The /etc/sysctl.conf file contains kernel parameters that control how the Linux kernel interacts with various system resources. Modifying this file allows you to optimize performance, security, and resource management. In the context of Anti-DDoS measures for CentOS, these settings are designed to harden the system and improve its resilience to Distributed Denial of Service (DDoS) attacks.
Put the settings below in your /etc/sysctl.conf file and apply them with sysctl -p. The net.netfilter.* keys only exist once the nf_conntrack module is loaded, so load it (or have a firewall rule that uses connection tracking in place) before applying, otherwise sysctl reports those keys as unknown.
kernel.printk = 4 4 1 7
kernel.panic = 10
kernel.sysrq = 0
kernel.shmmax = 4294967296
kernel.shmall = 4194304
kernel.core_uses_pid = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
vm.swappiness = 20
vm.dirty_ratio = 80
vm.dirty_background_ratio = 5
fs.file-max = 2097152
net.core.netdev_max_backlog = 262144
net.core.rmem_default = 31457280
net.core.rmem_max = 67108864
net.core.wmem_default = 31457280
net.core.wmem_max = 67108864
net.core.somaxconn = 65535
net.core.optmem_max = 25165824
net.ipv4.neigh.default.gc_thresh1 = 4096
net.ipv4.neigh.default.gc_thresh2 = 8192
net.ipv4.neigh.default.gc_thresh3 = 16384
net.ipv4.neigh.default.gc_interval = 5
net.ipv4.neigh.default.gc_stale_time = 120
net.netfilter.nf_conntrack_max = 10000000
net.netfilter.nf_conntrack_tcp_loose = 0
net.netfilter.nf_conntrack_tcp_timeout_established = 1800
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 10
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 20
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 20
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 20
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 20
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 10
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.route.flush = 1
net.ipv4.route.max_size = 8048576
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_congestion_control = htcp
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144
net.ipv4.tcp_rmem = 4096 87380 33554432
net.ipv4.udp_rmem_min = 16384
net.ipv4.tcp_wmem = 4096 87380 33554432
net.ipv4.udp_wmem_min = 16384
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 400000
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_max_syn_backlog = 16384
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_ecn = 2
net.ipv4.tcp_fin_timeout = 10
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 10
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
Here’s an explanation of these settings:
kernel.panic = 10: Reboots the system 10 seconds after a kernel panic, keeping downtime short after a critical failure.
kernel.sysrq = 0: Disables the magic SysRq key, which gives low-level access to system commands and is a potential security risk.
kernel.core_uses_pid = 1: Adds the process ID (PID) to the core dump filename, which is helpful for debugging.
kernel.printk = 4 4 1 7: Controls kernel logging verbosity; the first value is the console log level, so only messages of warning severity or more urgent reach the console.
vm.swappiness = 20: Controls how aggressively the system swaps memory to disk. A lower value such as 20 reduces swapping and keeps processes in RAM, which improves performance.
vm.dirty_ratio = 80: The percentage of system memory that may be filled with "dirty" pages (pages still to be written to disk) before processes are forced to write to disk themselves.
vm.dirty_background_ratio = 5: When the percentage of dirty pages reaches this value, the kernel's background writeback starts flushing them to disk.
fs.file-max = 2097152: Sets the maximum number of file descriptors (open files) the system can handle, which is essential for high-traffic servers.
net.core.netdev_max_backlog = 262144: Maximum number of packets that can be queued on the receive side of a network interface before the kernel processes them. Higher values allow more incoming traffic to be buffered.
net.core.rmem_max, net.core.wmem_max: Set the maximum receive (rmem) and send (wmem) buffer sizes for network sockets, helping handle large amounts of data efficiently.
net.core.somaxconn = 65535: Increases the maximum number of completed connections that can be queued waiting for accept(), useful for web servers under high load.
net.ipv4.neigh.default.gc_thresh1/2/3: Manage neighbor (ARP) table limits, controlling when stale ARP entries are garbage collected and so how much memory the table uses.
net.netfilter.nf_conntrack_max = 10000000: Sets the maximum number of connections the connection tracking table can hold. A higher value is crucial for handling many simultaneous connections during DDoS attacks; each tracked connection costs a few hundred bytes of unswappable kernel memory, so size this value to the RAM available.
net.netfilter.nf_conntrack_tcp_loose = 0: Enables strict TCP tracking: the connection tracker only accepts flows whose handshake it saw and does not pick up connections mid-stream.
net.netfilter.nf_conntrack_tcp_timeout_*: Define the TCP connection tracking timeouts for each state (established, close, FIN_WAIT, and so on). Shorter timeouts release tracking entries sooner and help prevent resource exhaustion under attack.
net.ipv4.tcp_max_tw_buckets = 1440000: Sets the maximum number of TCP sockets in the TIME_WAIT state. A higher value helps handle large numbers of connections.
net.ipv4.tcp_tw_recycle = 0: Disables fast recycling of TIME_WAIT sockets, which breaks clients behind NAT. The parameter was removed in Linux 4.12, so on newer kernels the line must be dropped or sysctl reports an unknown key.
net.ipv4.tcp_tw_reuse = 1: Allows TIME_WAIT sockets to be reused for new outgoing connections, useful in high-traffic environments.
net.ipv4.tcp_syncookies = 1: Enables TCP SYN cookies, which let the server keep accepting connections when the SYN backlog is full and so mitigate SYN floods, a common DDoS technique.
net.ipv4.tcp_max_syn_backlog = 16384: Increases the size of the SYN backlog queue, allowing more half-open connections to be tracked under high load.
net.ipv4.tcp_fin_timeout = 10: Reduces the FIN_WAIT_2 timeout for orphaned connections, releasing resources more quickly during TCP connection termination.
net.ipv4.icmp_echo_ignore_broadcasts = 1: Stops the system from answering ICMP echo requests sent to broadcast addresses, which can be exploited in amplification (smurf) attacks.
net.ipv4.icmp_ignore_bogus_error_responses = 1: Stops the kernel from logging bogus ICMP error responses sent by non-compliant routers, keeping the logs from filling up.
net.ipv4.tcp_rfc1337 = 1: Implements the RFC 1337 mitigation against "TIME-WAIT assassination", where a stray RST could tear down a connection in the TIME_WAIT state.
net.ipv4.conf.all.accept_redirects = 0: Ignores ICMP redirect messages, which can be used for man-in-the-middle attacks.
net.ipv4.conf.all.accept_source_route = 0: Prevents the system from accepting source-routed packets, which can be used for spoofing.
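Applying the list above with a bare sysctl -p works on the kernel it was written for, but two of its entries depend on the running system: net.ipv4.tcp_tw_recycle no longer exists on Linux 4.12 and later, and the net.netfilter.* keys only appear once the nf_conntrack module is loaded. The script below is an added example, not part of the original post: it keeps only the keys the running kernel exposes under /proc/sys, writes them to a drop-in, and then reports which desired values are still not in effect. The file names sysctl_check.sh, anti-ddos.conf and /etc/sysctl.d/90-anti-ddos.conf are assumptions; the second argument to each function (the proc root) exists so the logic can be exercised against a constructed directory tree instead of the live kernel.

```shell
#!/bin/sh
# Added example, not part of the original post. Applies the post's settings
# only for keys the running kernel actually exposes, then reports which
# desired values are not in effect. The second argument (proc root) defaults
# to /proc/sys; tests point it at a constructed directory tree.

# Map a sysctl key such as net.ipv4.tcp_syncookies to its file below the
# proc root. Keys that contain interface names with dots in them (for
# example net.ipv4.conf.eth0.100.rp_filter) are ambiguous here; none of the
# keys in the post are of that kind.
key_to_path() {
    printf '%s/%s\n' "$1" "$(printf '%s' "$2" | tr . /)"
}

# Read a "key = value" file and print only the lines whose key exists as a
# file below the proc root. Skipped keys (tcp_tw_recycle on a kernel newer
# than 4.12, or net.netfilter.* before nf_conntrack is loaded) are named on
# stderr so nothing is silently dropped.
filter_supported() {
    conf="$1"; root="${2:-/proc/sys}"
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//')
        if [ -f "$(key_to_path "$root" "$key")" ]; then
            printf '%s\n' "$line"
        else
            printf 'skipping %s: not present on this kernel\n' "$key" >&2
        fi
    done < "$conf"
}

# Compare each desired value with what the kernel currently reports and
# print "key: current -> desired" for every mismatch. Returns 1 when any
# value differs, so it can gate a deployment or feed a monitoring check.
# Tabs in multi-value keys (kernel.printk, tcp_mem) are normalised to spaces.
report_drift() {
    conf="$1"; root="${2:-/proc/sys}"; rc=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*//')
        want=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//')
        path=$(key_to_path "$root" "$key")
        # Skip keys that are absent or cannot be read (net.ipv4.route.flush
        # is write-only and is only a trigger, not a persistent value).
        [ -r "$path" ] || continue
        have=$(tr '\t' ' ' < "$path" 2>/dev/null) || continue
        if [ "$have" != "$want" ]; then
            printf '%s: %s -> %s\n' "$key" "$have" "$want"
            rc=1
        fi
    done < "$conf"
    return "$rc"
}

# Usage as root, with the post's settings saved in anti-ddos.conf (assumed
# file names):
#   sh sysctl_check.sh apply anti-ddos.conf
# A drop-in under /etc/sysctl.d is reapplied by systemd-sysctl at boot;
# `sysctl -p FILE` applies it immediately.
if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    filter_supported "$2" > /etc/sysctl.d/90-anti-ddos.conf
    sysctl -p /etc/sysctl.d/90-anti-ddos.conf
    report_drift "$2"
fi
```

Run report_drift on its own from cron or a configuration check after any kernel or firewall change: a non-zero exit means a value the post relies on (SYN cookies, conntrack limits, the ICMP and redirect settings) is no longer in effect, which is exactly the state you want to notice before traffic spikes rather than during one.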