
Applying System and Network Tuneup Rules

By Imad Daou Leave a Comment



section table
  1. Preparing Linux Script Startup Environment
  2. Applying Linux Kernel Hardening Rules
  3. Applying System and Network Tuneup Rules
  4. Implementing Stateful Firewall Using IPtables
  5. Redirecting IPtables Firewall Logging Location
  6. Testing IPtables using Nmap Scanning Tool
  7. Logging and Trapping Port Scanning Tools

Applying system and network tuneup rules is my favorite part. Tweaking the kernel's system and network settings so that they keep up with a busy website or VPS is crucial. I will show you how to adjust the areas most likely to become bottlenecks if left at their default values, which are not suited to a busy website or web hosting solution. As with the kernel hardening rules, the tuneup rules are applied by a script that runs at startup.

Objectives:

1. Understanding Linux Kernel and IPtables Tuneup

2. Loading Required Kernel and IPtables Modules

3. Applying System and Network Tuneup Rules

4. Increasing Open File Descriptors Sessions Limit

5. Setting Single Shared and System Wide Page Memory

6. Testing and Verifying New Memory Settings

Prerequisites:

A. Basic Debian or Red Hat System Knowledge

B. Login to your DigitalOcean or Vultr Account

C. Preparing Linux Script Startup Environment

D. Applying Linux Kernel Hardening Rules

Recommendations:

For better performance, use VPS with at least 2 CPUs, 4G Memory, 1G Bandwidth, and SSD Storage drive.

Table of Contents

  • Understanding Linux Kernel and IPtables Tuneup
  • Loading Required Kernel and IPtables Modules
  • Applying System and Network Tuneup Rules
  • Increasing Open File Descriptors Sessions Limit
  • Setting Single Shared and System Wide Page Memory
  • Testing and Verifying New Memory Settings

Understanding Linux Kernel and IPtables Tuneup

Who does not want the best out of their VPS horsepower? Linux kernel and IPtables defaults are set for ordinary day-to-day use. If you want to run a VPS as a high-traffic web server, you have to tell the system to grow out of that simple role.

The default limits are too low for a web server, especially for web applications such as WordPress, Joomla or Drupal, where thousands of concurrent users may be requesting pages at once. You will be surprised how few lines of kernel settings it takes to make the difference.

To know what you are going to tune, keep in mind that any computer system has four main bottlenecks:

  • CPU
  • RAM
  • Drive
  • Network

The kernel, with the help of loadable modules, handles all the I/O and application requests that compete for those four resources. To get the most out of your VPS you need a decent CPU, RAM, drive and network. The minimum hardware I recommend is:

  • 2 CPUs
  • 4G RAM
  • SSD Drive
  • 1G Network

With less than that, the tuneup script will not help much.

Once your VPS meets the minimum hardware requirements, I will show you how to tune the following groups of kernel and network rules:

  • System Optimization Rules
  • Network Optimization Rules
  • DNS/ARP Optimization Rules
  • IPtables Optimization Rules

Each of the groups above carries a set of rules for one function: 1) the system optimization rules cover CPU, RAM and disk, 2) the network optimization rules cover the IPv4 and IPv6 TCP/IP stack, 3) the DNS/ARP optimization rules are specific to DNS and ARP (neighbour table) behaviour, and 4) the IPtables rules prepare the stateful firewall that is implemented in the next section.

Loading Required Kernel and IPtables Modules

Since IPtables is part of the tuning process, make sure the IPtables modules load successfully before applying the tuneup script.

Run the following steps (1 to 7)

1. Create IPtables Workspace Folder

Note: If you already created the iptables directory, you can skip this step.

mkdir -p /etc/network/iptables

2. Create IPtables Modules Check Script

nano /etc/network/iptables/iptables-modules-check.sh

Click the following IPtables Modules Check Script link, select all, copy, and paste its content into the newly created iptables-modules-check.sh.

IPtables Modules Check Script

Save: Ctrl-X, Hit Y Key, and Enter

3. Make it Executable

chmod +x /etc/network/iptables/iptables-modules-check.sh

4. Allow Only Root Access to Scripts

chmod 700 -R /etc/network/iptables

5. Run the Script

/etc/network/iptables/iptables-modules-check.sh

If you are using a KVM VPS, all modules should load successfully. On an OpenVZ VPS, however, some modules may not be available in the shared kernel, and in that case some stateful inspection will not work. The names printed below are the legacy ip_conntrack*/ipt_* names the script asks modprobe for; on current kernels most of them are aliases for the xt_* and nf_conntrack* modules that lsmod shows in step 8, so do not be surprised when the two listings differ.

  Loading Required IPtables Modules. Please wait...

----------------------------------------------------------------------------
ip_tables, 0
ip_conntrack, 0
ip_conntrack_ftp, 0
ip_conntrack_irc, 0
ipt_helper, 0
ipt_TCPMSS, 0
ipt_tcpmss, 0
ipt_LOG, 0
ipt_TOS, 0
ipt_tos, 0
ipt_length, 0
iptable_mangle, 0
ipt_ttl, 0
ipt_REJECT, 0
ipt_ttl, 0
ipt_owner, 0
ip_tables, 0
ipt_mark, 0
ipt_recent, 0
xt_connlimit, 0
ipt_hashlimit, 0
xt_hashlimit, 0
----------------------------------------------------------------------------
   Loading TCP Congestion Controllers

tcp_htcp, 0
tcp_cubic, 0
----------------------------------------------------------------------------
Done! If any of the Modules not found, please let your VPS provider know.

6. Add iptables-modules-check.sh to Startup

Note: I have noticed that some of these modules are not loaded merely by restoring saved IPtables rules, so I highly recommend running the modules check from the custom-scripts.sh startup file before the IPtables script.

nano /etc/init.d/custom-scripts.sh

It should look like this:

#!/bin/bash
### BEGIN INIT INFO
# Provides:          custom-scripts
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: custom-scripts
# Description:       Applying Customized Startup Scripts
### END INIT INFO
echo
echo "Applying Customized Startup Scripts..."
echo
#################################################
# Write down your script's path below
# Kernel Hardening Rules
/etc/network/iptables/kernel-hardening-rules.sh
# Loading IPtables Firewall Modules 
/etc/network/iptables/iptables-modules-check.sh

Save: Ctrl-X, Hit Y Key, and Enter

Test and Verify

7. Run the Custom Scripts Startup

/etc/init.d/custom-scripts.sh

The custom-scripts.sh should kick start all scripts inside it.

8. Verify the following Modules are Loaded

Note: You will probably see slightly different output, since the listing below was taken from a Debian-based system; the difference will be small as long as the command lists something.

List Netfilter Modules

lsmod | grep -i nf_

You should see the following:

nf_conntrack_irc       12427  0
nf_conntrack_ftp       12605  0
nf_conntrack_ipv4      14078  0
nf_defrag_ipv4         12483  1 nf_conntrack_ipv4
nf_conntrack           52720  5 nf_conntrack_ipv4,nf_conntrack_ftp,nf_conntrack_irc,xt_helper,xt_connlimit

List Stateful Modules

lsmod | grep -i xt_

You should see the following:

xt_hashlimit           13172  0
xt_connlimit           12622  0
xt_recent              13188  0
xt_mark                12453  0
xt_owner               12423  0
xt_hl                  12449  0
xt_length              12460  0
xt_dscp                12523  0
xt_DSCP                12643  0
xt_tcpmss              12425  0
xt_TCPMSS              12670  0
xt_helper              12507  0
nf_conntrack           52720  5 nf_conntrack_ipv4,nf_conntrack_ftp,nf_conntrack_irc,xt_helper,xt_connlimit
x_tables               19118  16 ip_tables,xt_helper,xt_TCPMSS,xt_tcpmss,ipt_LOG,xt_DSCP,xt_dscp,xt_length,iptable_mangle,xt_hl,ipt_REJECT,xt_owner,xt_mark,xt_recent,xt_connlimit,xt_hashlimit

Check if IPtables Modules are Loaded

lsmod | grep -i ipt

You should see the following:

ipt_REJECT             12502  0
iptable_mangle         12536  0
ipt_LOG                12605  0
ip_tables              22042  1 iptable_mangle
x_tables               19118  16 ip_tables,xt_helper,xt_TCPMSS,xt_tcpmss,ipt_LOG,xt_DSCP,xt_dscp,xt_length,iptable_mangle,xt_hl,ipt_REJECT,xt_owner,xt_mark,xt_recent,xt_connlimit,xt_hashlimit

Finally, list the Match Modules

cat /proc/net/ip_tables_matches

You should see the following:

connlimit
connlimit
mark
owner
helper
hashlimit
recent
ttl
length
tos
dscp
tcpmss
icmp
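
The listings above show why a module check has to accept two spellings: the script loads modules by their legacy names (ip_conntrack, ipt_recent, ipt_ttl) while lsmod reports the modules they alias to (nf_conntrack_ipv4, xt_recent, xt_hl). The following is an added example, not the page's own modules check script. The lsmod text is constructed for the test, the alias table follows the kernel's MODULE_ALIAS entries, and load_and_report is the only function that touches the live system (it needs root).

```shell
#!/bin/sh
# Added example: report which netfilter modules are loaded, accepting either the
# legacy ipt_*/ip_conntrack* request names or the xt_*/nf_conntrack* names that
# lsmod prints on current kernels.

# Constructed lsmod output for testing; not captured from a real host.
SAMPLE_LSMOD='Module                  Size  Used by
xt_recent              13188  0
xt_hl                  12449  0
nf_conntrack_ipv4      14078  0
nf_conntrack_ftp       12605  0
ipt_REJECT             12502  0
ip_tables              22042  1 iptable_mangle'

# modern_name LEGACY: print the current module name for a legacy request name.
# The renames are the kernel's own aliases (ipt_ttl -> xt_hl, ipt_tos -> xt_dscp,
# ip_conntrack -> nf_conntrack_ipv4, ...).
modern_name() {
  case "$1" in
    ip_conntrack)   echo nf_conntrack_ipv4 ;;
    ip_conntrack_*) echo "nf_conntrack_${1#ip_conntrack_}" ;;
    ipt_ttl)        echo xt_hl ;;
    ipt_tos)        echo xt_dscp ;;
    ipt_TOS)        echo xt_DSCP ;;
    ipt_LOG)        echo xt_LOG ;;     # ipt_LOG was merged into xt_LOG in Linux 3.4
    ipt_REJECT)     echo ipt_REJECT ;; # IPv4-only target, never renamed
    ipt_*)          echo "xt_${1#ipt_}" ;;
    *)              echo "$1" ;;
  esac
}

# is_loaded NAME LSMOD_TEXT: succeed if NAME or its modern alias is in column 1.
is_loaded() {
  printf '%s\n' "$2" | awk -v a="$1" -v b="$(modern_name "$1")" \
    '$1 == a || $1 == b { found = 1 } END { exit !found }'
}

# missing_modules "NAME ..." LSMOD_TEXT: print the names that are not loaded.
missing_modules() {
  for m in $1; do
    is_loaded "$m" "$2" || printf '%s\n' "$m"
  done
}

# load_and_report "NAME ...": on a real host, try to load each module (modprobe
# resolves the legacy aliases) and print what still is not loaded. Needs root.
load_and_report() {
  for m in $1; do modprobe "$m" 2>/dev/null; done
  missing_modules "$1" "$(lsmod)"
}
```

On the VPS you would call `load_and_report "ip_conntrack ip_conntrack_ftp ipt_recent ipt_ttl xt_connlimit xt_hashlimit"` and treat any name it prints as a module to raise with the provider, exactly as the check script's closing message suggests.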

Applying System and Network Tuneup Rules

You will be amazed how the OS Kernel, TCP/IP Stack, and IPtables Modules work together to serve users requests.

Run the following steps (1 to 7)

1. Create System and Network Tuneup Script

nano /etc/network/iptables/system-and-network-tuneup.sh

Open the following file, copy its content, and paste it into system-and-network-tuneup.sh.

System and Network Tuneup Script

Note: if you are using Ubuntu 16.04 or Fedora, enable the following lines inside the script. Hit Ctrl-W, search for xt_recent, and remove the # signs. Both parameters must be on the same modprobe line: once the module is loaded, a further modprobe with different parameters is a no-op, so a separate line for ip_list_tot would never take effect. modprobe -r also refuses to unload xt_recent while any iptables rule still uses -m recent, so this has to run before the firewall script.

# Enable only if you are using Ubuntu 16.04 or Fedora.
# Both parameters on one line: a modprobe of an already loaded module ignores new parameters.
$MODPROBE -r xt_recent
$MODPROBE xt_recent ip_pkt_list_tot=255 ip_list_tot=5000

Save: Ctrl-X, Hit Y Key, and Enter

2. Make it Executable

chmod +x /etc/network/iptables/system-and-network-tuneup.sh

3. Allow Only Root Access to Scripts

chmod 700 -R /etc/network/iptables

4. Run the Script

On a DigitalOcean or Vultr (KVM) VPS all rules should apply successfully. On an OpenVZ VPS some rules are not supported by the shared kernel, and you may need to contact your provider.

/etc/network/iptables/system-and-network-tuneup.sh

You should see output similar to the following (the exact set of keys and errors depends on your kernel):

kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.pid_max = 4194303
fs.file-max = 100000
vm.swappiness = 10
ERROR: could not insert 'tcp_htcp': Invalid argument
net.ipv4.tcp_congestion_control = cubic
sysctl: setting key "net.ipv4.tcp_congestion_control": No such file or directory
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.udp_rmem_min = 16384
net.ipv4.udp_wmem_min = 16384
net.core.rmem_default = 16777216
net.core.wmem_default = 16777216
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 50000
net.core.dev_weight = 64
net.ipv4.tcp_max_syn_backlog = 30000
net.ipv4.tcp_max_tw_buckets = 2000000
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_fin_timeout = 10
net.core.somaxconn = 32768
net.core.optmem_max = 65535
net.ipv4.tcp_keepalive_time = 60
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_orphan_retries = 0
net.ipv4.tcp_max_orphans = 16384
net.ipv4.ipfrag_high_thresh = 512000
net.ipv4.ipfrag_low_thresh = 446464
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
net.unix.max_dgram_qlen = 50
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3
net.ipv4.tcp_slow_start_after_idle = 0
sysctl: cannot stat /proc/sys/net/ipv4/tcp_fastopen: No such file or directory
sysctl: cannot stat /proc/sys/net/core/default_qdisc: No such file or directory
net.ipv4.route.flush = 1
net.ipv6.route.flush = 1
net.ipv4.neigh.default.gc_thresh1 = 512
net.ipv4.neigh.default.gc_thresh2 = 1024
net.ipv4.neigh.default.gc_thresh3 = 2048
net.ipv4.neigh.default.gc_interval = 120
net.ipv4.neigh.default.gc_stale_time = 240
sysctl: cannot stat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait: No such file or directory
sysctl: cannot stat /proc/sys/net/ipv4/netfilter/ip_conntrack_max: No such file or directory
net.netfilter.nf_conntrack_max = 190716
sysctl: cannot stat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established: No such file or directory
net.netfilter.nf_conntrack_tcp_timeout_established = 600

What if you see some errors?

As of this writing, I was able to spot and explain the following errors across Debian, Ubuntu and CentOS kernels:

  • “cannot stat /proc/sys/net/ipv4/tcp_fastopen” and “cannot stat /proc/sys/net/core/default_qdisc”: these keys only exist on newer kernels (tcp_fastopen since Linux 3.7, net.core.default_qdisc since Linux 3.12). On an older kernel they simply cannot be set, and the errors are harmless.
  • “ip_conntrack_tcp_timeout_time_wait”, “ip_conntrack_max” and “ip_conntrack_tcp_timeout_established”: these are the legacy net.ipv4.netfilter.ip_conntrack_* keys. They are safe to ignore because the script also sets the current net.netfilter.nf_conntrack_* equivalents, which the output above shows being applied.
  • “ERROR: could not insert ‘tcp_htcp‘: Invalid argument” followed by “sysctl: setting key net.ipv4.tcp_congestion_control: No such file or directory”: the tcp_htcp congestion-control module is not available on that kernel (I saw this on kernels older than 3.3). The kernel keeps cubic, as the tcp_congestion_control = cubic line in the output shows.
  • The following two errors come from the script echoing values into /sys/module/xt_recent/parameters/. On Ubuntu 16.04 those parameter files are read-only, so the echo lines cannot change them; the modprobe lines you enabled before saving pass the values at module load time instead, which is the reliable way to set them. Ignore the two errors.
    • “/etc/network/iptables/system-and-network-tuneup.sh: line 289: /sys/module/xt_recent/parameters/ip_pkt_list_tot: Permission denied“
    • “/etc/network/iptables/system-and-network-tuneup.sh: line 295: /sys/module/xt_recent/parameters/ip_list_tot: Permission denied“
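
A more robust way to apply the rules is to check whether each key exists under /proc/sys before writing it, so that a key absent from this kernel is counted as skipped rather than reported as an error. This is an added example, not the page's tuneup script: the PROC_SYS variable is an assumption that lets the functions be exercised against a scratch directory, the rules text is a constructed sample using values from this page, and on a real host the functions must run as root with PROC_SYS left at its default.

```shell
#!/bin/sh
# Added example: apply sysctl rules while tolerating keys that this kernel does
# not have, instead of letting every "cannot stat" message look like a failure.
# PROC_SYS is an assumption for dry runs: point it at a scratch directory and the
# functions write there instead of the live /proc/sys.
PROC_SYS=${PROC_SYS:-/proc/sys}

# Constructed rules list in key=value form; the values are the ones this page uses.
SAMPLE_RULES='# network
net.ipv4.tcp_fin_timeout=10
net.ipv4.tcp_fastopen=3
# legacy conntrack key, absent on nf_conntrack kernels
net.ipv4.netfilter.ip_conntrack_max=190716
net.netfilter.nf_conntrack_max=190716'

# sysctl_path KEY: net.ipv4.tcp_fin_timeout -> $PROC_SYS/net/ipv4/tcp_fin_timeout
sysctl_path() { printf '%s/%s\n' "$PROC_SYS" "$(printf '%s' "$1" | tr . /)"; }

# apply_sysctl KEY VALUE: 0 applied, 2 key absent on this kernel, 1 write refused
apply_sysctl() {
  p=$(sysctl_path "$1")
  if [ ! -e "$p" ]; then
    echo "skip: $1 (not present on this kernel)" >&2
    return 2
  fi
  if printf '%s\n' "$2" > "$p" 2>/dev/null; then
    echo "$1 = $2"
    return 0
  fi
  echo "fail: $1 (write refused)" >&2
  return 1
}

# apply_rules TEXT: apply every key=value line, ignoring blanks and comments.
# Prints "applied=N skipped=N failed=N" last; fails only if a write was refused.
apply_rules() {
  applied=0; skipped=0; failed=0
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    key=${line%%=*}; value=${line#*=}
    apply_sysctl "$key" "$value" && rc=0 || rc=$?
    case $rc in
      0) applied=$((applied + 1)) ;;
      2) skipped=$((skipped + 1)) ;;
      *) failed=$((failed + 1)) ;;
    esac
  done <<EOF
$1
EOF
  echo "applied=$applied skipped=$skipped failed=$failed"
  [ "$failed" -eq 0 ]
}
```

A skipped key is a normal difference between kernels; a refused write is the case worth investigating, since on an OpenVZ VPS it usually means the container is not allowed to change that setting. If you keep using the $SYSCTL binary in the script, `sysctl -e` gives the same tolerance for unknown keys.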

5. Add System and Network Tuneup File to Startup

nano /etc/init.d/custom-scripts.sh

Add the script to the end of the file as shown below:

#!/bin/bash
### BEGIN INIT INFO
# Provides:          custom-scripts
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: custom-scripts
# Description:       Applying Customized Startup Scripts
### END INIT INFO
echo
echo "Applying Customized Startup Scripts..."
echo
#################################################
# Write down your script's path below
# Kernel Hardening Rules
/etc/network/iptables/kernel-hardening-rules.sh
# Loading IPtables Firewall Modules 
/etc/network/iptables/iptables-modules-check.sh
# System and Network Tuneups 
/etc/network/iptables/system-and-network-tuneup.sh

Save: Ctrl-X, Hit Y Key, and Enter

6. Reboot your VPS

reboot

Note: After rebooting, and since the scripts are starting with the system, you should be able to verify the new values which should have been retained even after a reboot.

7. Verify IPtables and Netfilter New Settings

Let’s verify some key areas.

a. Verify Connection Track Max Value

Debian 7, for instance, comes with 31786 as the default connection-tracking maximum (the kernel sizes it from installed RAM), and you can multiply that by 5, 6 or more. Some systems, such as Linux routers, need an nf_conntrack_max of about one million (1000000). I set mine to 31786 * 6 = 190716 at startup. Each tracked connection costs a few hundred bytes of kernel memory, so do not raise the value far beyond what the VPS can hold.

cat /proc/sys/net/nf_conntrack_max

The NEW value should be: 190716

And…

cat /proc/sys/net/netfilter/nf_conntrack_max

Same thing: 190716

You can watch Connection Track Live!

watch /sbin/sysctl net.netfilter.nf_conntrack_count

Ctrl-c to Exit.

b. Verify Hash Size Values

Keep in mind that the hash size and the connection-tracking maximum are tied together: the hash table is what the kernel searches for every packet, so if you raise nf_conntrack_max without raising hashsize the hash chains grow longer and lookups slow down. The moment you set a new nf_conntrack_max, adjust the hash size as well.

The script above already did it for you: it changed the default hash size from 7969 to 24576 to suit the new nf_conntrack_max of 190716. The kernel's own ratio, when the hash size is given explicitly, is nf_conntrack_max = 8 * hashsize, so:

Hash Size ≈ nf_conntrack_max / 8 = 190716 / 8 ≈ 23840, rounded up to 24576 (the next multiple of 4096)

c. Confirm Hash New value

cat /sys/module/nf_conntrack/parameters/hashsize

Should be:  24576

i. Another location…

cat /sys/module/nf_conntrack_ipv4/parameters/hashsize

Same thing: 24576

ii. Besides, confirm IP Connection Bucket Size as well.

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets

Should be: 24576

Ubuntu or CentOS

cat /proc/sys/net/netfilter/nf_conntrack_buckets

Same thing: 24576

d. Verify Netfilter xt_recent Modules Values

One of xt_recent's features is hit counting (-m recent --hitcount N --seconds S), which the firewall script uses to limit how many new connections a source address may open within a time window. ip_pkt_list_tot is the number of packet timestamps remembered per address, so a --hitcount larger than it can never trigger; ip_list_tot is the number of addresses a list can hold, and when the list is full the least recently seen entry is dropped. The defaults are too small for a busy site, and a small address list can also be churned: a burst from many different source addresses pushes earlier entries, including ones you meant to block, out of the list. The tuneup script above already raised both values. Let's confirm the new ip_pkt_list_tot and ip_list_tot.

The following command shows the xt_recent module's parameters, including the ceiling on ip_pkt_list_tot.

modinfo xt_recent

Or

modinfo xt_recent | grep -i "ip_pkt_list_tot:"

Below, you will find more information about the xt_recent Module. What I am interested to read is ip_pkt_list_tot packets max number (255) per IP address.

[...]
ip_pkt_list_tot:number of packets per IP address to remember (max. 255) (uint)
[...]

e. ip_pkt_list_tot New Value

The usual default for ip_pkt_list_tot is 20, which is not enough when a website gets busy. I set mine to 255, the module's maximum, using the above script.

cat /sys/module/xt_recent/parameters/ip_pkt_list_tot

The NEW value should be: 255

f. ip_list_tot New Value

The usual default for ip_list_tot is 100 addresses, which is also not enough when a web hosting solution gets busy. I set mine to 5000 using the above script.

cat /sys/module/xt_recent/parameters/ip_list_tot

The NEW value should be: 5000

Note: if Ubuntu 16.04 still shows 100, the cause is that ip_list_tot was passed on a second modprobe line after the module had already been loaded by the first one; a modprobe of an already loaded module does not change its parameters. Put ip_pkt_list_tot=255 ip_list_tot=5000 on a single modprobe line (or in an options line in /etc/modprobe.d/xt_recent.conf so it survives reboots), then remove and reload the module. modprobe -r refuses while any iptables rule still uses -m recent, so flush those rules first.
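
The two module parameters verified in this section, the conntrack hash size in step b and the xt_recent list sizes in steps d to f, can be derived and set from one small helper. This is an added example, not code from the page's tuneup script: SYSFS and MODPROBE_D are assumptions so the functions can be exercised against a scratch directory, the rounding rule reproduces the script's 24576 from 190716, and on a real host the writes need root.

```shell
#!/bin/sh
# Added example: size the conntrack hash from nf_conntrack_max and set xt_recent
# parameters at module load time. SYSFS and MODPROBE_D are assumptions for dry
# runs; on a real host they default to /sys/module and /etc/modprobe.d.
SYSFS=${SYSFS:-/sys/module}
MODPROBE_D=${MODPROBE_D:-/etc/modprobe.d}

# conntrack_hashsize MAX: the kernel uses nf_conntrack_max = 8 * hashsize when
# hashsize is set explicitly, so take MAX/8 and round up to a multiple of 4096.
# 190716 -> 24576, the value the tuneup script uses.
conntrack_hashsize() {
  h=$(( ($1 + 7) / 8 ))
  echo $(( (h + 4095) / 4096 * 4096 ))
}

# set_conntrack_hashsize MAX: write the derived size; the parameter file is
# writable by root and resizes the table live.
set_conntrack_hashsize() {
  conntrack_hashsize "$1" > "$SYSFS/nf_conntrack/parameters/hashsize"
}

# xt_recent_param NAME: read a live xt_recent parameter (ip_list_tot, ip_pkt_list_tot).
xt_recent_param() { cat "$SYSFS/xt_recent/parameters/$1"; }

# write_xt_recent_options LIST [PKT]: persistent load-time parameters. Both go on
# one options line; ip_pkt_list_tot is capped at 255 by the module (see modinfo).
write_xt_recent_options() {
  pkt=${2:-255}
  [ "$pkt" -le 255 ] || { echo "ip_pkt_list_tot max is 255" >&2; return 1; }
  printf 'options xt_recent ip_list_tot=%s ip_pkt_list_tot=%s\n' "$1" "$pkt" \
    > "$MODPROBE_D/xt_recent.conf"
}

# reload_xt_recent: apply the options file now. modprobe -r refuses while any
# iptables rule still uses -m recent, so flush those rules first.
reload_xt_recent() {
  modprobe -r xt_recent && modprobe xt_recent
}
```

Typical use on the VPS is `set_conntrack_hashsize 190716`, then `write_xt_recent_options 5000 255` followed by `reload_xt_recent` before the firewall script installs any -m recent rule; after that, `xt_recent_param ip_list_tot` should print 5000.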

Increasing Open File Descriptors Sessions Limit

Besides the fs.file-max kernel setting, increase the per-process file descriptor limit as well. fs.file-max is the system-wide ceiling on open file handles; the nofile limit in limits.conf says how many a single process may open, and that is the limit a web or database server hits first.

Run the following steps (1 to 4)

For either Debian or Red Hat Based Systems.

1. Edit Security Limits Config File

nano /etc/security/limits.conf

Add the following to end of the file as shown below:

# Allow every user to open up to 100000 files per process
# * matches all users except root: limits.conf does not apply wildcard
# (or group) entries to root, hence the explicit root lines below
* soft nofile 100000
* hard nofile 100000
root soft nofile 100000
root hard nofile 100000
# End of file

Note: 100000 was also set by the tuneup script through the fs.file-max=100000 kernel rule. limits.conf is applied by pam_limits when a session starts, so it covers your shells and anything you launch from them. Services started by systemd do not pass through PAM and take their limit from LimitNOFILE= in the unit file instead.

2. Edit SSH Server Config File

I need to make sure SSH Server is using PAM:

nano /etc/ssh/sshd_config

Ctrl-w and search for UsePAM, make sure it’s enabled by removing hash sign and set at Yes value:

UsePAM yes

Save: Ctrl-X, Hit Y Key, and Enter

PAM should start using the New settings insides limits.conf file.

3. Edit PAM sshd File

nano /etc/pam.d/sshd

Hit Ctrl-w and search for pam_limits.so, make sure it’s enabled as well and save the file.

session required pam_limits.so

Save: Ctrl-X, Hit Y Key, and Enter

4. Verify

Log out, SSH in again (pam_limits applies the limits at session start), and run the following commands to confirm the changes:

cat /proc/sys/fs/file-max

And

ulimit -Sn
ulimit -Hn

All, should show 100000 as limit:

100000
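
ulimit only reports the limits of your own shell. What matters for the web server is the limit of the running service process, which the kernel exposes in /proc/<pid>/limits, and for a systemd service that limit comes from the unit, not from limits.conf. The following is an added example, not part of the page: the limits text is a constructed sample, and the paths are passed as parameters so the functions can be exercised outside a real host (the unit drop-in needs root and a `systemctl daemon-reload` afterwards).

```shell
#!/bin/sh
# Added example: read the effective open-files limit of a process from
# /proc/<pid>/limits (what the kernel actually enforces) and give a systemd
# service its own limit through a unit drop-in.

# Constructed /proc/<pid>/limits excerpt; not captured from a real process.
SAMPLE_LIMITS='Limit                     Soft Limit           Hard Limit           Units
Max processes             15000                15000                processes
Max open files            1024                 4096                 files
Max locked memory         65536                65536                bytes'

# nofile_limits FILE: print "soft hard" for Max open files from a limits file.
nofile_limits() {
  awk '/^Max open files/ { print $4, $5 }' "$1"
}

# proc_nofile PID: same, for a live process, e.g. proc_nofile "$(pidof -s nginx)".
proc_nofile() { nofile_limits "/proc/$1/limits"; }

# nofile_ok FILE WANT: succeed only if both soft and hard limits reach WANT.
nofile_ok() {
  set -- $(nofile_limits "$1") "$2"
  [ "$1" -ge "$3" ] && [ "$2" -ge "$3" ]
}

# write_nofile_dropin UNIT LIMIT [ETC]: systemd services do not go through
# pam_limits, so limits.conf never reaches them; a drop-in sets LimitNOFILE.
# ETC defaults to /etc/systemd/system; run systemctl daemon-reload afterwards.
write_nofile_dropin() {
  dir=${3:-/etc/systemd/system}/$1.service.d
  mkdir -p "$dir"
  printf '[Service]\nLimitNOFILE=%s\n' "$2" > "$dir/nofile.conf"
}
```

On a systemd host the check that matters is `nofile_ok /proc/$(pidof -s nginx)/limits 100000`; if it fails although ulimit -n shows 100000 in your shell, add the drop-in, reload systemd and restart the service.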

Setting Single Shared and System Wide Page Memory

You do not need to edit the shared-memory limits on newer releases such as Debian 8, Ubuntu 16.04 or CentOS 7. Since Linux 3.16 the kernel's defaults for shmmax and shmall are effectively unlimited, and CentOS 7 carries the same change in its 3.10 kernel; this is a kernel change that merely arrived in the same release cycle as systemd. You can skip the following steps and go to the next lab if you are on one of those releases, but I recommend verifying your VPS values either way.

Note: Editing the System and Network Tuneup Script, you will find that I have dedicated some rules for Page Memory under “System Optimization Rules” section. The page memory rules are disabled by default using the hash sign since it’s not needed on newer Linux systems using systemd.

But, if you are using older releases prior to systemd base systems such Debian7, Ubuntu 12.04, Ubuntu14.04, and sometimes CentOS6, then you need to set these rules based on your VPS installed RAM. I recommend using a mathematical formula as shown below before enabling these rules.

The two settings are kernel.shmmax, the largest single shared-memory segment a process may create, in bytes, and kernel.shmall, the total shared memory allowed system-wide, counted in pages (not bytes). The idea is to tune them to the RAM installed in your VPS. Again, you do not need this on newer kernels, where both default to a very large number regardless of installed RAM, but it is still worth verifying.

First, view current values of Single and Shared Memory Settings:

sysctl -a | grep -E "shmmax|shmall"

For example, on a Debian 7 system at DigitalOcean, Vultr or even VirtualBox, the defaults are:

kernel.shmmax = 33554432 # bytes, 32 MiB per segment
kernel.shmall = 2097152 # pages, 8 GiB in total with 4 KiB pages

The per-segment limit is the low one here. Adjust both settings on Debian 7, Ubuntu 12.04 and Ubuntu 14.04 if your VPS holds 4G of RAM or more. Now compare a systemd-era system such as Debian 8 or CentOS 7:

Note: Ubuntu 16.04 (kernel 4.4) carries the large defaults as well, so on Debian 8, Ubuntu 16.04 and CentOS 7 you no longer need to modify shmall and shmmax.

Debian8

kernel.shmall = 18446744073692774399 # pages; 2^64 minus 16 MiB, effectively unlimited
kernel.shmmax = 18446744073692774399 # bytes; effectively unlimited

CentOS6

kernel.shmmax = 68719476736 # bytes, 64 GiB
kernel.shmall = 4294967296 # pages, 16 TiB with 4 KiB pages

CentOS7

kernel.shmall = 18446744073692774399 # pages; effectively unlimited
kernel.shmmax = 18446744073692774399 # bytes; effectively unlimited

As you can see, Debian 8 and CentOS 7 ship with limits so large they never bind, so no adjustment is needed.

Follow the steps below to set new values if you are on a pre-3.16 kernel, starting with shmmax:

Recommended setting for shmmax:

Use half of the physical RAM installed. So for a 4G VPS, shmmax would be 2147483648 bytes = 2048 MiB.

Recommended setting for shmall (in pages):

shmall = (shmmax/pagesize)*(shmmni/16)

Let’s get the required values for the upper formula:

I know my shmmax which is: 2147483648

To get page size, I run the following command:

getconf PAGE_SIZE

Usually, the value should be: 4096

And shmmni, the maximum number of segments, defaults to 4096 (ipcs -lm lists it as max number of segments).

Plugging in the numbers: shmall = (2147483648/4096) * (4096/16) = 524288 * 256 = 134217728 pages, which with 4 KiB pages is 512 GiB. That is a count of pages, not 134 MB. Because shmall is a ceiling rather than an allocation, a value far above installed RAM is harmless; it simply means the total will never be the limit that binds.

View Current Total Shared Memory

ipcs -lm

Original default values on Debian7 are:

------ Shared Memory Limits --------
max number of segments = 4096              >> shmmni
max seg size (kbytes) = 32768              >> shmmax / 1024
max total shared memory (kbytes) = 8388608 >> shmall pages * 4 (the page size in KiB)
min seg size (bytes) = 1

So, if you use Debian7, Ubuntu12.04, Ubuntu14.04, or CentOS6, then enable the Memory rules under the System and Network Tuneup script based on the memory installed. For instance, if you have 4G VPS, enable the following rules:

# For 4G Memory VPS: half of RAM, in bytes (2048 MiB)
$SYSCTL kernel.shmmax=2147483648
# For 4G Memory VPS: (shmmax/4096)*(4096/16), in pages (512 GiB with 4 KiB pages)
$SYSCTL kernel.shmall=134217728

Save: Ctrl-X, Hit Y Key, and Enter

And reapply the script:

/etc/network/iptables/system-and-network-tuneup.sh

Remember, if you upgrade your VPS RAM, do the calculation again using the upper formula based on the new RAM, adjust the rules, and reapply the script.
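
Since the formula above has to be redone whenever the RAM changes, and since ipcs reports the result in different units from sysctl, it helps to compute both from one place. This is an added example, not part of the page's tuneup script: it implements the page's own shmmax and shmall formula, converts the results into the kbyte figures that `ipcs -lm` prints, and live_ram_bytes is the only function that reads the host.

```shell
#!/bin/sh
# Added example: derive shmmax/shmall from installed RAM with the formula on this
# page and convert them to the units ipcs -lm reports. shmall is in pages, not bytes.

# shmmax_for_ram RAM_BYTES: half of physical RAM, in bytes.
shmmax_for_ram() { echo $(( $1 / 2 )); }

# shmall_pages SHMMAX PAGE_SIZE SHMMNI: (shmmax/pagesize)*(shmmni/16), in pages.
shmall_pages() { echo $(( ($1 / $2) * ($3 / 16) )); }

# ipcs_seg_kb SHMMAX: "max seg size (kbytes)" as ipcs -lm prints it.
ipcs_seg_kb() { echo $(( $1 / 1024 )); }

# ipcs_total_kb SHMALL PAGE_SIZE: "max total shared memory (kbytes)" = pages * page size / 1024.
ipcs_total_kb() { echo $(( $1 * $2 / 1024 )); }

# shm_plan RAM_BYTES [PAGE_SIZE] [SHMMNI]: print the two sysctl lines to enable in
# the tuneup script, then the ipcs figures to expect after reapplying it.
shm_plan() {
  page=${2:-$(getconf PAGE_SIZE)}
  mni=${3:-4096}
  max=$(shmmax_for_ram "$1")
  all=$(shmall_pages "$max" "$page" "$mni")
  printf 'kernel.shmmax=%s\nkernel.shmall=%s\n' "$max" "$all"
  printf 'ipcs: max seg size (kbytes) = %s\n' "$(ipcs_seg_kb "$max")"
  printf 'ipcs: max total shared memory (kbytes) = %s\n' "$(ipcs_total_kb "$all" "$page")"
}

# live_ram_bytes: installed RAM from /proc/meminfo (MemTotal is in kB).
live_ram_bytes() { awk '/^MemTotal:/ { print $2 * 1024 }' /proc/meminfo; }
```

On the VPS, `shm_plan "$(live_ram_bytes)"` prints the lines to paste into the script; for a 4 GiB machine with 4 KiB pages it gives shmmax 2147483648 and shmall 134217728 pages, and predicts that ipcs -lm will show a max seg size of 2097152 kbytes and a max total of 536870912 kbytes.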

Testing and Verifying New Memory Settings

Note: the following test was made on Debian7 4G VPS, so if you have less or greater than 4G, your test will look different. Again, this test is not needed on systemd base systems.

Run the following steps (1 to 3)

1. Verify Single Shared Memory Values

shmmax value: For Single Shared Memory

sysctl -a | grep -E "shmmax"

The NEW value should be: 2147483648 bytes = 2048 MiB

Default value was: 33554432 bytes = 32 MiB

2. Verify System Wide Page Memory Values

shmall value: For System Wide Page Memory.

sysctl -a | grep -E "shmall"

The NEW value should be: 134217728 pages (512 GiB with 4 KiB pages)

Default value was: 2097152 pages (8 GiB with 4 KiB pages)

3. Confirm Total Shared Memory New Values

Note: ipcs -lm prints shmmax in kbytes and shmall converted to kbytes (pages * page size / 1024), so its figures differ from the raw sysctl values. If you run ipcs before applying the tuneup script you will see the defaults; the figures change as soon as you modify shmmax and shmall and reapply the script.

ipcs -lm

So the NEW values on Debian 7 for a 4G VPS should be (2147483648 / 1024 for the segment size, 134217728 * 4 for the total):

------ Shared Memory Limits --------
max number of segments = 4096
max seg size (kbytes) = 2097152
max total shared memory (kbytes) = 536870912
min seg size (bytes) = 1

And the Original default values on Debian7 for 4G VPS were:

------ Shared Memory Limits --------
max number of segments = 4096              >> shmmni
max seg size (kbytes) = 32768              >> from the default shmmax of 33554432 bytes
max total shared memory (kbytes) = 8388608 >> from the default shmall of 2097152 pages
min seg size (bytes) = 1


About Imad Daou

CCNA HUB Founder, Imad has been in IT field since 2007. Currently holding A+, Network+, Server+, Security+, and Storage+. HP, Dell, and IBM Hardware Certified. Pursuing Linux+, LPIC-2, RHCSA, RHCE, AWS, CCNA, and JNCIA.
