Optimize sysctl.conf

# vi /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
 
# Disables packet forwarding
net.ipv4.ip_forward=0
 
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
 
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
 
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
 
# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.lo.log_martians = 0
net.ipv4.conf.eth0.log_martians = 0
 
# Disables IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.lo.accept_source_route = 0
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
 
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
 
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
 
# Disables the magic-sysrq key
kernel.sysrq = 0
 
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 15
 
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
 
# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
 
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
 
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
 
# Enable TCP SYN Cookie Protection
net.ipv4.tcp_syncookies = 1
 
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
 
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
 
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
 
# Increases the size of the socket queue (effectively, q0).
net.ipv4.tcp_max_syn_backlog = 1024
 
# Increase the tcp-time-wait buckets pool size
net.ipv4.tcp_max_tw_buckets = 1440000
 
# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65536

For changes to take affect right away

MySQL Optimization (my.cnf)

Source

# vi /etc/my.cnf

#opteron 852 4GB RAM
[mysqld]
safe-show-database
max_connections = 500
key_buffer = 150M
myisam_sort_buffer_size = 64M
join_buffer_size = 1M
read_buffer_size = 1M
sort_buffer_size = 1M
table_cache = 1024
thread_cache_size = 100
wait_timeout = 300
connect_timeout = 10
max_allowed_packet = 16M
max_connect_errors = 10
query_cache_limit = 1M
query_cache_size = 32M
query_cache_type = 1
skip-innodb
thread_concurrency=4
 
[mysqld_safe]
open_files_limit = 8192
 
[mysqldump]
quick
max_allowed_packet = 16M
 
[myisamchk]
key_buffer = 64M
sort_buffer = 64M
read_buffer = 16M
write_buffer = 16M[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
skip-locking
#skip-networking
safe-show-database
query_cache_limit=1M
query_cache_size=128M ## 32MB for every 1GB of RAM
query_cache_type=1
max_user_connections=200
max_connections=500
interactive_timeout=10
wait_timeout=20
connect_timeout=20
thread_cache_size=128
key_buffer=256M ## 64MB for every 1GB of RAM
join_buffer=1M
max_connect_errors=20
max_allowed_packet=16M
table_cache=1024
record_buffer=1M
sort_buffer_size=4M ## 1MB for every 1GB of RAM
read_buffer_size=4M ## 1MB for every 1GB of RAM
read_rnd_buffer_size=4M  ## 1MB for every 1GB of RAM
thread_concurrency=4 ## Number of CPUs x 2
myisam_sort_buffer_size=64M
server-id=1
log_slow_queries=/var/log/mysql-slow-queries.log
long_query_time=2
collation-server=latin1_general_ci
old-passwords
 
[mysql.server]
user=mysql
basedir=/var/lib
 
[safe_mysqld]
err-log=/var/log/mysqld.log
pid-file=/var/lib/mysql/mysql.pid
open_files_limit=8192
 
[mysqldump]
quick
max_allowed_packet=16M
 
[mysql]
no-auto-rehash
#safe-updates
 
[isamchk]
key_buffer=32M
sort_buffer=32M
read_buffer=16M
write_buffer=16M
 
[myisamchk]
key_buffer=32M
sort_buffer=32M
read_buffer=16M
write_buffer=16M
 
[mysqlhotcopy]
interactive-timeout

How-to: Secure tmp directories on linux

source: www.eth0.us: How-To: Secure your temp directories

Every system needs temporary folders that any user is able to read and write BUT these directories should not be able to execute programs or scripts. Though this will only protect you from somebody running the script directly it will help with a large portion of the automated rootkits and trojans that script kiddies use. They will still be able to put the files on the system but they will be unable to execute them and create the back door. One of the biggest problems is php injection via apache in which people will have apache download and then run an exploit. Securing the temp directories is probably the single biggest thing you can do towards securing your server.

Tags: Server Linux security how-to

Preventing DoS Attacks using mod_dosevasive

source

Firewall settings are great for preventing Denial of Service (DoS) attacks, however it may not always be your only solution. The day has finally arrived when I found this excellent module called mod_dosevasive (DoS Evasive) which keeps track of how many requests each client makes to your server within intervals. If a client is being forceful with your server and making too many requests, then it is more than likely not just a web browser but some automated process unleashed on your site to try and take it down.

This handy Apache module we have found takes care of these issues. Let's get started by setting it up.

Tags: Linux

(IBM.com) System Administrators Toolkit: Monitoring a slow system

Source

About this series

The typical UNIX® administrator has a key range of utilities, tricks, and systems he or she uses regularly to aid in the process of administration. There are key utilities, command line chains, and scripts that are used to simplify different processes. Some of these tools come with the operating system, but a majority of the tricks come through years of experience and a desire to ease the system administrator's life. The focus of this series is on getting the most from the available tools across a range of different UNIX environments, including methods of simplifying administration in a heterogeneous environment.

Tags: Troubleshooting

Preventing DDoS Attacks

source: http://www.linuxsecurity.com/content/view/121960/49/

In this article I am trying to explain what DDOS is and how it can be prevented. DDOS happens due to lack of security awareness of the network/server owners. On a daily basis we hear that a particular machine is under DDOS attack or NOC has unplugged the machine due to DDOS attack . So DDOS has become one of the common issues in this electronics world. DDOS is like a disease which doesn't have an anti-viral developed. So we should be carefull while dealing with it . Never take it lightly. In this article i am trying to explain the steps/measures which will help us defend from DDOS attack ,up to a certain extend .

Tags: Linux

How to prevent spam

Source: http://www.wordsandpeople.com/security/how-to-prevent-spam.htm

Spam: If you have an email address I bet you're fed up with the unsolicited mail you receive. The increase in spam has virtually relegated email as an adult only facility. Spam is a waste of our time. Many spam emails are obscene, many are offensive or insulting to one's inteligence e.g. "I have a zillion pounds that I want to put into your bank account, please fax your bank account details to me...This is not a scam, honest!".

Tags: HELP