Building Professional Web Hosting Solution
<< Securing and Protecting Linux System Course
>> Linux Hardening Rules and IPtables Firewall Section
Applying System and Network Tuneup Rules is my favorite part. Tweaking and optimizing System and Network Kernel Rules to keep up with busy websites or VPS is very crucial. I will show you how to adjust most known areas that might create bottle necks if left as default values which is not suitable for a busy website or Web Hosting Solution. Besides, the rules will be applied using as script at the startup along the Kernel Hardening rules script.
Objectives:
1. Understanding Linux Kernel and IPtables Tuneup
2. Loading Required Kernel and IPtables Modules
3. Applying System and Network Tuneup Rules
4. Increasing Open File Descriptors Sessions Limit
5. Setting Single Shared and System Wide Page Memory
6. Testing and Verifying New Memory Settings
Prerequisites:
A. Basic Debian or Red Hat System Knowledge
B. Login to your DigitalOcean or Vultr Account
C. Preparing Linux Script Startup Environment
D. Applying Linux Kernel Hardening Rules
Recommendations:
For better performance, use VPS with at least 2 CPUs, 4G Memory, 1G Bandwidth, and SSD Storage drive.
Table of Contents
Understanding Linux Kernel and IPtables Tuneup
Don’t you like to get the best of your VPS horse power? Who doesn’t. Linux OS Kernel and IPtables Firewall core settings are set for a normal day-to-day simple Linux use. Meaning, If you want to run your simple Linux VPS as horse power Server, you will have to tell your system to transform from simple Linux to a Powerful Web Server Role ready for high traffic.
In order to turn Linux into Horse Power Server Machine, default settings of the Kernel or IPtables must be tuned to accept thousands of concurrent users trying to request Web pages from your Web Server. As of this writing, the default limits are too low for Web Server Role, especially for Web Applications such WordPress, Joomla, or Drupal CMS Platforms. You will be surprised, how few lines of Kernel Rules can turn Linux into Super machine!
In order to know what are you going to Tuneup, you have to understand that any Computer System got 4 main Bottle necks:
- CPU
- RAM
- Drive
- Network
The Kernel with the help of other Modules, handle all the Input/Output and Applications Requests that want access to either of those bottle necks. Meaning, in order to get the best of your VPS, you need decent CPU, RAM, Drive, and Network. The minimum requirements I recommend for VPS hardware are:
- 2 CPUs
- 4G RAM
- SSD Drive
- 1G Network
Lower than that, my Tuneup script will be useless.
Once your VPS is ready with with the minimum hardware requirements, I will show you how to tune and optimize the following Kernel and Network Rules:
- System Optimization Rules
- Network Optimization Rules
- DNS/ARP Optimization Rules
- IPtables Optimization Rules
As you probably guessed, each of the upper section carries set of Rules to tune up either the System, Network, DNS, and IPtables functions. 1) System Optimization Rules will take care of the CPU, RAM, and Disk requirements, 2) Network Optimization Rules will take care of IPv4 and IPv6 TCP/IP Stack, 3) DNS/ARP Optimization Rules are special Rules only for DNS and ARP services, and finally, 4) would be for IPtables Stateful Firewall which will be next to implement.
Loading Required Kernel and IPtables Modules
Since IPtables is part of the tuning process, I need to make sure IPtables Modules are loaded successfully before applying the Tuneup Script.
Run the following steps (1 to 7)
1. Create IPtables Workspace Folder
Note: If you already created the iptables directory, you can skip this step.
mkdir -p /etc/network/iptables
2. Create IPtables Modules Check Script
nano /etc/network/iptables/iptables-modules-check.sh
Click the following IPtables Modules Check Script, select all, copy, and paste its content inside the newly created script iptables-modules-check.sh window.
Save: Ctrl-X, Hit Y Key, and Enter
3. Make it Executable
chmod +x /etc/network/iptables/iptables-modules-check.sh
4. Allow Only Root Access to Scripts
chmod 700 -R /etc/network/iptables
5. Run the Script
/etc/network/iptables/iptables-modules-check.sh
If you are using KVM VPS, then all modules should load successfully, however, if you are using OpenVZ VPS, then you might find that some modules are not available as part of the Linux Kernel. In this case, some statefull firewall inspection might not work.
Loading Required IPtables Modules. Please wait... ---------------------------------------------------------------------------- ip_tables, 0 ip_conntrack, 0 ip_conntrack_ftp, 0 ip_conntrack_irc, 0 ipt_helper, 0 ipt_TCPMSS, 0 ipt_tcpmss, 0 ipt_LOG, 0 ipt_TOS, 0 ipt_tos, 0 ipt_length, 0 iptable_mangle, 0 ipt_ttl, 0 ipt_REJECT, 0 ipt_ttl, 0 ipt_owner, 0 ip_tables, 0 ipt_mark, 0 ipt_recent, 0 xt_connlimit, 0 ipt_hashlimit, 0 xt_hashlimit, 0 ---------------------------------------------------------------------------- Loading TCP Congestion Controllers tcp_htcp, 0 tcp_cubic, 0 ---------------------------------------------------------------------------- Done! If any of the Modules not found, please let your VPS provider know.
6. Add iptables-modules-check.sh to Startup
Note: I’ve noticed that some of those modules don’t function by just restoring IPtables saved rules, hence, I highly recommend loading IPtables Modules Check on the custom-scripts.sh startup file before IPtables Script.
nano /etc/init.d/custom-scripts.sh
It should look like this:
#!/bin/bash ### BEGIN INIT INFO # Provides: custom-scripts # Required-Start: $local_fs $network # Required-Stop: $local_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: custom-scripts # Description: Applying Customized Startup Scripts ### END INIT INFO echo echo "Applying Customized Startup Scripts..." echo ################################################# # Write down your script's path below # Kernel Hardening Rules /etc/network/iptables/kernel-hardening-rules.sh # Loading IPtables Firewall Modules /etc/network/iptables/iptables-modules-check.sh
Save: Ctrl-X, Hit Y Key, and Enter
Test and Verify
7. Run the Custom Scripts Startup
/etc/init.d/custom-scripts.sh
The custom-scripts.sh should kick start all scripts inside it.
8. Verify the following Modules are Loaded
Note: You will probably find different output since the following listing below taken from Debian Based, however, the difference won’t be that much as long as the command is listing something.
List Netfilter Modules
lsmod | grep -i nf_
You should see the following:
nf_conntrack_irc 12427 0 nf_conntrack_ftp 12605 0 nf_conntrack_ipv4 14078 0 nf_defrag_ipv4 12483 1 nf_conntrack_ipv4 nf_conntrack 52720 5 nf_conntrack_ipv4,nf_conntrack_ftp,nf_conntrack_irc,xt_helper,xt_connlimit
List Stateful Modules
lsmod | grep -i xt_
You should see the following:
xt_hashlimit 13172 0 xt_connlimit 12622 0 xt_recent 13188 0 xt_mark 12453 0 xt_owner 12423 0 xt_hl 12449 0 xt_length 12460 0 xt_dscp 12523 0 xt_DSCP 12643 0 xt_tcpmss 12425 0 xt_TCPMSS 12670 0 xt_helper 12507 0 nf_conntrack 52720 5 nf_conntrack_ipv4,nf_conntrack_ftp,nf_conntrack_irc,xt_helper,xt_connlimit x_tables 19118 16 ip_tables,xt_helper,xt_TCPMSS,xt_tcpmss,ipt_LOG,xt_DSCP,xt_dscp,xt_length,iptable_mangle,xt_hl,ipt_REJECT,xt_owner,xt_mark,xt_recent,xt_connlimit,xt_hashlimit
Check if IPtables Modules are Loaded
lsmod | grep -i ipt
You should see the following:
ipt_REJECT 12502 0 iptable_mangle 12536 0 ipt_LOG 12605 0 ip_tables 22042 1 iptable_mangle x_tables 19118 16 ip_tables,xt_helper,xt_TCPMSS,xt_tcpmss,ipt_LOG,xt_DSCP,xt_dscp,xt_length,iptable_mangle,xt_hl,ipt_REJECT,xt_owner,xt_mark,xt_recent,xt_connlimit,xt_hashlimit
Finally, list the Match Modules
cat /proc/net/ip_tables_matches
You should see the following:
connlimit connlimit mark owner helper hashlimit recent ttl length tos dscp tcpmss icmp
Applying System and Network Tuneup Rules
You will be amazed how the OS Kernel, TCP/IP Stack, and IPtables Modules work together to serve users requests.
Run the following steps (1 to 7)
1. Create IPtables Optimize and Tuneup File
nano /etc/network/iptables/system-and-network-tuneup.sh
Open the following File, copy and paste its content inside kernel-and-iptables-tuneups.sh file.
System and Network Tuneup Script
Note: if you are using Ubuntu16.04 or Fedora, please enable the following lines inside the script. Hit Ctrl-w keys and search for xt_recent module; remove the # sign to enable the rules.
# Enable only if you are using Ubuntu 16.04 Linux.
$MODPROBE -r xt_recent
$MODPROBE xt_recent ip_pkt_list_tot=255
$MODPROBE xt_recent ip_list_tot=5000
Save: Ctrl-X, Hit Y Key, and Enter
2. Make it Executable
chmod +x /etc/network/iptables/system-and-network-tuneup.sh
3. Allow Only Root Access to Scripts
chmod 700 -R /etc/network/iptables
4. Run the Script
Using DigitalOcean or Vultr VPS, all rules should be applied successfully, however, if you are using OpenVZ VPS, then you might find that some rules are not compatible using OpenVZ Kernel. You probably need to contact your OpenVZ VPS provider.
/etc/network/iptables/system-and-network-tuneup.sh
You should see something similar to the following output:
dsadjhs kernel.sysrq = 0 kernel.core_uses_pid = 1 kernel.pid_max = 4194303 fs.file-max = 100000 vm.swappiness = 10 ERROR: could not insert 'tcp_htcp': Invalid argument net.ipv4.tcp_congestion_control = cubic sysctl: setting key "net.ipv4.tcp_congestion_control": No such file or directory net.ipv4.tcp_window_scaling = 1 net.ipv4.tcp_sack = 1 net.ipv4.tcp_dsack = 1 net.ipv4.tcp_timestamps = 1 net.ipv4.udp_rmem_min = 16384 net.ipv4.udp_wmem_min = 16384 net.core.rmem_default = 16777216 net.core.wmem_default = 16777216 net.core.rmem_max = 16777216 net.core.wmem_max = 16777216 net.core.netdev_max_backlog = 50000 net.core.dev_weight = 64 net.ipv4.tcp_max_syn_backlog = 30000 net.ipv4.tcp_max_tw_buckets = 2000000 net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_tw_recycle = 0 net.ipv4.tcp_fin_timeout = 10 net.core.somaxconn = 32768 net.core.optmem_max = 65535 net.ipv4.tcp_keepalive_time = 60 net.ipv4.tcp_keepalive_intvl = 15 net.ipv4.tcp_keepalive_probes = 5 net.ipv4.tcp_orphan_retries = 0 net.ipv4.tcp_max_orphans = 16384 net.ipv4.ipfrag_high_thresh = 512000 net.ipv4.ipfrag_low_thresh = 446464 net.ipv4.tcp_no_metrics_save = 1 net.ipv4.tcp_moderate_rcvbuf = 1 net.unix.max_dgram_qlen = 50 net.ipv4.neigh.default.proxy_qlen = 96 net.ipv4.neigh.default.unres_qlen = 6 net.ipv4.tcp_ecn = 1 net.ipv4.tcp_reordering = 3 net.ipv4.tcp_retries2 = 15 net.ipv4.tcp_retries1 = 3 net.ipv4.tcp_slow_start_after_idle = 0 sysctl: cannot stat /proc/sys/net/ipv4/tcp_fastopen: No such file or directory sysctl: cannot stat /proc/sys/net/core/default_qdisc: No such file or directory net.ipv4.route.flush = 1 net.ipv6.route.flush = 1 net.ipv4.neigh.default.gc_thresh1 = 512 net.ipv4.neigh.default.gc_thresh2 = 1024 net.ipv4.neigh.default.gc_thresh3 = 2048 net.ipv4.neigh.default.gc_interval = 120 net.ipv4.neigh.default.gc_stale_time = 240 sysctl: cannot stat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait: No such file or directory sysctl: cannot stat /proc/sys/net/ipv4/netfilter/ip_conntrack_max: No such file or directory net.netfilter.nf_conntrack_max = 190716 sysctl: cannot stat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established: No such file or directory net.netfilter.nf_conntrack_tcp_timeout_established = 600
What if you seen some Errors?
As if of this writing, I was able to spot and solve the following errors across different type Debian, Ubuntu, and CentOS kernels:
- Linux 3.7 kernel and above needed to have the following features enabled.
- “tcp_fastopen“
- “default_qdisc enties“
- You might see error regarding the the following features. These errors are safe to ignore since they are only for Debian Linux.
- “ip_conntrack_tcp_timeout_time_wait“
- “ip_conntrack_max“
- “ip_conntrack_tcp_timeout_established“.
- You might see the following error regarding tcp_htcp congestion feature if older kernel than 3.3 is being used, otherwise “cubic” congestion feature will be used instead.
- “ERROR: could not insert ‘tcp_htcp‘: Invalid argument sysctl: setting key “net.ipv4.tcp_congestion_control“: No such file or directory”.
- You might see the following 2 errors which are related to restriction applied using Ubuntu16.04, however, before you saved the upper script I asked you to enable few lines if you are using Ubuntu16.04 which will take care of ip_pkt_list_tot only, but you will still see these errors. Ignore them since echo command doesn’t work with Ubuntu16.04 Kernel Modules.
- “/etc/network/iptables/system-and-network-tuneup.sh: line 289: /sys/module/xt_recent/parameters/ip_pkt_list_tot: Permission denied“
- “/etc/network/iptables/system-and-network-tuneup.sh: line 295: /sys/module/xt_recent/parameters/ip_list_tot: Permission denied“
5. Add System and Network Tuneup File to Startup
nano /etc/init.d/custom-scripts.sh
Add the script to the end of the file as shown below:
#!/bin/bash ### BEGIN INIT INFO # Provides: custom-scripts # Required-Start: $local_fs $network # Required-Stop: $local_fs # Default-Start: 2 3 4 5 # Default-Stop: 0 1 6 # Short-Description: custom-scripts # Description: Applying Customized Startup Scripts ### END INIT INFO echo echo "Applying Customized Startup Scripts..." echo ################################################# # Write down your script's path below # Kernel Hardening Rules /etc/network/iptables/kernel-hardening-rules.sh # Loading IPtables Firewall Modules /etc/network/iptables/iptables-modules-check.sh # System and Network Tuneups /etc/network/iptables/system-and-network-tuneup.sh
Save: Ctrl-X, Hit Y Key, and Enter
6. Reboot your VPS
reboot
Note: After rebooting, and since the scripts are starting with the system, you should be able to verify the new values which should have been retained even after a reboot.
7. Verify IPtables and Netfilter New Settings
Let’s verify some key areas.
a. Verify Connection Track Max Value
Debian7 for instance comes with 31786 as default connection track max value, however, you can multiply this number by 5,6, or more. Some systems such Linux Router requires One Million (1000000) value of nf_conntrack_max. I set mine as 31786 * 6 = 190716 as startup.
cat /proc/sys/net/nf_conntrack_max
The NEW value should be: 190716
And…
cat /proc/sys/net/netfilter/nf_conntrack_max
Same thing: 190716
You can watch Connection Track Live!
watch /sbin/sysctl net.netfilter.nf_conntrack_count
Ctrl-c to Exit.
b. Verify Hash Size Values
Keep in mind that Hash size value and Connection Track Max are tight to each other. Hash size was adjusted by running the above script, hence, the moment you set New Connection Track Max value, you have to adjust the Hash Size as well.
The script above already did it for you, it changed the default hash size from 7969 to 24576 in order to suite the New conntrack value which is 190716, and all this based on the following formula:
Hash Size = nf_conntrack_max / 8 = 24576
c. Confirm Hash New value
cat /sys/module/nf_conntrack/parameters/hashsize
Should be: 24576
i. Another location…
cat /sys/module/nf_conntrack_ipv4/parameters/hashsize
Same thing: 24576
ii. Besides, confirm IP Connection Bucket Size as well.
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
Should be: 24576
Ubuntu or CentOS
cat /proc/sys/net/netfilter/nf_conntrack_buckets
Same thing: 24576
d. Verify Netfilter xt_recent Modules Values
One of xt_recent modules features is “hitcount limitation”, which used to statefully monitor the amount of connections that users can use per second, but using the default value won’t keep up with busy website. The Kernel and IPtables Tuneups and Optimization Script above already adjusted the Values for you. Let’s confirm the new values of ip_pkt_list_tot and ip_list_tot which are associated with hitcount functions.
The following command shows you more information about xt_recet Module that is overall responsible of hitcount functions and especially ip_pkt_list_tot parameters max value.
modinfo xt_recent
Or
modinfo xt_recent | grep -i "ip_pkt_list_tot:"
Below, you will find more information about the xt_recent Module. What I am interested to read is ip_pkt_list_tot packets max number (255) per IP address.
[...]
ip_pkt_list_tot:number of packets per IP address to remember (max. 255) (uint)
[...]
e. ip_pkt_list_tot New Value
Usually Linux VPS default value of ip_pkt_list_tot is 20 only, and that’s absolutely not enough when a website get busy. I set mine to 255 using the above script.
cat /sys/module/xt_recent/parameters/ip_pkt_list_tot
The NEW value should be: 255
f. ip_list_tot New Value
Usually Linux VPS default value of ip_list_tot is 100 only, and that is also not enough when a Web Hosting Solution get busy. I set mine to 5000 using the above script.
cat /sys/module/xt_recent/parameters/ip_list_tot
The NEW value should be: 5000
Note: Ubuntu16.04 will still show you 100, I still couldn’t figure out how to change permission of xt_recent module under Ubuntu16.04, if you figure it out, please let me know. However, I can remove the module and add it again for only one rule as I mentioned inside the script.
Increasing Open File Descriptors Sessions Limit
Besides fs.file-max kernel rule, I would increase the file descriptor sessions limit as well. fs.file-max sets the max limits, however, I still need to tell the system who is allowed to max the limits.
Run the following steps (1 to 4)
For either Debian or Red Hat Based Systems.
1. Edit Security Limits Config File
nano /etc/security/limits.conf
Add the following to end of the file as shown below:
# Allowing users to open 100000 files # * indicates that all users can max the sessions limits * soft nofile 100000 * hard nofile 100000 root soft nofile 100000 root hard nofile 100000 # End of file
Note: 100000 also was set using the upper script using fs.file-max=100000 Kernel rule.
2. Edit SSH Server Config File
I need to make sure SSH Server is using PAM:
nano /etc/ssh/sshd_config
Ctrl-w and search for UsePAM, make sure it’s enabled by removing hash sign and set at Yes value:
UsePAM yes
Save: Ctrl-X, Hit Y Key, and Enter
PAM should start using the New settings insides limits.conf file.
3. Edit PAM sshd File
nano /etc/pam.d/sshd
Hit Ctrl-w and search for pam_limits.so, make sure it’s enabled as well and save the file.
session required pam_limits.so
Save: Ctrl-X, Hit Y Key, and Enter
4. Verify
Exit and SSH again, type the following command to confirm changes:
cat /proc/sys/fs/file-max
And
ulimit -Sn ulimit -Hn
All, should show 100000 as limit:
100000
You don’t need to edit default Single and Shared and system wide page memory on newer Linux releases such Debian8, Ubuntu16.04, or CentOS7 which based on Systemd. You can skip the following steps and go to the next Lab if you are using Debian8, Ubuntu16.04, or CentOS7. But, I recommend you verify your VPS values in either case.
Note: Editing the System and Network Tuneup Script, you will find that I have dedicated some rules for Page Memory under “System Optimization Rules” section. The page memory rules are disabled by default using the hash sign since it’s not needed on newer Linux systems using systemd.
But, if you are using older releases prior to systemd base systems such Debian7, Ubuntu 12.04, Ubuntu14.04, and sometimes CentOS6, then you need to set these rules based on your VPS installed RAM. I recommend using a mathematical formula as shown below before enabling these rules.
The 2 Page Memory settings that I will be interested to edit are shmmax and shmall. The idea is to have these settings tuned good enough according to the RAM installed in your VPS, again, you don’t need all this with new Linux releases based on systemd, because they are set to high number regardless of RAM installed, in either case, it’s good to verify the Page Memory settings.
First, view current values of Single and Shared Memory Settings:
sysctl -a | grep -E "shmmax|shmall"
For examples, using Debian7 System at DigitalOcean, Vultr, or even VirtualBox, the defaults values for Single and Shared Memory are:
kernel.shmmax = 33554432 # 33MB kernel.shmall = 2097152 # 2MB
These settings are low, you need to adjust the Single and Shared Memory under Linux such Debian7, Ubuntu 12.04, and Ubuntu 14.04 if your VPS holds 4G RAM or more. Let’s check a systemd base system such Debian8 or CentOS7:
Note: I believe Ubuntu16.04 will hold by default larger numbers as well. Meaning, using Debian8, Ubuntu16.04, and CentOS7, you don’t need to modify shmall and shmmax anymore.
Debian8
kernel.shmall = 18446744073692774399 # 18PB kernel.shmmax = 18446744073692774399 # 18PB
CentOS6
kernel.shmmax = 68719476736 # 68GB kernel.shmall = 4294967296 # 4GB
CentOS7
kernel.shmall = 18446744073692774399 # 18PB kernel.shmmax = 18446744073692774399 # 18PB
As you can see, Debian8 and CentOS7 got crazy numbers set by default and no need any adjustment.
Follow the steps below to set new Single and Shared Memory values if you are using Linux system prior to Systemd base, start with shammax as follows:
Recommended settings for shammax:
Use half of Physical RAM Installed. So, if I have 4G VPS, then my shmmax would be 2147483648 = 2048MB.
Recommended settings for shmall:
shmall = (shmmax/pagesize)*(shmmni/16)
Let’s get the required values for the upper formula:
I know my shmmax which is: 2147483648
To get page size, I run the following command:
getconf PAGE_SIZE
Usually, the value should be: 4096
And shmmni is always = 4096
Let’s plug the numbers: shmall = (2147483648/4096 )*(4096 /16) = 134217728 = 134MB.
View Current Total Shared Memory
ipcs -lm
Original default values on Debian7 are:
------ Shared Memory Limits -------- max number of segments = 4096 >> Represent shimmni Value max seg size (kbytes) = 32768 >> Will be adjusted by shmmax Value max total shared memory (kbytes) = 8388608 >> Will be adjusted by shmall Value min seg size (bytes) = 1
So, if you use Debian7, Ubuntu12.04, Ubuntu14.04, or CentOS6, then enable the Memory rules under the System and Network Tuneup script based on the memory installed. For instance, if you have 4G VPS, enable the following rules:
# For 4G Memory VPS
$SYSCTL kernel.shmmax=2147483648 # 2048MB
# For 4G Memory VPS
$SYSCTL kernel.shmall=134217728 # 134MB
Save: Ctrl-X, Hit Y Key, and Enter
And reapply the script:
/etc/network/iptables/system-and-network-tuneup.sh
Remember, if you upgrade your VPS RAM, do the calculation again using the upper formula based on the new RAM, adjust the rules, and reapply the script.
Testing and Verifying New Memory Settings
Note: the following test was made on Debian7 4G VPS, so if you have less or greater than 4G, your test will look different. Again, this test is not needed on systemd base systems.
Run the following steps (1 to 3)
1. Verify Single Shared Memory Values
shmmax value: For Single Shared Memory
sysctl -a | grep -E "shmmax"
The NEW value should be: 2147483648 = 2048MB
Default value was: 33554432 # 33MB
2. Verify System Wide Page Memory Values
shmall value: For System Wide Page Memory.
sysctl -a | grep -E "shmall"
The NEW value should be: 134217728 # 134MB
Default value was: 2097152 # 2MB
3. Confirm Total Shared Memory New Values
Note: if you run ipcs command before applying the tuneup script, the showed TOTAL SHARED MEMORY, SINGLE SHARED MEMORY and SYSTEM PAGE WIDE MEMORY will look different. Keep in mind that it gets automatically adjusted once you Modify the Single Shared and System Wide Page Memory Values and reapply the script.
ipcs -lm
So, the NEW values at Debian7 for 4G VPS should be:
------ Shared Memory Limits -------- max number of segments = 4096 max seg size (kbytes) = 524288 max total shared memory (kbytes) = 134217728 min seg size (bytes) = 1
And the Original default values on Debian7 for 4G VPS were:
------ Shared Memory Limits -------- max number of segments = 4096 >> Represent shimmni Value max seg size (kbytes) = 32768 >> It was adjusted by shmmax Value max total shared memory (kbytes) = 8388608 >> It was adjusted by shmall Value min seg size (bytes) = 1
Subject Related
By Linux Performance and Tuning | Linux Web kernel Tuning | Red Hat Performance Guide | Linux TCP Tuning | Linux Network Tuning
Building Professional Web Hosting Solution
<< Securing and Protecting Linux System Course
>> Linux Hardening Rules and IPtables Firewall Section
LEAVE A COMMENT