forked from DevOps/deploy.stack
chore: 添加系统安全与性能优化配置文件
添加了 `limits.conf` 和 `sysctl.conf` 配置文件,用于优化系统资源限制、网络性能和安全性。这些配置包括增加文件句柄数、优化TCP连接、防止资源耗尽以及增强系统安全性等。
This commit is contained in:
9
etc/security/limits.conf
Normal file
9
etc/security/limits.conf
Normal file
@@ -0,0 +1,9 @@
|
||||
#<domain> <type> <item> <value>
|
||||
#
|
||||
|
||||
* soft nproc 65535
|
||||
* hard nproc 65535
|
||||
* soft nofile 65535
|
||||
* hard nofile 65535
|
||||
root soft nofile 65535
|
||||
root hard nofile 65535
|
||||
69
etc/sysctl.conf
Normal file
69
etc/sysctl.conf
Normal file
@@ -0,0 +1,69 @@
|
||||
# 网络桥接配置
|
||||
net.bridge.bridge-nf-call-ip6tables = 1
|
||||
net.bridge.bridge-nf-call-iptables = 1
|
||||
net.bridge.bridge-nf-call-arptables = 1
|
||||
net.ipv4.ip_forward = 1
|
||||
|
||||
# 减少TIME_WAIT数量(高并发场景)
|
||||
net.ipv4.tcp_keepalive_time = 600
|
||||
net.ipv4.tcp_keepalive_probes = 3
|
||||
net.ipv4.tcp_keepalive_intvl = 15
|
||||
|
||||
# 提升连接数和吞吐量
|
||||
net.core.somaxconn = 65535
|
||||
net.core.netdev_max_backlog = 32768
|
||||
|
||||
# 加快TCP回收和重用 (适用于短连接服务)
|
||||
net.ipv4.tcp_fin_timeout = 30
|
||||
net.ipv4.tcp_tw_reuse = 1
|
||||
|
||||
# 减少TIME_WAIT数量(高并发场景)
|
||||
net.ipv4.tcp_keepalive_time = 600
|
||||
net.ipv4.tcp_keepalive_probes = 3
|
||||
net.ipv4.tcp_keepalive_intvl = 15
|
||||
|
||||
# 内存缓存优化
|
||||
net.core.rmem_max = 16777216 # 接收窗口最大值
|
||||
net.core.wmem_max = 16777216 # 发送窗口最大值
|
||||
net.ipv4.tcp_rmem = 4096 87380 16777216
|
||||
net.ipv4.tcp_wmem = 4096 16384 16777216
|
||||
|
||||
vm.swappiness = 0 # 降低交换分区使用倾向
|
||||
vm.dirty_ratio = 20 # 系统级脏页占比阈值
|
||||
vm.dirty_background_ratio = 10 # 后台回写脏页阈值
|
||||
vm.dirty_expire_centisecs = 3000 # 脏页超时回写时间(单位:厘秒)
|
||||
|
||||
# 防止资源耗尽
|
||||
kernel.pid_max = 4194303 # 支持更多进程(容器场景需要)
|
||||
user.max_pid_namespaces = 14336 # 适应大量容器实例
|
||||
fs.file-max = 1000000 # 最大文件句柄数
|
||||
fs.protected_hardlinks = 1 # 禁止恶意硬链接操作
|
||||
fs.protected_symlinks = 1 # 禁止恶意软链接操作
|
||||
|
||||
# 限制内核信息暴露(等保要求)
|
||||
kernel.kptr_restrict = 2
|
||||
kernel.dmesg_restrict = 1
|
||||
|
||||
# 禁止ICMP重定向(防中间人攻击)
|
||||
net.ipv4.conf.all.accept_redirects = 0
|
||||
net.ipv4.conf.default.accept_redirects = 0
|
||||
net.ipv4.conf.all.secure_redirects = 0
|
||||
net.ipv6.conf.all.accept_redirects = 0
|
||||
|
||||
# 开启反向路径过滤(防IP欺骗)
|
||||
net.ipv4.conf.all.rp_filter = 1
|
||||
net.ipv4.conf.default.rp_filter = 1
|
||||
|
||||
net.core.netdev_budget = 600 # 增加单次NAPI处理数据包数量
|
||||
net.ipv4.tcp_abort_on_overflow = 1 # 拒绝超过队列的请求(防雪崩)
|
||||
# 加速连接回收(短连接RPC场景)
|
||||
net.ipv4.tcp_fastopen = 3 # 开启TFO加速(需应用层支持)
|
||||
net.ipv4.tcp_slow_start_after_idle = 0
|
||||
net.ipv4.tcp_adv_win_scale = 2 # 增加应用层缓冲区比例
|
||||
net.ipv4.tcp_app_win = 64 # 保留最后64字节数据防重叠
|
||||
|
||||
# 防止SYN洪水
|
||||
net.ipv4.tcp_syncookies = 1 # 开启SYN Cookie
|
||||
net.ipv4.tcp_max_syn_backlog = 8192 # 最大SYN队列长度
|
||||
net.ipv4.tcp_synack_retries = 2 # SYN-ACK重试次数
|
||||
net.ipv4.tcp_syn_retries = 2 # SYN重试次数
|
||||
Reference in New Issue
Block a user