Kernel and TCP Tuning

#1 Post by Mic67 »

Well, after about 4 months of using Puppy Linux and Linux in general, I haven't remastered it or compiled any applications yet. But I have spent most of my time, regarding the security aspects, on IPTABLES and the firewall in particular, which allow you to control a lot, and from the continued research and application thereof the upper limit of knowledge is almost -- practically -- limitless, at least for a newbie like me. Although I have enjoyed much success...

Forum member "Gn2" convinced me to go beyond just that knowledge - thanks.

If you are using a live Puppy CD you can make attempts to "tune your kernel" without saving anything, as every reboot is a fresh OS, at least in my instance.

I have done a lot of tuning; although I haven't perfected it yet, I have had some success and acquired great knowledge of the Linux system as a newbie.

There is a lot more to be said of how and why on kernel tuning: my purpose and success as well as issues. Here is some info for those interested.


http://ipsysctl-tutorial.frozentux.net/ ... orial.html

Ipsysctl tutorial 1.0.4
Why this document

I started writing this documentation in the hopes that it would help people understand the IP options provided by Linux 2.4, and what you can do with these options. This is plain text documentation, hoping to give the necessary understanding and help to configure your kernel on the fly, and to get it up and running in a way that suits you. A lot of these options can also be used to increase performance, as well as strengthen the security.

Intended audience & prerequisite knowledge

This document is intended for everyone with an intermediate through advanced understanding of TCP/IP as well as the Linux operating system. You should understand TCP/IP fairly well, as well as understand what a packet header is and what parts it consists of. You will also need a lot of understanding of routing and the core of TCP/IP networking.

In general, this document was not intended for the novice Linux user, but you may have some luck checking through this document if you are experiencing specific needs. Be absolutely 100% certain that you have understood the variables in question before you do change them though, since some of them may cause really interesting results.

http://gentoo-wiki.com/HOWTO_TCP_Tuning

http://linux-net.osdl.org/index.php/Ip-sysctl

Examples from /proc/sys/net/ipv4:

ip_forward
BOOLEAN 0 - disabled (default)
Forward packets between interfaces. This variable is special: changing it resets all configuration parameters to their default state (RFC1122 for hosts, RFC1812 for routers).

ip_default_ttl
INTEGER default 64


Even better descriptions:
http://www-didc.lbl.gov/TCP-tuning/ip-sysctl-2.6.txt
/proc/sys/net/ipv4/* Variables:

Example:

tcp_fin_timeout - INTEGER
Time to hold socket in state FIN-WAIT-2, if it was closed
or even died unexpectedly. Default value is 60sec.
The usual value used in 2.2 was 180 seconds; you may restore
it, but remember that if your machine is even an underloaded WEB server,
you risk overflowing memory with kilotons of dead sockets.
FIN-WAIT-2 sockets are less dangerous than FIN-WAIT-1,
because they eat a maximum of 1.5K of memory, but they tend
to live longer. Cf. tcp_max_orphans.

AND

NOTE THIS IS MISSING IN THE PUPPYOS.

tcp_syncookies - BOOLEAN
Only valid when the kernel was compiled with CONFIG_SYNCOOKIES.
Send out syncookies when the syn backlog queue of a socket
overflows. This is to protect against the common 'syn flood attack'.
Default: FALSE

Note that syncookies is a fallback facility.
It MUST NOT be used to help highly loaded servers to stand
against a legal connection rate. If you see synflood warnings
in your logs, but investigation shows that they occur
because of overload with legal connections, you should tune
other parameters until this warning disappears.
See: tcp_max_syn_backlog, tcp_synack_retries, tcp_abort_on_overflow.

syncookies seriously violate the TCP protocol, do not allow
the use of TCP extensions, and can result in serious degradation
of some services (e.g. SMTP relaying), visible not to you,
but to your clients and relays contacting you. While you see
synflood warnings in logs without really being flooded, your server
is seriously misconfigured.


http://rootprompt.org/article.php3?article=903
Amateur Fortress Building in Linux
Part 1

http://www.gentoo.org/doc/en/security/s ... =printable
Kernel Security

http://www.cs.helsinki.fi/linux/linux-kernel/20
http://lists.netfilter.org/pipermail/ne ... /1716.html

http://www.samag.com/documents/s=8920/s ... /0311a.htm
Linux Kernel Tuning Using System Control

http://www.linuxforums.org/desktop/linu ... uning.html
Why tuning my system?

http://www.linuxforums.org/forum/linux- ... linux.html
-------------------------------
http://www.linux.com/guides/Linux-Files ... proc.shtml

/proc/sys/kernel/domainname, /proc/sys/kernel/hostname

"/proc is very special in that it is also a virtual filesystem. It's sometimes referred to as a process information pseudo-file system. It doesn't contain 'real' files but runtime system information (e.g. system memory, devices mounted, hardware configuration, etc). For this reason it can be regarded as a control and information centre for the kernel."

By altering files located in this directory you can even read/change kernel parameters (sysctl) while the system is running.

These files can be controlled to set the NIS domainname and hostname of your box. For the classic darkstar.frop.org a simple:

# echo "darkstar" > /proc/sys/kernel/hostname
# echo "frop.org" > /proc/sys/kernel/domainname

would suffice to set your hostname and NIS domainname.

/proc/sys/kernel/osrelease, /proc/sys/kernel/ostype, /proc/sys/kernel/version

The names make it pretty obvious what these fields contain:

# cat /proc/sys/kernel/osrelease
2.2.12
# cat /proc/sys/kernel/ostype
Linux
# cat /proc/sys/kernel/version
#4 Fri Oct 1 12:41:14 PDT 1999

The files osrelease and ostype should be clear enough. Version needs a little more clarification. The #4 means that this is the 4th kernel built from this source base and the date after it indicates the time the kernel was built. The only way to tune these values is to rebuild the kernel.

______________
"if your not the lead dog the view is always the same"
Last edited by Mic67 on Wed 14 Feb 2007, 03:19, edited 1 time in total.
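The post above reads and sets kernel parameters through the /proc/sys files. As an added example (not code from the thread or from Puppy), the script below audits the three keys whose documentation is quoted above and can write them back the same way; the baseline values, the ROOT parameter and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit (and optionally apply) a few
# sysctl keys quoted above by reading/writing their /proc/sys files directly,
# as the /proc guide does with "echo ... > /proc/sys/kernel/hostname".
# Baseline values are this example's assumption, drawn from the docs quoted:
#   tcp_syncookies  1   SYN-flood fallback; file absent without CONFIG_SYNCOOKIES
#   ip_forward      0   a workstation or live CD is a host, not a router
#   tcp_fin_timeout 60  documented default; 180 holds dead sockets longer
SYSCTL_BASELINE='net/ipv4/tcp_syncookies 1
net/ipv4/ip_forward 0
net/ipv4/tcp_fin_timeout 60'

# audit_sysctl [ROOT]: print OK/FAIL/MISSING per key and return how many keys
# are off baseline. ROOT defaults to /proc/sys; a test can point it at a fake tree.
audit_sysctl() {
    root="${1:-/proc/sys}"
    bad=0
    while read -r key want; do
        file="$root/$key"
        if [ ! -r "$file" ]; then
            echo "MISSING $key (kernel built without this option)"
            bad=$((bad + 1))
            continue
        fi
        have=$(cat "$file")
        if [ "$have" = "$want" ]; then
            echo "OK      $key = $have"
        else
            echo "FAIL    $key = $have (want $want)"
            bad=$((bad + 1))
        fi
    done <<EOF
$SYSCTL_BASELINE
EOF
    return "$bad"
}

# apply_sysctl [ROOT]: write baseline values, skipping keys the kernel does not
# expose. Needs root on a real /proc/sys; on a live CD it is gone after reboot.
apply_sysctl() {
    root="${1:-/proc/sys}"
    while read -r key want; do
        [ -w "$root/$key" ] && echo "$want" > "$root/$key"
    done <<EOF
$SYSCTL_BASELINE
EOF
    return 0
}
```

Source the file and run `audit_sysctl` to see the live values; a MISSING line for tcp_syncookies is exactly the "missing in Puppy" case the post mentions.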

Gn2
Posts: 943
Joined: Mon 16 Oct 2006, 05:33
Location: virtual - Veni vidi, nihil est adpulerit

#2 Post by Gn2 »

With POWER comes responsibility - (Careful) - you may be in danger of hatching :P EGGDROPS

Combine w/ new TOR

Code:

# three-month calendar
cal -3

# list account names with their GECOS field, sorted
awk -F: '{print $1 "," $5}' /etc/passwd | sort

# follow the web server log and drop any source probing for known CMS paths
tail --follow=name /var/log/httpd/access_log | awk '/mambo|xmlrpc.php|drupal/ \
{ system("iptables -A INPUT -p tcp --dport 80 --source " $1 " -j DROP") }'
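The last command above feeds whatever appears in the first log field straight into an iptables command. As an added example (not code from the thread), the script below keeps the same log-to-firewall idea but only passes a well-formed dotted-quad address to system() and adds one rule per address; the sample log lines are constructed, and IPTABLES defaults to echo so it only prints the rules it would add.

```shell
#!/bin/sh
# Added example, not from the thread: access_log -> iptables, with two checks
# the one-liner lacks (source must be a dotted quad; one rule per address).
# The log lines are constructed test data; set IPTABLES=iptables as root to apply.
IPTABLES="${IPTABLES:-echo}"

SAMPLE_LOG='203.0.113.7 - - [14/Feb/2007:03:19:00 +0000] "GET /xmlrpc.php HTTP/1.0" 404 287
198.51.100.22 - - [14/Feb/2007:03:19:01 +0000] "GET /index.html HTTP/1.0" 200 1043
203.0.113.7 - - [14/Feb/2007:03:19:02 +0000] "GET /mambo/index.php HTTP/1.0" 404 287
bogus-host - - [14/Feb/2007:03:19:03 +0000] "GET /drupal/ HTTP/1.0" 404 287'

# block_scanners < log: for each request matching the probe patterns, run one
# DROP rule per distinct, well-formed IPv4 source (printed when IPTABLES=echo).
block_scanners() {
    awk -v ipt="$IPTABLES" '
        /mambo|xmlrpc\.php|drupal/ {
            ip = $1
            # Only a dotted quad may reach system(); anything else is skipped.
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            if (seen[ip]++) next   # already handled this address
            system(ipt " -A INPUT -p tcp --dport 80 --source " ip " -j DROP")
        }'
}
```

Run it on the sample with `echo "$SAMPLE_LOG" | block_scanners`; on a live box replace the echo with `tail --follow=name /var/log/httpd/access_log | block_scanners`.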
