
sysctl-tuner.sh

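#!/bin/bash
###############################################
# Script for sysctl tuner
#
# Appends hardening / tuning keys to /etc/sysctl.conf (only keys that are
# not already set), rewrites /etc/host.conf, loads the settings with
# `sysctl -p`, and switches off a fixed list of services.  Must run as root.
#
# Environment:
#   SYSCTL_CONF  file the keys are written to (default /etc/sysctl.conf);
#                mainly useful for exercising the script on a scratch copy.
#
# The shebang has to be the first line of the file; in the original it sat
# below the comment header, where it is just another comment, so which
# interpreter ran the script depended on how it was invoked.
###############################################

# Unset variables and failures inside pipelines are errors.
set -uo pipefail

: "${SYSCTL_CONF:=/etc/sysctl.conf}"

#######################################
# Append "key=value" to $SYSCTL_CONF unless the key is already configured.
#
# A key counts as configured only when an uncommented line sets it
# ("key = value", surrounding blanks ignored).  A commented-out
# "#key = value" line, or a longer key that merely starts with the same
# text, does not count, so a real setting cannot be skipped by mistake.
# An existing line with a different value is left alone: this function
# adds missing keys, it never changes values.
#
# Arguments:
#   $1 - sysctl key, e.g. net.ipv4.ip_forward
#   $2 - value; may contain blanks, e.g. "4096 87380 174760"
# Outputs:
#   One "Added sysctl preference ..." line on stdout when a line was
#   appended; nothing otherwise.
# Returns:
#   0 on success, non-zero if the file could not be written.
#######################################
sysctlw() {
  local key=$1
  local value=$2

  # Exact match on the key part of each "key = value" line.  `awk -v`
  # passes the key as data, so the dots in sysctl names are never treated
  # as regex metacharacters (the original `grep -c $1` matched them as
  # "any character" and also counted commented-out lines).
  if [[ -r "$SYSCTL_CONF" ]] && awk -v k="$key" -F= '
        { name = $1; sub(/^[ \t]+/, "", name); sub(/[ \t]+$/, "", name) }
        name == k { found = 1; exit }
        END { exit !found }' "$SYSCTL_CONF"; then
    return 0
  fi

  printf '%s=%s\n' "$key" "$value" >> "$SYSCTL_CONF" || return
  printf "Added sysctl preference '%s'='%s'\n" "$key" "$value"
}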

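printf '%s\n' "Tuning network stack.."

# Every key below is appended to the sysctl config only if it is not
# already set there; existing values are never changed.
#
# conf/all/* changes every existing interface, conf/default/* sets what
# newly created interfaces start with; for several of these flags the
# kernel combines the "all" value with the per-interface one, so both are
# set here.  Nothing in this script touches net.ipv6.*, so the IPv6 stack
# keeps its defaults (forwarding, redirects, source routing) -- review
# separately if IPv6 is enabled on the host.

# -- this host is not a router --------------------------------------------
sysctlw "net.ipv4.ip_forward"                       "0"
# strict reverse-path filtering: drops packets whose source is not
# reachable via the interface they arrived on (breaks asymmetric routing)
sysctlw "net.ipv4.conf.default.rp_filter"           "1"
# no magic SysRq from the console; core dumps not suffixed with the pid
sysctlw "kernel.sysrq"                              "0"
sysctlw "kernel.core_uses_pid"                      "0"
# seconds to keep IP fragments in memory before giving up on reassembly
sysctlw "net.ipv4.ipfrag_time"                      "30"

# -- socket buffer sizing -------------------------------------------------
sysctlw "net.core.rmem_default"                     "262141"
sysctlw "net.core.rmem_max"                         "262141"
sysctlw "net.ipv4.tcp_rmem"                         "4096 87380 174760"
sysctlw "net.core.wmem_default"                     "262141"
sysctlw "net.core.wmem_max"                         "262141"
sysctlw "net.ipv4.tcp_wmem"                         "4096 16384 131072"
sysctlw "net.ipv4.tcp_mem"                          "195584 196096 196608"
sysctlw "net.core.optmem_max"                       "20480"
sysctlw "net.ipv4.tcp_max_tw_buckets"               "360000"
# NOTE(review): net.core.hot_list_length no longer exists on current
# kernels; `sysctl -p` will report it as an unknown key there.
sysctlw "net.core.hot_list_length"                  "256"
# A second netdev_max_backlog=1024 used to follow at the end of this
# section; it was never applied (the key already existed) and has been
# dropped so the file states one value.
sysctlw "net.core.netdev_max_backlog"               "262144"
# NOTE(review): kernels before 5.4 silently clamp somaxconn to 65535.
sysctlw "net.core.somaxconn"                        "262144"
sysctlw "net.ipv4.tcp_reordering"                   "3"

# -- ICMP / SYN-flood hardening -------------------------------------------
# do not answer broadcast pings (smurf amplification) and ignore malformed
# ICMP errors rather than logging them
sysctlw "net.ipv4.icmp_echo_ignore_broadcasts"      "1"
sysctlw "net.ipv4.icmp_ignore_bogus_error_responses" "1"
# fewer SYN/SYN-ACK retransmissions so half-open connections expire faster;
# SYN cookies keep the listen queue usable under a SYN flood
sysctlw "net.ipv4.tcp_synack_retries"               "2"
sysctlw "net.ipv4.tcp_syn_retries"                  "3"
sysctlw "net.ipv4.tcp_syncookies"                   "1"
# NOTE(review): disabling timestamps (presumably to hide uptime) also turns
# off PAWS protection against wrapped sequence numbers and makes the
# tcp_tw_recycle setting below a no-op, since recycling relies on them.
sysctlw "net.ipv4.tcp_timestamps"                   "0"
sysctlw "net.ipv4.tcp_sack"                         "1"
sysctlw "net.ipv4.tcp_window_scaling"               "1"
sysctlw "net.ipv4.tcp_keepalive_time"               "1200"
sysctlw "net.ipv4.tcp_fin_timeout"                  "15"
# NOTE(review): tcp_tw_recycle is known to drop connections from clients
# behind NAT / load balancers and was removed from Linux in 4.12; consider
# leaving it out rather than relying on it being ignored.
sysctlw "net.ipv4.tcp_tw_recycle"                   "1"

# -- martian logging, redirects, source routing --------------------------
# NOTE(review): default=1 and all=0 disagree; if the intent is to log
# packets with impossible source addresses on existing interfaces as well,
# both should be 1.  Values kept as in the original.
sysctlw "net.ipv4.conf.default.log_martians"        "1"
sysctlw "net.ipv4.conf.all.log_martians"            "0"
# ignore ICMP redirects (route injection) and source-routed packets
sysctlw "net.ipv4.conf.default.accept_redirects"    "0"
sysctlw "net.ipv4.conf.all.accept_redirects"        "0"
sysctlw "net.ipv4.conf.default.accept_source_route" "0"
sysctlw "net.ipv4.conf.all.accept_source_route"     "0"
sysctlw "net.ipv4.conf.all.rp_filter"               "1"
# (default.rp_filter and default.accept_source_route were listed a second
# time here in the original; exact duplicates removed)
sysctlw "net.ipv4.conf.default.send_redirects"      "0"
# NOTE(review): mc_forwarding is read-only on newer kernels and will be
# rejected by `sysctl -p` there.
sysctlw "net.ipv4.conf.default.mc_forwarding"       "0"
sysctlw "net.ipv4.conf.default.forwarding"          "0"
sysctlw "net.ipv4.conf.all.bootp_relay"             "0"
sysctlw "net.ipv4.conf.all.proxy_arp"               "0"

# -- ARP / neighbour table ------------------------------------------------
sysctlw "net.ipv4.neigh.default.gc_thresh3"         "2048"
sysctlw "net.ipv4.neigh.default.gc_thresh2"         "1024"
sysctlw "net.ipv4.neigh.default.gc_thresh1"         "32"
sysctlw "net.ipv4.neigh.default.gc_interval"        "30"

sysctlw "net.ipv4.neigh.default.proxy_qlen"         "96"
sysctlw "net.ipv4.neigh.default.unres_qlen"         "6"

# -- TCP options ----------------------------------------------------------
sysctlw "net.ipv4.tcp_dsack"                        "0"
sysctlw "net.ipv4.tcp_fack"                         "0"
sysctlw "net.ipv4.tcp_ecn"                          "0"
sysctlw "net.ipv4.tcp_max_syn_backlog"              "2048"
sysctlw "net.ipv4.tcp_retries2"                     "15"
sysctlw "net.ipv4.tcp_retries1"                     "3"
# RFC 1337: drop RSTs aimed at sockets in TIME_WAIT ("TIME_WAIT assassination")
sysctlw "net.ipv4.tcp_rfc1337"                      "1"
# conntrack table size under both the legacy ip_conntrack name and the
# nf_conntrack name; whichever the running kernel lacks will be reported
# by `sysctl -p`
sysctlw "net.ipv4.netfilter.ip_conntrack_max"       "1048576"
sysctlw "net.nf_conntrack_max"                      "1048576"
sysctlw "sunrpc.tcp_slot_table_entries"             "32"
sysctlw "sunrpc.udp_slot_table_entries"             "32"
sysctlw "net.unix.max_dgram_qlen"                   "50"
sysctlw "net.core.dev_weight"                       "64"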

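printf '%s\n' "Optimizing filesystem..."

# system-wide ceiling on open file handles
sysctlw "fs.file-max"                "209708"
# 0: Ctrl-Alt-Del is delivered to init as a signal (orderly shutdown)
# instead of triggering an immediate reboot
sysctlw "kernel.ctrl-alt-del"        "0"

printf '%s\n' "Optimizing kernel..."

# console log level: only warnings (4) and above reach the console
sysctlw "kernel.printk"              "4 4 1 7"
# NOTE(review): kernel.maps_protect was dropped from mainline long ago
# (around 2.6.27); on such kernels `sysctl -p` reports it as unknown.
sysctlw "kernel.maps_protect"        "1"
# lowest address user space may mmap; keeps the first 64 KiB unmappable so
# a kernel NULL-pointer dereference cannot be turned into code execution
# from user space
sysctlw "vm.mmap_min_addr"           "65536"
sysctlw "vm.page-cluster"            "6"
# largest single SysV shared-memory segment, 64 MiB -- databases and
# similar software may need this raised
sysctlw "kernel.shmmax"              "67108864"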

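printf '%s\n' "Setting up host.conf..."

# Never overwrite the resolver config without a backup.  The backup name
# is fixed, so a second run replaces the copy of the original with the
# file this script wrote on the first run.
if [[ -e /etc/host.conf ]]; then
  cp -p /etc/host.conf /etc/host.conf.bak || {
    printf 'could not back up /etc/host.conf, leaving it untouched\n' >&2
    exit 1
  }
fi

# NOTE(review): "order bind,hosts" consults DNS before /etc/hosts, the
# reverse of the usual order, and on glibc most of host.conf (order,
# nospoof) is ignored in favour of /etc/nsswitch.conf -- confirm this does
# what is expected on the target system.
cat <<'HOSTCONF' >/etc/host.conf
order bind,hosts
multi on
nospoof on
HOSTCONF

# Load the new settings now.  The original ran `sysctl -p` in the
# background with all output discarded, so keys rejected by the running
# kernel (several of the ones above do not exist on newer kernels) never
# produced a visible error, and the route flush below could run before the
# settings were loaded.  Keep stderr, drop only the key=value echo.
if ! /sbin/sysctl -p >/dev/null; then
  printf 'sysctl -p reported errors; check the rejected keys above\n' >&2
fi
/sbin/sysctl -w net.ipv4.route.flush=1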

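printf '%s\n' "Disabling unneeded services..."

# Services stopped now and switched off for runlevel 3.  As pasted, the
# original spread the word list over three lines without continuation
# backslashes (a syntax error in bash) and spelled the option with an
# en dash ("–level"), which chkconfig does not recognise; with the output
# discarded, the boot-time disable then failed silently.
services=(
  acpid anacron
  auditd          # NOTE(review): the kernel audit daemon -- disabling it removes the audit trail a hardening baseline relies on
  autofs avahi-daemon bluetooth cpuspeed
  cups gpm
  ip6tables       # NOTE(review): leaves IPv6 traffic unfiltered wherever IPv6 is enabled
  irqbalance mcstrans netfs nfslock pcscd
  portmap rpcgssd rpcidmapd
  setroubleshoot  # SELinux denial analyser only; SELinux itself is unaffected
  xfs             # presumably the X font server, not the filesystem
)

for svc in "${services[@]}"; do
  # Best effort: a service that is not installed makes both commands
  # fail, which is expected, so their output is discarded on purpose.
  service "$svc" stop &>/dev/null
  # Only runlevel 3 is changed, as in the original; a host that boots into
  # runlevel 5 keeps these services unless the level list is widened.
  chkconfig --level 3 "$svc" off &>/dev/null
done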
###############################################

