too many TIME_WAIT sockets slow down a web server.
net.ipv4.tcp_max_tw_buckets = 1000

The default value is 1, which enables Selective ACK (SACK). SACK lets the peer report exactly which segments are missing, so only the lost data is retransmitted and the connection recovers quickly.
net.ipv4.tcp_sack=1

This parameter controls whether TCP window scaling is used, i.e. whether the sliding window of a TCP/IP session may vary in size. It is a boolean: 1 means the window size is variable, 0 means it is fixed.
net.ipv4.tcp_window_scaling=1

This parameter defines the minimum, default, and maximum size of the TCP receive buffer (used for the TCP receive sliding window).
net.ipv4.tcp_rmem = 4096 8388608 16777216

This parameter defines the minimum, default, and maximum size of the TCP send buffer (used for the TCP send sliding window).
net.ipv4.tcp_wmem = 4096 8388608 16777216

Length of the SYN queue, i.e. the maximum number of half-open connections waiting for the handshake to complete. The default is 1024; raising it to 65536 lets the queue hold many more pending connections.
net.ipv4.tcp_max_syn_backlog=65536

When the network card receives packets faster than the kernel can process them, the excess is held in a queue. This parameter is the maximum length of that queue. The default is 1000.
net.core.netdev_max_backlog = 32768

The upper limit for the backlog argument of listen(), i.e. the maximum number of pending connection requests on a listening socket. The default is 128. On busy servers, increasing this value helps network performance; it can be raised to 8192.
net.core.somaxconn = 65535

This parameter indicates the default size of the kernel socket send buffer.
net.core.wmem_default = 8388608

This parameter indicates the default size of the kernel socket receive buffer.
net.core.rmem_default = 8388608

This parameter indicates the maximum size of the kernel socket read (receive) buffer.
net.core.rmem_max = 16777216

This parameter indicates the maximum size of the kernel socket write (send) buffer.
net.core.wmem_max = 16777216

How many times the local end retries before it drops an orphaned TCP connection (one no longer attached to any process). The default value is 7, which corresponds to between 50 seconds and 16 minutes depending on the RTO. On a heavily loaded web server you may want to lower this value, since such sockets can consume a lot of resources.
net.ipv4.tcp_orphan_retries = 3

This parameter controls whether TCP timestamps are enabled, which allow the RTT to be calculated more precisely than from retransmission timeouts alone (see RFC 1323); enable it for better performance. The default is 1.
net.ipv4.tcp_timestamps = 1

Reduce the time spent in the FIN-WAIT-2 state so the system can handle more connections.
If a socket is closed by the local end, this parameter determines how long it remains in FIN-WAIT-2.
The peer may misbehave and never close the connection, or may even crash. The default value is 60 seconds.
The usual value on 2.2 kernels was 180 seconds. You can lower this setting, but keep in mind that even on a lightly loaded web server a large number of dead sockets risks exhausting memory. FIN-WAIT-2 is less dangerous than FIN-WAIT-1 because such a socket consumes at most about 1.5K of memory, but these sockets live longer.
net.ipv4.tcp_fin_timeout=20

Reduce the number of SYN+ACK retries (the default is 5). When a peer opens a connection, the kernel answers its SYN with a SYN+ACK; this is the second step of the three-way handshake. This setting determines how many SYN+ACK packets the kernel sends before giving up on the connection.
net.ipv4.tcp_synack_retries=2

The number of SYN packets the kernel sends for an outgoing connection before it gives up on establishing it.
net.ipv4.tcp_syn_retries = 2

Enables SYN cookies. When the SYN queue overflows, cookies are used to handle new requests, which offers some protection against SYN flood attacks. The default value is 0 (disabled).
net.ipv4.tcp_syncookies=1

Enables fast recycling of TIME-WAIT sockets in TCP connections. The default value is 0 (disabled).
net.ipv4.tcp_tw_recycle=1

Enables reuse: TIME-WAIT sockets may be reused for new TCP connections. The default is 0 (disabled).
net.ipv4.tcp_tw_reuse=1

The maximum number of TCP sockets not attached to any process that the system will handle. If this number is exceeded, such orphaned connections are reset immediately and a warning is logged. This limit exists purely to defend against simple DoS attacks; do not rely on it, and do not artificially lower it. Default: 8192.
net.ipv4.tcp_max_orphans = 65535

This parameter defines the range of local ports used for UDP and TCP connections, that is, the ports the system may use for outgoing connections. The default range is small: 32768 to 61000.
net.ipv4.ip_local_port_range = 1024 65000
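Before lowering tcp_max_tw_buckets, tcp_fin_timeout or raising tcp_max_syn_backlog it helps to know how many sockets actually sit in TIME-WAIT, FIN-WAIT-2 or SYN-RECV on the host. The shell functions below are an added example, not part of the original post: they summarise a capture of `ss -tan` output. The capture embedded in write_sample_ss is a constructed sample; in use, feed a real one (for instance `ss -tan > /tmp/ss.txt` and then `tcp_state_summary /tmp/ss.txt`). The LIMIT argument of tw_pressure is whatever you set net.ipv4.tcp_max_tw_buckets to (1000 on this page).

```shell
#!/bin/sh
# Summarise TCP socket states from `ss -tan` output so the TIME-WAIT / FIN-WAIT-2 /
# SYN-RECV tunables above can be chosen from observed numbers instead of guesses.

# tcp_state_summary FILE: print "STATE COUNT" for every state in the capture, most common first.
# The first line of `ss` output is a column header and is skipped.
tcp_state_summary() {
    awk 'NR > 1 && NF > 0 { n[$1]++ } END { for (s in n) printf "%s %d\n", s, n[s] }' "$1" |
        sort -k2,2nr -k1,1
}

# tcp_state_count FILE STATE: number of sockets in one state (0 if none).
tcp_state_count() {
    awk -v st="$2" 'NR > 1 && $1 == st { c++ } END { print c + 0 }' "$1"
}

# tw_pressure FILE LIMIT: percentage of the tcp_max_tw_buckets limit that is already in use.
# Near 100 the kernel starts clearing TIME-WAIT sockets early (and logs a warning).
tw_pressure() {
    tw=$(tcp_state_count "$1" TIME-WAIT)
    echo $(( tw * 100 / $2 ))
}

# write_sample_ss: write a constructed `ss -tan` capture to a temp file and print its path.
# These lines are made up for the example; they are not real traffic.
write_sample_ss() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
ESTAB      0      0      10.0.0.5:443          203.0.113.7:51234
ESTAB      0      0      10.0.0.5:443          203.0.113.9:40011
TIME-WAIT  0      0      10.0.0.5:443          203.0.113.8:51235
TIME-WAIT  0      0      10.0.0.5:443          203.0.113.8:51236
TIME-WAIT  0      0      10.0.0.5:443          203.0.113.10:62001
FIN-WAIT-2 0      0      10.0.0.5:443          203.0.113.11:33020
SYN-RECV   0      0      10.0.0.5:443          198.51.100.4:44501
LISTEN     0      128    0.0.0.0:443           0.0.0.0:*
EOF
    echo "$f"
}

# Usage demo on the constructed sample; replace the file with a real capture.
sample=$(write_sample_ss)
tcp_state_summary "$sample"
echo "FIN-WAIT-2 sockets: $(tcp_state_count "$sample" FIN-WAIT-2)"
echo "SYN-RECV sockets (compare with tcp_max_syn_backlog): $(tcp_state_count "$sample" SYN-RECV)"
echo "TIME-WAIT pressure against tcp_max_tw_buckets=1000: $(tw_pressure "$sample" 1000)%"
rm -f "$sample"
```

A steadily high SYN-RECV count with few ESTAB sockets is the pattern SYN cookies (net.ipv4.tcp_syncookies, further down the page) exist to absorb, while a large FIN-WAIT-2 count that never drains points at peers that do not close, which is what tcp_fin_timeout bounds.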

Security settings

Disable ICMP redirects. If the host's network has several routers and one of them is configured as the default gateway, then when that gateway receives an IP packet from the host and finds that it should go through another router, it sends the host an ICMP "redirect" telling it to forward such packets to the other router instead. A value of 1 means the host accepts these redirect packets, 0 means it ignores them; Linux defaults to 1, and setting it to 0 removes this hidden risk.
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1

IPv6 settings
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
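Setting these keys once is not the same as keeping them: a later package, a network manager or an interface brought up after boot can change the per-interface values. The audit below is an added example, not part of the original post. It compares the hardened redirect, rp_filter and IPv6 RA values from this section against a `sysctl -a`-style dump ("key = value" lines) and reports every key that is missing or drifted. The dump written by write_sample_dump is constructed for the example; on a real host run `sysctl -a 2>/dev/null > /tmp/sysctl.dump` and pass that file. rp_filter=1 is strict reverse-path filtering, which can drop legitimate traffic on asymmetrically routed hosts, so the audit only reports the running value and leaves the decision to the operator.

```shell
#!/bin/sh
# Audit running sysctl values against the hardened network settings from the page.

# Hardened key=value pairs taken from the section above (IPv4 redirects, rp_filter, IPv6 RA).
HARDENED_KEYS='
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
'

# running_value DUMP KEY: value of KEY in a "key = value" dump, empty if the key is absent.
# The field separator regex swallows the spaces around "=", so $1 is the bare key.
running_value() {
    awk -F' *= *' -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# audit_dump DUMP: print one line per hardened key that is missing from the dump
# (MISSING, e.g. IPv6 disabled or key not present on this kernel) or differs (DRIFT).
audit_dump() {
    printf '%s\n' "$HARDENED_KEYS" | grep '=' | while IFS='=' read -r key want; do
        have=$(running_value "$1" "$key")
        if [ -z "$have" ]; then
            printf 'MISSING %s (want %s)\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf 'DRIFT   %s = %s (want %s)\n' "$key" "$have" "$want"
        fi
    done
}

# write_sample_dump: constructed `sysctl -a`-style dump with two drifted keys and one
# missing key, written to a temp file whose path is printed. Not output from a real host.
write_sample_dump() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.forwarding = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
EOF
    echo "$f"
}

# Usage demo on the constructed dump; point audit_dump at a real `sysctl -a` capture instead.
dump=$(write_sample_dump)
audit_dump "$dump"
rm -f "$dump"
```

Run from cron or a configuration-management check, a non-empty report is the signal that the boot-time sysctl.conf and the running kernel have diverged.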

A complete sysctl.conf is also attached:
net.ipv4.tcp_max_tw_buckets = 1000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rmem = 4096 8388608 16777216
net.ipv4.tcp_wmem = 4096 8388608 16777216
net.ipv4.tcp_max_syn_backlog = 65536
net.core.netdev_max_backlog = 32768
net.core.somaxconn = 65535
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_orphan_retries = 3
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_fin_timeout = 20
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 65535
net.ipv4.ip_local_port_range = 1024 65000

net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1

net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
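A sysctl.conf like the one above is applied line by line, so a malformed key is skipped with an error while the rest still loads, and a duplicated key is silently overridden by the later copy. Before running `sysctl -p`, the linter below catches the defects a file like this can carry: whitespace inside a key, upper-case letters in a key (sysctl keys are case-sensitive), empty values, duplicate keys, and net.ipv4.tcp_tw_recycle, which was removed from the kernel in Linux 4.12 and, on older kernels, breaks connections from clients behind NAT when combined with tcp_timestamps. This is an added example, not part of the original post; the file written by write_sample_conf is constructed from a few of the page's lines plus deliberately broken ones. check_live_keys additionally reports keys the running kernel does not expose under /proc/sys.

```shell
#!/bin/sh
# Lint a sysctl.conf-style file before applying it with `sysctl -p`.

# lint_sysctl_conf FILE: print one line per problem found; prints nothing for a clean file.
lint_sysctl_conf() {
    file="$1"
    seen=" "    # space-delimited list of lower-cased keys already seen
    while IFS= read -r line || [ -n "$line" ]; do
        # skip blank lines and comments (sysctl.conf accepts both # and ;)
        case "$line" in ''|'#'*|';'*) continue ;; esac
        case "$line" in
            *=*) ;;
            *) printf 'no "=" in line: %s\n' "$line"; continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        # trim surrounding whitespace from both halves
        key=$(printf '%s' "$key" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        value=$(printf '%s' "$value" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$key" in
            *[[:space:]]*) printf 'whitespace inside key: "%s"\n' "$key" ;;
        esac
        case "$key" in
            *[[:upper:]]*) printf 'upper-case letters in key (keys are case-sensitive): %s\n' "$key" ;;
        esac
        [ -n "$value" ] || printf 'empty value for key: %s\n' "$key"
        lower=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
        case "$seen" in
            *" $lower "*) printf 'duplicate key (the last one wins): %s\n' "$key" ;;
        esac
        seen="$seen$lower "
        if [ "$lower" = "net.ipv4.tcp_tw_recycle" ]; then
            printf 'removed key (gone since Linux 4.12; broke NAT clients before that): %s\n' "$key"
        fi
    done < "$file"
}

# check_live_keys FILE: report keys in FILE that the running kernel does not expose.
# Skipped (with a note on stderr) where /proc/sys is not available.
check_live_keys() {
    [ -d /proc/sys ] || { echo "no /proc/sys here; skipping live check" >&2; return 0; }
    sed -e 's/[#;].*//' "$1" | grep '=' | cut -d= -f1 | sed 's/[[:space:]]//g' |
    while IFS= read -r key; do
        path="/proc/sys/$(printf '%s' "$key" | tr . /)"
        [ -e "$path" ] || printf 'not present on this kernel: %s\n' "$key"
    done
}

# write_sample_conf: constructed sample file with five defects, path printed on stdout.
write_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample: valid lines from the page mixed with broken ones
net.ipv4.tcp_syncookies = 1
net.core.somaxconn = 65535
net.ipv4.tcp_tw_recycle = 1
net.ipv4.conf. default.send_redirects=0
NET.IPV4.TCP_SYNCOOKIES = 1
net.ipv4.tcp_max_tw_buckets =
EOF
    echo "$f"
}

# Usage demo on the constructed sample; replace with the path of your real sysctl.conf.
conf=$(write_sample_conf)
lint_sysctl_conf "$conf"
check_live_keys "$conf"
rm -f "$conf"
```

A clean run prints nothing; a sensible gate in a deployment script is `[ -z "$(lint_sysctl_conf /etc/sysctl.conf)" ]` before `sysctl -p`.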

Origin http://43.154.161.224:23101/article/api/json?id=324584936&siteId=291194637