linux 系统调优步骤 例

修改/etc/profile文件,加入:

  ulimit -u 10240

  ulimit -n 4096

  ulimit -d unlimited

  ulimit -m unlimited

  ulimit -s unlimited

  ulimit -t unlimited

  ulimit -v unlimited

  修改/etc/rc.d/rc.local,加入:

  echo ‘131072′ > /proc/sys/fs/file-max

  echo ‘131072′ > /proc/sys/fs/inode-max

  (1G内存值修改成:65535 2G内存值修改成:131072 4G内存值修改成:262144)

  修改/etc/sysctl.conf文件,加入:

  net.core.rmem_default = 8388608

  net.core.rmem_max = 8388608

  net.core.wmem_default = 8388608

  net.core.wmem_max = 8388608

  net.ipv4.tcp_timestamps = 0

  net.ipv4.tcp_sack =1

  net.ipv4.tcp_window_scaling = 1

  net.core.netdev_max_backlog=3000

  #Modify i-node

  sys.fs.file-max= 65535

  sys.fs.inode-max= 65535

  #Set System Memory

  vm.bdflush="30 500 0 0 500 3000 60 20 0"

  vm.kswapd="1024 32 64"

  #Disable HackAttack!

  net.ipv4.conf.eth0.accept_source_route=0

  net.ipv4.conf.lo.accept_source_route=0

  net.ipv4.conf.default.accept_source_route=0

  net.ipv4.conf.all.accept_source_route=0

  net.ipv4.conf.lo.accept_redirects=0

  net.ipv4.conf.all.accept_redirects=0

  net.ipv4.conf.eth0.accept_redirects=0

  net.ipv4.conf.default.accept_redirects=0

  net.ipv4.conf.lo.secure_redirects=0

  net.ipv4.conf.all.secure_redirects=0

  net.ipv4.conf.eth0.secure_redirects=0

  net.ipv4.conf.default.secure_redirects=0

  net.ipv4.conf.eth0.send_redirects=0

  net.ipv4.conf.lo.send_redirects=0

  net.ipv4.conf.default.send_redirects=0

  net.ipv4.conf.all.send_redirects=0

  net.ipv4.tcp_syncookies=1

  net.ipv4.icmp_echo_ignore_broadcasts=1

  net.ipv4.icmp_ignore_bogus_error_responses=1

  #Web Servers

  net.ipv4.tcp_tw_reuse=1

  net.ipv4.tcp_tw_recycle=1

  net.ipv4.tcp_fin_timeout=30

  net.ipv4.tcp_keepalive_time=1800

  net.ipv4.core.wmem_max=16777216

  net.ipv4.core.rmem_max=16777216

  net.ipv4.tcp_rmem="4096 87380 8388608"

  net.ipv4.tcp.wmem="4096 87380 8388608"

  net.ipv4.tcp_max_syn_backlog=8192

  防火墙安全:

  iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

  也有人写作

  iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT

  --limit 1/s 限制syn并发数每秒1次,可以根据自己的需要修改

  防止各种端口扫描

  iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

  Ping洪水攻击(Ping of Death)

  iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

  备注说明:(相对比较激进的网络参数调整)

  # Use TCP syncookies when needed

  net.ipv4.tcp_syncookies = 1

  # Enable TCP window scaling

  net.ipv4.tcp_window_scaling: = 1

  # Increase TCP max buffer size

  net.core.rmem_max = 16777216

  net.core.wmem_max = 16777216

  # Increase Linux autotuning TCP buffer limits

  net.ipv4.tcp_rmem = 4096 87380 8388608

  net.ipv4.tcp_wmem = 4096 65536 8388608

  # Increase number of ports available

  net.ipv4.ip_local_port_range = 1024 65000


你可能感兴趣的:(linux,调优)