可以通過/etc/sysctl.conf控制和配置 Linux內(nèi)核及網(wǎng)絡(luò)設(shè)置。 # 避免放大攻擊 net.ipv4.icmp_echo_ignore_broadcasts = 1 # 開啟惡意icmp錯誤消息保護(hù) net.ipv4.icmp_ignore_bogus_error_responses = 1 # 開啟SYN洪水攻擊保護(hù) net.ipv4.tcp_syncookies = 1 # 開啟并記錄欺騙,源路由和重定向包 net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 # 處理無源路由的包 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 # 開啟反向路徑過濾 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 # 確保無人能修改路由表 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 # 不充當(dāng)路由器 net.ipv4.ip_forward = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 # 開啟execshild kernel.exec-shield = 1 kernel.randomize_va_space = 1 # IPv6設(shè)置 net.ipv6.conf.default.router_solicitations = 0 net.ipv6.conf.default.accept_ra_rtr_pref = 0 net.ipv6.conf.default.accept_ra_pinfo = 0 net.ipv6.conf.default.accept_ra_defrtr = 0 net.ipv6.conf.default.autoconf = 0 net.ipv6.conf.default.dad_transmits = 0 net.ipv6.conf.default.max_addresses = 1 # 優(yōu)化LB使用的端口 # 增加系統(tǒng)文件描述符限制 fs.file-max = 65535 # 允許更多的PIDs (減少滾動翻轉(zhuǎn)問題); may break some programs 32768 kernel.pid_max = 65536 # 增加系統(tǒng)IP端口限制 net.ipv4.ip_local_port_range = 2000 65000 # 增加TCP最大緩沖區(qū)大小 net.ipv4.tcp_rmem = 4096 87380 8388608 net.ipv4.tcp_wmem = 4096 87380 8388608 # 增加Linux自動調(diào)整TCP緩沖區(qū)限制 # 最小,默認(rèn)和最大可使用的字節(jié)數(shù) # 最大值不低于4MB,如果你使用非常高的BDP路徑可以設(shè)置得更高 # Tcp窗口等 net.core.rmem_max = 8388608 net.core.wmem_max = 8388608 net.core.netdev_max_backlog = 5000 net.ipv4.tcp_window_scaling = 1 |