Linux Kernel Parameter
About Linux kernel parameters (Linux Kernel Parameter)

-> A way to optimize the system by controlling the values of the Linux kernel's parameters.
-> Linux kernel parameters are exposed under the /proc/sys directory.

(e.g.) net.ipv4.icmp_echo_ignore_all <---> /proc/sys/net/ipv4/icmp_echo_ignore_all

How to set a kernel parameter

(temporary) # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
(persistent) # sysctl -w net.ipv4.icmp_echo_ignore_all=1 ; sysctl -p

or

# vi /etc/sysctl.conf
net.ipv4.icmp_echo_ignore_all = 1
# sysctl -p

 

sysctl CMD, /etc/sysctl.conf

 

(1) sysctl CMD

 

NAME
sysctl - configure kernel parameters at runtime

SYNOPSIS
sysctl [-n] [-e] variable ...
sysctl [-n] [-e] [-q] -w variable=value ...
sysctl [-n] [-e] [-q] -p <filename>
sysctl [-n] [-e] -a
sysctl [-n] [-e] -A

DESCRIPTION
sysctl is used to modify kernel parameters at runtime. The parameters available are those listed under /proc/sys/. Procfs is required for sysctl(8) support in Linux. You can use sysctl(8) to both read and write sysctl data.

PARAMETERS
-n  Use this option to disable printing of the key name when printing values.
-w  Use this option when you want to change a sysctl setting.
-p  Load in sysctl settings from the file specified or /etc/sysctl.conf if none given. Specifying - as filename means reading data from standard input.
-a  Display all values currently available.
-A  Same as -a

 

(command formats)

# sysctl -a (# sysctl -a | grep icmp)
# sysctl -p (/etc/sysctl.conf)
# sysctl -n net.ipv4.icmp_echo_ignore_all
# sysctl -w net.ipv4.icmp_echo_ignore_all=0

[Lab] sysctl CMD

Target selection

# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 0

# sysctl -a
.... (omitted) ....
# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 0

# sysctl -n net.ipv4.ip_forward
0

# sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1

# cat /proc/sys/net/ipv4/ip_forward
1

# cat /etc/sysctl.conf | grep ip_forward
net.ipv4.ip_forward = 0

# sysctl -w net.ipv4.ip_forward=0
net.ipv4.ip_forward = 0

# cat /proc/sys/net/ipv4/ip_forward
0

# cat /etc/sysctl.conf | grep ip_forward
net.ipv4.ip_forward = 0

# vi /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
[Before]
net.ipv4.ip_forward = 0

[After]
net.ipv4.ip_forward = 1

.... (omitted) ....

# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 0

# cat /proc/sys/net/ipv4/ip_forward
0

# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456

# sysctl -a | grep ip_forward
net.ipv4.ip_forward = 1

# cat /proc/sys/net/ipv4/ip_forward
1
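The lab above shows sysctl -w changing only the live value under /proc/sys while /etc/sysctl.conf still holds the old one, so the two drift apart until sysctl -p reloads the file. The POSIX shell script below is an added example, not code from the original post: it reads each key = value pair from a sysctl.conf-style file, maps the key to its /proc/sys path the same way the post does, and reports every key whose live value differs from the file or does not exist on the running kernel. The function names and the two path arguments (config file, proc root) are my own choices so the check can also be pointed at a staged copy.

```shell
#!/bin/sh
# Added example (not from the original post): report drift between the values
# persisted in a sysctl.conf-style file and the live values under /proc/sys.
# Both paths are arguments so the check can run against a staged copy.

# Map a dotted key to its procfs path: net.ipv4.ip_forward -> $2/net/ipv4/ip_forward
# Assumes dot-separated keys; interface names that themselves contain dots
# (e.g. VLAN sub-interfaces) are not handled here.
sysctl_key_to_path() {
    printf '%s/%s\n' "$2" "$(printf '%s' "$1" | tr '.' '/')"
}

# Collapse whitespace so "2000 65000" in the file equals the tab-separated
# "2000<TAB>65000" the kernel prints for ip_local_port_range.
norm_ws() {
    printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# sysctl_drift CONF PROCROOT
# Prints one line per mismatch: "KEY persisted=<file> live=<kernel>", or
# "KEY persisted=<file> live=MISSING" when the kernel exposes no such key
# (a key from a different kernel build, like kernel.exec-shield). Prints
# nothing when the live state matches the file.
sysctl_drift() {
    # drop comment lines (# or ;) and lines without key=value, then split on '='
    sed -e 's/[#;].*//' -e '/=/!d' "$1" | while IFS='=' read -r key want; do
        key=$(norm_ws "$key")
        want=$(norm_ws "$want")
        path=$(sysctl_key_to_path "$key" "$2")
        if [ ! -r "$path" ]; then
            printf '%s persisted=%s live=MISSING\n' "$key" "$want"
            continue
        fi
        live=$(norm_ws "$(cat "$path")")
        [ "$live" = "$want" ] || printf '%s persisted=%s live=%s\n' "$key" "$want" "$live"
    done
}

# sysctl_check [CONF] [PROCROOT]: returns 0 when no drift, 1 (and prints it) otherwise
sysctl_check() {
    drift=$(sysctl_drift "${1:-/etc/sysctl.conf}" "${2:-/proc/sys}")
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}
```

Run as root with no arguments to compare the real /etc/sysctl.conf against the running kernel; a non-zero exit means someone changed a value with sysctl -w (or the file) without the two being reconciled.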

 

 

 

(2) The /etc/sysctl.conf file

# rpm -qa | grep kernel
kernel-2.6.18-411.el5
kernel-2.6.18-194.el5
kernel-headers-2.6.18-411.el5

kernel-2.6.18-411.el5 : kernel package
kernel-headers-2.6.18-411.el5 : kernel source code (e.g. needed when installing a driver that has to be compiled)

# yum -y install kernel-doc
-> output omitted

# rpm -ql kernel-doc | grep sysctl
/usr/share/doc/kernel-doc-2.6.18/Documentation/networking/ip-sysctl.txt
/usr/share/doc/kernel-doc-2.6.18/Documentation/networking/ipvs-sysctl.txt
/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl
/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl/README
/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl/abi.txt
/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl/fs.txt
/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl/kernel.txt
/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl/sunrpc.txt
/usr/share/doc/kernel-doc-2.6.18/Documentation/sysctl/vm.txt

/etc/sysctl.conf example file

# The following is suitable for dedicated web server, mail, ftp server etc.
# ---------------------------------------
# BOOLEAN Values:
# a) 0 (zero) - disabled / no / false
# b) Non zero - enabled / yes / true
# --------------------------------------
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
#net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2
########## IPv4 networking start ##############
# Send redirects, if router, but this is just server
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Accept packets with SRR option? No
net.ipv4.conf.all.accept_source_route = 0
# Accept Redirects? No, this is not router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Prevent against the common 'syn flood attack'
net.ipv4.tcp_syncookies = 1
# Enable source validation by reversed path, as specified in RFC1812
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
########## IPv6 networking start ##############
# Number of Router Solicitations to send until assuming no routers are present.
# This is host and not router
net.ipv6.conf.default.router_solicitations = 0
# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0
# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0
# Setting controls whether the system will accept Hop Limit settings from a router advertisement
net.ipv6.conf.default.accept_ra_defrtr = 0
#router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0
#how many neighbor solicitations to send out per address?
net.ipv6.conf.default.dad_transmits = 0
# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1
########## IPv6 networking ends ##############
#Enable ExecShield protection
kernel.exec-shield = 1
kernel.randomize_va_space = 1
# TCP and memory optimization
# increase TCP max buffer size setable using setsockopt()
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608
# increase Linux auto tuning TCP buffer limits
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1
# increase system file descriptor limit
fs.file-max = 65535
#Allow for more PIDs
kernel.pid_max = 65536
#Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000

Reference site

http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/