Puppy Linux Discussion Forum
Kernel and TCP Tuning
Mic67

Joined: 30 Oct 2006
Posts: 478

Posted: Fri 02 Feb 2007, 13:48    Subject: Kernel and TCP Tuning
Subtitle: For fun, prophet, security and understanding of the Linux system.
 

Well after about 4 months of using Puppy Linux and Linux in general, I haven't remastered it, or compiled any applications yet. But I have spent most of my time - regarding the security aspects - in particular the IPTABLES and firewall, which allows you to control a lot, and from the continued research and application thereof the upper limit of knowledge is almost -- practically limitless, at least for a newbie like me. Although I have enjoyed much success...

Forum member "Gn2" convinced me to go beyond just that knowledge - thanks.

If you are using a live PuppyCD you can make attempts to "tune your Kernel" without saving anything, as every reboot is a fresh OS, at least in my instance.

I have done a lot of tuning, although not perfected it yet, I have had some success and acquired great knowledge of the Linux system as a newbie.

There is a lot more to be said of how and why - on kernel tuning, my purpose and success as well as issues. Here is some info for those interested.


http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html

Ipsysctl tutorial 1.0.4
Why this document

I started writing this documentation in the hopes that it would help people understand the IP options provided by Linux 2.4, and what you can do with these options. This is a plain text documentation, hoping to give the necessary understanding and help to configure your kernel on the fly, and to get it up and running in a way that suits you. A lot of these options can also be used to increase performance, as well as strengthen the security.

Intended audience & prerequisite knowledge

This document is intended for everyone with an intermediate through advanced understanding of TCP/IP as well as the Linux operating system. You should understand TCP/IP fairly well, as well as understand what a packet header is and what parts it consists of. You will also need a lot of understanding of routing and the core of TCP/IP networking.

In general, this document was not intended for the novice Linux user, but you may have some luck checking through this document if you are experiencing specific needs. Be absolutely 100% certain that you have understood the variables in question before you do change them though, since some of them may cause really interesting results.

http://gentoo-wiki.com/HOWTO_TCP_Tuning

http://linux-net.osdl.org/index.php/Ip-sysctl

Examples: /proc/sys/net/ipv4
ip_forward
BOOLEAN 0 - disabled (default)
Forward Packets between interfaces. This variable is special, its change resets all configuration parameters to their default state (RFC1122 for hosts, RFC1812 for routers)

ip_default_ttl
INTEGER default 64


Even Better descriptions>>>
http://www-didc.lbl.gov/TCP-tuning/ip-sysctl-2.6.txt
/proc/sys/net/ipv4/* Variables:

example

tcp_fin_timeout - INTEGER
Time to hold socket in state FIN-WAIT-2, if it was closed
or even died unexpectedly. Default value is 60sec.
Usual value used in 2.2 was 180 seconds, you may restore
it, but remember that if your machine is even underloaded WEB server,
you risk to overflow memory with kilotons of dead sockets,
FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1,
because they eat maximum 1.5K of memory, but they tend
to live longer. Cf. tcp_max_orphans.

AND

NOTE THIS IS MISSING IN THE PUPPYOS.

tcp_syncookies - BOOLEAN
Only valid when the kernel was compiled with CONFIG_SYNCOOKIES
Send out syncookies when the syn backlog queue of a socket
overflows. This is to prevent against the common 'syn flood attack'
Default: FALSE

Note, that syncookies is fallback facility.
It MUST NOT be used to help highly loaded servers to stand
against legal connection rate. If you see synflood warnings
in your logs, but investigation shows that they occur
because of overload with legal connections, you should tune
another parameters until this warning disappear.
See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.

syncookies seriously violate TCP protocol, do not allow
to use TCP extensions, can result in serious degradation
of some services (f.e. SMTP relaying), visible not by you,
but your clients and relays, contacting you. While you see
synflood warnings in logs not being really flooded, your server
is seriously misconfigured.


http://rootprompt.org/article.php3?article=903
Amateur Fortress Building in Linux
Part 1

http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=9&style=printable
Kernel Security

http://www.cs.helsinki.fi/linux/linux-kernel/2002-08/1716.html
http://lists.netfilter.org/pipermail/netfilter-devel/2003-July/012039.html

http://www.samag.com/documents/s=8920/sam0311a/0311a.htm
Linux Kernel Tuning Using System Control

http://www.linuxforums.org/desktop/linux_performance_tuning.html
Why tuning my system?

http://www.linuxforums.org/forum/linux-kernel/25649-kernel-tuning-linux.html
-------------------------------
http://www.linux.com/guides/Linux-Filesystem-Hierarchy/proc.shtml

/proc/sys/kernel/domainname, /proc/sys/kernel/hostname
"/proc is very special in that it is also a virtual filesystem. It's sometimes referred to as a process information pseudo-file system. It doesn't contain 'real' files but runtime system information (e.g. system memory, devices mounted, hardware configuration, etc). For this reason it can be regarded as a control and information centre for the kernel."

By altering files located in this directory you can even read/change kernel parameters (sysctl) while the system is running.

These files can be controlled to set the NIS domainname and hostname of your box. For the classic darkstar.frop.org a simple:

# echo "darkstar" > /proc/sys/kernel/hostname
# echo "frop.org" > /proc/sys/kernel/domainname

would suffice to set your hostname and NIS domainname.

/proc/sys/kernel/osrelease, /proc/sys/kernel/ostype, /proc/sys/kernel/version

The names make it pretty obvious what these fields contain:

# cat /proc/sys/kernel/osrelease
2.2.12
# cat /proc/sys/kernel/ostype
Linux
# cat /proc/sys/kernel/version
#4 Fri Oct 1 12:41:14 PDT 1999

The files osrelease and ostype should be clear enough. Version needs a little more clarification. The #4 means that this is the 4th kernel built from this source base and the date after it indicates the time the kernel was built. The only way to tune these values is to rebuild the kernel.

______________
"if you're not the lead dog the view is always the same"

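A way to check the settings quoted in the post above, including the case where tcp_syncookies does not exist because the kernel was built without CONFIG_SYNCOOKIES. This is an added example, not part of the original post; the function names and the baseline values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: audit some /proc/sys/net/ipv4 settings against a baseline.
# The baseline values below are illustrative assumptions, not from the post.

# check_sysctl ROOT NAME WANT: print one status line; return 0 ok, 1 differs, 2 missing
check_sysctl() {
    root=$1; name=$2; want=$3
    file="$root/$name"
    if [ ! -r "$file" ]; then
        # e.g. tcp_syncookies only exists when the kernel has CONFIG_SYNCOOKIES
        echo "MISSING $name (not compiled in or not readable)"
        return 2
    fi
    have=$(cat "$file")
    if [ "$have" = "$want" ]; then
        echo "OK      $name = $have"
        return 0
    fi
    echo "DIFF    $name = $have (baseline $want)"
    return 1
}

# audit [ROOT]: run every baseline check; return the number of non-OK settings
audit() {
    root=${1:-/proc/sys/net/ipv4}
    bad=0
    while read -r name want; do
        check_sysctl "$root" "$name" "$want" || bad=$((bad + 1))
    done <<EOF
ip_forward 0
ip_default_ttl 64
tcp_fin_timeout 60
tcp_syncookies 1
EOF
    return "$bad"
}

# Constructed sample tree standing in for a kernel without syncookies support
demo=$(mktemp -d)
echo 0   > "$demo/ip_forward"
echo 64  > "$demo/ip_default_ttl"
echo 180 > "$demo/tcp_fin_timeout"
audit "$demo" || echo "$? setting(s) need attention"
rm -rf "$demo"
```

Calling `audit` with no argument reads the live values under /proc/sys/net/ipv4 and changes nothing.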
Gn2


Joined: 16 Oct 2006
Posts: 936
Location: virtual - Veni vidi, nihil est adpulerit

Posted: Sat 03 Feb 2007, 00:34

With POWER comes responsibility - (Careful) - you may be in danger of hatching :P EGGDROPS

Combine w/ new TOR

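Code:
# show the previous, current and next month
cal -3

# list each account name with its GECOS (full name) field, sorted
awk -F: '{print $1 "," $5}' /etc/passwd | sort

# follow the web log and add a DROP rule for any client whose log line mentions these paths
tail --follow=name /var/log/httpd/access_log | awk '/mambo|xmlrpc\.php|drupal/ \
{ system("iptables -A INPUT -p tcp --dport 80 --source " $1 " -j DROP") }'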
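The log-watching one-liner in the post above passes the first log field straight to `system()`, matches the pattern anywhere in the line and appends a new rule on every hit. The following added example (not from the thread) validates the address, matches only the request path and de-duplicates; it assumes Apache common/combined log format, and the function names and sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: validated, de-duplicated variant of the one-liner.
# Assumes Apache common/combined log format: field 1 = client, field 7 = request path.

# candidates: read log lines on stdin, print each offending IPv4 address once
candidates() {
    awk '
        # match only the requested path, not the referer or user-agent
        $7 ~ /mambo|xmlrpc\.php|drupal/ {
            ip = $1
            # accept only a dotted quad; hostnames or junk never reach iptables
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            n = split(ip, o, ".")
            for (i = 1; i <= n; i++) if (o[i] + 0 > 255) next
            if (!(ip in seen)) { seen[ip] = 1; print ip }
        }'
}

# block: one DROP rule per address read from stdin.
# With IPT unset this is a dry run that only prints; IPT=iptables applies (needs root).
block() {
    ipt=${IPT:-}
    while read -r ip; do
        if [ -z "$ipt" ]; then
            echo "iptables -A INPUT -p tcp --dport 80 -s $ip -j DROP"
            continue
        fi
        # -C checks for an existing identical rule so repeats are not appended
        "$ipt" -C INPUT -p tcp --dport 80 -s "$ip" -j DROP 2>/dev/null ||
        "$ipt" -A INPUT -p tcp --dport 80 -s "$ip" -j DROP
    done
}

# Constructed sample log lines (documentation address ranges)
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [02/Feb/2007:13:48:00 -0400] "GET /xmlrpc.php HTTP/1.0" 404 210
192.0.2.10 - - [02/Feb/2007:13:48:01 -0400] "GET /mambo/index.php HTTP/1.0" 404 210
198.51.100.7 - - [02/Feb/2007:13:48:02 -0400] "GET /index.html HTTP/1.0" 200 512 "http://example.org/drupal" "-"
host.example.net - - [02/Feb/2007:13:48:03 -0400] "GET /drupal/ HTTP/1.0" 404 210
EOF
}

sample_log | candidates | block
```

For live use the pipeline would be `tail --follow=name /var/log/httpd/access_log | candidates | IPT=iptables block`; note that awk may buffer its output when writing to a pipe.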