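#!/usr/bin/env bash
# System and Network Kernel Tuneup Rules by CCNA HUB - Imad Daou
# For more information: https://www.ccnahub.com/linux-courses/
#
# The following Kernel Optimization Rules are recommended for a single Web Hosting VPS.
#
### Optimization Note ###
# The following Kernel Optimization Rules are intended for a dedicated VPS with
# at least 2 CPUs, 4G Memory, and a 1G Network.
#
### Rules ON/OFF Switch Values ###
# 0 (zero)   -> Rule Disabled / OFF
# 1 (one)    -> Rule Enabled / ON
# X (number) -> Rule Value
#
# Usage: run as root (every rule writes to /proc/sys or /sys/module).
#
# 'set -e' is deliberately NOT used: several rules are written under both the
# old (net.ipv4.netfilter.*) and the new (net.netfilter.*) key names, and a few
# keys only exist on some kernel versions, so individual failures are expected
# and must not abort the whole run. Each failure is reported on stderr instead.
set -u

### System Control Commands ###
readonly SYSCTL="/sbin/sysctl"
readonly MODPROBE="/sbin/modprobe"

#######################################
# Print a warning on stderr and keep going.
# Arguments: $* - message
#######################################
warn() {
  printf 'warning: %s\n' "$*" >&2
}

#######################################
# Print an error on stderr and exit.
# Arguments: $* - message
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Set one sysctl key. A failure is reported but does not abort the script,
# because some keys are distribution- or kernel-version-specific.
# Arguments: $1 - key=value
#######################################
set_sysctl() {
  "$SYSCTL" -w "$1" || warn "could not set $1"
}

#######################################
# Write one value into a /proc or /sys file (replaces the bare 'echo > path'
# pattern). A failure is reported but does not abort the script.
# Arguments: $1 - value to write
#            $2 - target path
#######################################
write_file() {
  local value=$1
  local path=$2
  printf '%s\n' "$value" > "$path" || warn "could not write '$value' to $path"
}

#-----------------------------------------------------------------------
##
## System Optimization Rules
##
#######################################
# Apply the kernel/VM rules (sysrq, core dumps, pid_max, file-max, swappiness).
#######################################
system_rules() {
  # Controls the System Request debugging functionality of the kernel.
  set_sysctl kernel.sysrq=0

  # Controls whether core dumps will append the PID to the core filename.
  # Useful for debugging multi-threaded applications.
  set_sysctl kernel.core_uses_pid=1

  # Allow for more PIDs. Maximum of 32768 for 32 bit systems or 4194304 for 64 bit.
  set_sysctl kernel.pid_max=4194303

  # Number of maximum opened files.
  # Apache or Nginx web servers might require a high number. 100000 should be fine.
  set_sysctl fs.file-max=100000

  # Reduce Linux swapping idle processes to disk (default = 60).
  # Usually, VPS machines have no Swap partition; however, it is good to have it.
  # For dedicated MySQL servers like Galera Clusters, use 1 instead of 10.
  set_sysctl vm.swappiness=10

  #
  # Increasing Single Shared Memory Segments
  #
  # Note: No need to modify shared memory settings for Linux systems based on systemd.
  # However, if you are using Debian7, Ubuntu12 and 14, or CentOS6, then you might need
  # to enable the following rules accordingly. kernel.shmmax is in bytes.
  # For 1G Memory VPS
  #set_sysctl kernel.shmmax=536870912   # 512 MB
  # For 2G Memory VPS
  #set_sysctl kernel.shmmax=1073741824  # 1024 MB
  # For 4G Memory VPS
  #set_sysctl kernel.shmmax=2147483648  # 2048 MB
  # For 8G Memory VPS
  #set_sysctl kernel.shmmax=4294967296  # 4096 MB

  #
  # Increasing Shared Memory System Wide Pages
  #
  # Note: If you enabled Single Shared Memory, then you need to enable the system-wide
  # page limit too accordingly. kernel.shmall is counted in PAGES (PAGE_SIZE, normally
  # 4 KiB), not bytes: size it as shmmax / PAGE_SIZE rather than as a byte count.
  # For 1G Memory VPS
  #set_sysctl kernel.shmall=33554432    # pages
  # For 2G Memory VPS
  #set_sysctl kernel.shmall=67108864    # pages
  # For 4G Memory VPS
  #set_sysctl kernel.shmall=134217728   # pages
  # For 8G Memory VPS
  #set_sysctl kernel.shmall=268435456   # pages
}

#-----------------------------------------------------------------------
##
## Network Optimization Rules
##
#######################################
# Apply the TCP/IP stack rules (congestion control, buffers, backlogs,
# keepalive, queue discipline, port range and the default-route initcwnd).
# Globals: MODPROBE (read)
#######################################
network_rules() {
  # For high-bandwidth low-latency networks, use htcp or cubic congestion control.
  # For long fast paths, cubic or htcp is recommended.
  # Cubic is the default for a number of Linux distributions.
  # To get a list of congestion control algorithms that are available in your kernel run:
  #   sysctl net.ipv4.tcp_available_congestion_control
  # If htcp or cubic is not listed, the following 2 commands will load the modules.
  # Load required modules:
  "$MODPROBE" tcp_htcp || warn "could not load tcp_htcp"
  "$MODPROBE" tcp_cubic || warn "could not load tcp_cubic"

  # The last successful assignment wins: htcp is used when available, otherwise
  # the cubic setting from the first line stays in effect.
  set_sysctl net.ipv4.tcp_congestion_control=cubic
  set_sysctl net.ipv4.tcp_congestion_control=htcp

  # Enable TCP window scaling.
  set_sysctl net.ipv4.tcp_window_scaling=1

  # Turn ON or OFF selective ACK and timestamps.
  # Some people disable the following rules, especially on a Developer VPS.
  # Keeping them ON helps dial-up users or slow Internet connections browse your Production VPS.
  set_sysctl net.ipv4.tcp_sack=1
  set_sysctl net.ipv4.tcp_dsack=1
  set_sysctl net.ipv4.tcp_timestamps=1

  # Increase Linux autotuning read and write TCP buffer limits.
  # For 1G Network=16MB (16777216)
  # For 10G Network=32M (33554432) or 54M (56623104)
  # Don't set tcp_mem itself! Let the kernel scale it based on RAM.
  # (Set through sysctl instead of echo > /proc so that failures are reported
  # the same way as every other rule.)
  set_sysctl "net.ipv4.tcp_rmem=4096 87380 16777216"
  set_sysctl "net.ipv4.tcp_wmem=4096 87380 16777216"
  set_sysctl net.ipv4.udp_rmem_min=16384
  set_sysctl net.ipv4.udp_wmem_min=16384
  set_sysctl net.core.rmem_default=16777216
  set_sysctl net.core.wmem_default=16777216
  set_sysctl net.core.rmem_max=16777216
  set_sysctl net.core.wmem_max=16777216

  # Increase the core incoming-connections backlog.
  # Note: this script does not touch net.ipv4.tcp_syncookies; the distribution
  # default (normally 1) stays in effect and is what protects a large SYN backlog
  # under load - verify it on your kernel.
  set_sysctl net.core.netdev_max_backlog=50000
  set_sysctl net.core.dev_weight=64
  set_sysctl net.ipv4.tcp_max_syn_backlog=30000

  # Increase the IPv4 tcp-time-wait buckets pool size.
  set_sysctl net.ipv4.tcp_max_tw_buckets=2000000

  # Reuse time-wait connections and turn OFF recycling.
  # Recycling can break clients behind Network Address Translation.
  # tcp_tw_recycle was removed in Linux 4.12; on newer kernels this line just
  # reports a warning, which is harmless.
  set_sysctl net.ipv4.tcp_tw_reuse=1
  set_sysctl net.ipv4.tcp_tw_recycle=0
  set_sysctl net.ipv4.tcp_fin_timeout=10

  # Increase the core listen queue limit.
  set_sysctl net.core.somaxconn=32768

  # Increase the maximum core amount of option memory buffers.
  set_sysctl net.core.optmem_max=65535

  # Start probing an idle TCP connection after 1 minute (default 7200 seconds).
  set_sysctl net.ipv4.tcp_keepalive_time=60
  # Wait time between keepalive probes, reduced from 75 seconds to 15.
  set_sysctl net.ipv4.tcp_keepalive_intvl=15
  # Number of unanswered probes before the connection is dropped, reduced from 9 to 5.
  set_sysctl net.ipv4.tcp_keepalive_probes=5

  # TCP orphan retries and the maximum number of orphans.
  # Each orphan can eat up to 16M (max wmem) which is not swappable memory.
  # NOTE: a value of 0 does not switch retries off; the kernel substitutes its
  # own default (8) for live orphaned sockets when the value is 0 - verify on
  # your kernel.
  set_sysctl net.ipv4.tcp_orphan_retries=0
  set_sysctl net.ipv4.tcp_max_orphans=16384

  # IPv4 memory used to reassemble IP fragments.
  set_sysctl net.ipv4.ipfrag_high_thresh=512000
  set_sysctl net.ipv4.ipfrag_low_thresh=446464

  # Don't cache ssthresh from a previous connection.
  set_sysctl net.ipv4.tcp_no_metrics_save=1
  set_sysctl net.ipv4.tcp_moderate_rcvbuf=1

  # Increase the UNIX datagram socket queue length.
  set_sysctl net.unix.max_dgram_qlen=50

  # Increase IPv4 neighbour queue lengths.
  set_sysctl net.ipv4.neigh.default.proxy_qlen=96
  set_sysctl net.ipv4.neigh.default.unres_qlen=6

  # Enable Explicit Congestion Notification (RFC 3168); disable it if it doesn't work for you.
  set_sysctl net.ipv4.tcp_ecn=1
  set_sysctl net.ipv4.tcp_reordering=3

  # Number of retransmissions before an established connection is given up (retries2)
  # and before the connection is flagged as failing (retries1).
  set_sysctl net.ipv4.tcp_retries2=15
  set_sysctl net.ipv4.tcp_retries1=3

  # Avoid falling back to slow start after a connection goes idle;
  # keeps our cwnd large with keep-alive connections (kernel > 3.6).
  set_sysctl net.ipv4.tcp_slow_start_after_idle=0

  # Allow the TCP Fast Open flag to be used (3 = client and server);
  # beware some firewalls do not like TFO! (kernel > 3.7)
  set_sysctl net.ipv4.tcp_fastopen=3

  # For servers with TCP-heavy workloads, enable the 'fq_codel' queue management
  # scheduler (kernel > 3.12).
  set_sysctl net.core.default_qdisc=fq_codel

  # Ensure immediate subsequent connections use the new values.
  set_sysctl net.ipv4.route.flush=1
  set_sysctl net.ipv6.route.flush=1

  # Allowed local port range.
  set_sysctl "net.ipv4.ip_local_port_range=18000 65535"

  # Change the TCP initial congestion window from 1 to 10 on the default route.
  # The route is read into an array and expanded word by word, so a missing
  # default route no longer produces a bare 'ip route change initcwnd 10'.
  local -a defrt
  read -r -a defrt <<< "$(ip route | grep '^default' | head -n 1)"
  if (( ${#defrt[@]} > 0 )); then
    ip route change "${defrt[@]}" initcwnd 10 || warn "could not change initcwnd on the default route"
  else
    warn "no default route found; initcwnd left unchanged"
  fi
  # Manual process can be as follows:
  #   Run: ip route
  #   Output would be: default via 104.236.64.1 dev eth0
  #   Then run the following command using that IP address:
  #   ip route change default via 104.236.64.1 dev eth0 proto kernel initcwnd 10
}

#-----------------------------------------------------------------------
##
## DNS/ARP Optimization Rules
##
#######################################
# Apply the neighbour (ARP) cache thresholds and garbage-collection timers.
#######################################
dns_arp_rules() {
  # Setup thresholds for ARP entries.
  # The minimum number of entries to keep in the ARP cache. The garbage collector
  # will not run if there are fewer than this number of entries in the cache.
  # cat /proc/sys/net/ipv4/neigh/default/gc_thresh1  # Default Value: 128
  set_sysctl net.ipv4.neigh.default.gc_thresh1=512   # can be 1024 for dedicated DNS servers

  # The soft maximum number of entries to keep in the ARP cache. The garbage collector
  # will allow the number of entries to exceed this for 5 seconds before collection is performed.
  # cat /proc/sys/net/ipv4/neigh/default/gc_thresh2  # Default Value: 512
  set_sysctl net.ipv4.neigh.default.gc_thresh2=1024  # can be 2048 for dedicated DNS servers

  # The hard maximum number of entries to keep in the ARP cache. The garbage collector
  # will always run if there are more than this number of entries in the cache.
  # cat /proc/sys/net/ipv4/neigh/default/gc_thresh3  # Default Value: 1024
  set_sysctl net.ipv4.neigh.default.gc_thresh3=2048  # can be 4096 for dedicated DNS servers

  # How frequently the garbage collector for neighbour entries should attempt to run.
  # The value is in SECONDS: 120 = 2 minutes (kernel default: 30 seconds).
  # cat /proc/sys/net/ipv4/neigh/default/gc_interval
  set_sysctl net.ipv4.neigh.default.gc_interval=120

  # Set the ARP cache entry time-out.
  # Determines how often to check for stale neighbour entries. When a neighbour
  # entry is considered stale it is resolved again before sending data to it.
  # The value is in SECONDS: 240 = 4 minutes (kernel default: 60 seconds).
  # cat /proc/sys/net/ipv4/neigh/default/gc_stale_time
  set_sysctl net.ipv4.neigh.default.gc_stale_time=240
}

#-----------------------------------------------------------------------
##
## IPtables/Netfilter Firewall Optimization Rules
##
#######################################
# Apply the conntrack limits/time-outs and the xt_recent module parameters.
# Each conntrack key is set under both the legacy (net.ipv4.netfilter.*) and
# the current (net.netfilter.*) name; whichever one the kernel lacks just
# produces a warning.
# Globals: MODPROBE (read, only in the commented Ubuntu 16.04 lines)
#######################################
netfilter_rules() {
  # TIME_WAIT state after a FIN, to handle any remaining packets in the network.
  set_sysctl net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait=5  # legacy key name
  set_sysctl net.netfilter.nf_conntrack_tcp_timeout_time_wait=5       # current key name

  # Increase the Netfilter connection-tracking table size.
  # cat /proc/sys/net/nf_conntrack_max
  # cat /proc/sys/net/netfilter/nf_conntrack_max
  # Default Value: 31786
  # Usually multiplying the default by 6 or 8 is decent: 31786 * 6 = 190716
  # To watch live connections: watch /sbin/sysctl net.netfilter.nf_conntrack_count
  set_sysctl net.ipv4.netfilter.ip_conntrack_max=190716  # legacy key name
  set_sysctl net.netfilter.nf_conntrack_max=190716       # current key name

  # Increase the Netfilter hash-table size.
  # Default values:
  # cat /sys/module/nf_conntrack/parameters/hashsize       # 7969
  # cat /sys/module/nf_conntrack_ipv4/parameters/hashsize  # 7969
  # cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets  # 8192
  # Note: The rule of thumb is to allow no more than 8 connections per bucket.
  # Meaning, based on a conntrack_max value of 190716, hashsize should be 190716 / 8 = 24576.
  write_file 24576 /sys/module/nf_conntrack/parameters/hashsize
  write_file 24576 /sys/module/nf_conntrack_ipv4/parameters/hashsize

  # Decrease the Netfilter default time-out values.
  # sysctl -a | grep conntrack | grep timeout
  # Default value: 432000 which is 5 days!
  set_sysctl net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=600  # 10 Minutes - legacy key name
  set_sysctl net.netfilter.nf_conntrack_tcp_timeout_established=600       # 10 Minutes - current key name

  # Netfilter xt_recent module parameters.
  # Allow changing the (read-only by default) parameter files.
  chmod 711 /sys/module/xt_recent/parameters/ip_pkt_list_tot || warn "could not chmod ip_pkt_list_tot"
  chmod 711 /sys/module/xt_recent/parameters/ip_list_tot || warn "could not chmod ip_list_tot"

  # xt_recent restriction under Ubuntu 16.04
  # Although the permission is changed in the previous commands, due to a restriction
  # on Ubuntu 16.04 the write no longer works; you will see the error
  # "-bash: echo: write error: Input/output error". Only one value can be set at module
  # load time, so the module has to be removed first and re-added with the parameter.
  # ip_pkt_list_tot is chosen here. With older Ubuntu or other Linux distributions the
  # following modprobe lines work fine, and so do the writes below.
  # Enable only if you are using Ubuntu 16.04 Linux.
  #"$MODPROBE" -r xt_recent
  #"$MODPROBE" xt_recent ip_pkt_list_tot=255
  #"$MODPROBE" xt_recent ip_list_tot=5000

  # xt_recent ip_pkt_list_tot
  # cat /sys/module/xt_recent/parameters/ip_pkt_list_tot  # Default value: 20
  write_file 255 /sys/module/xt_recent/parameters/ip_pkt_list_tot   # write does not work on Ubuntu 16.04

  # xt_recent ip_list_tot
  # cat /sys/module/xt_recent/parameters/ip_list_tot  # Default value: 100
  write_file 5000 /sys/module/xt_recent/parameters/ip_list_tot      # can be 50000 or more; write does not work on Ubuntu 16.04
}

#-----------------------------------------------------------------------
##
## Apply Sysctl Rules
##
#######################################
# Re-apply /etc/sysctl.conf. Note that any key that file sets overrides the
# value assigned above, so keep the two in agreement.
#######################################
apply_rules() {
  "$SYSCTL" -p || warn "sysctl -p reported errors"
}

#######################################
# Entry point: refuse to run without root, then apply every section in order.
#######################################
main() {
  (( EUID == 0 )) || die "this script must be run as root"
  system_rules
  network_rules
  dns_arp_rules
  netfilter_rules
  apply_rules
}

main "$@"
#-----------------------------------------------------------------------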