Kernel tuning – sysctl

Here are some of my kernel tuning settings, applied via sysctl:

# Tune network memory
net.core.wmem_max = 4194304
net.core.rmem_max = 4194304
net.core.somaxconn = 65535
net.core.netdev_max_backlog = 65535
net.ipv4.tcp_max_syn_backlog = 65535
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_abort_on_overflow = 1
# Disable IPv6 if it is not in use.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Shorten nf_conntrack timeout values
net.netfilter.nf_conntrack_generic_timeout = 180
net.netfilter.nf_conntrack_tcp_timeout_syn_sent = 30
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 30
net.netfilter.nf_conntrack_tcp_timeout_established = 86400
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 40
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 30
net.netfilter.nf_conntrack_tcp_timeout_last_ack = 30
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 40
net.netfilter.nf_conntrack_tcp_timeout_close = 10
net.netfilter.nf_conntrack_tcp_timeout_max_retrans = 60
net.netfilter.nf_conntrack_tcp_timeout_unacknowledged = 60
# Raise the nf_conntrack entry limit (the hash bucket count itself is the nf_conntrack hashsize module parameter)
net.nf_conntrack_max = 200000

Additional work on plugins after upgrading to WP 3.6

I've just finished upgrading to WP 3.6 and the related plugins. Two plugins generate error messages:

PHP Strict Standards: call_user_func_array() expects parameter 1 to be a valid callback, non-static method GoogleSitemapGeneratorLoader::Enable() should not be called statically in /wp-includes/plugin.php on line 406, referer: http://www.refmanual.com/wp-admin/plugin-editor.php?file=google-xml-sitemaps-v3-for-qtranslate%2Fsitemap-core.php&plugin=google-xml-sitemaps-v3-for-qtranslate%2Fsitemap-ui.php

PHP Strict Standards: Non-static method GoogleSitemapGeneratorLoader::GetBaseName() should not be called statically in /wp-content/plugins/google-xml-sitemaps-v3-for-qtranslate/sitemap.php on line 114, referer: http://www.refmanual.com/wp-admin/plugin-editor.php?file=google-xml-sitemaps-v3-for-qtranslate%2Fsitemap-core.php&plugin=google-xml-sitemaps-v3-for-qtranslate%2Fsitemap-ui.php

PHP Strict Standards: call_user_func_array() expects parameter 1 to be a valid callback, non-static method GoogleSitemapGeneratorLoader::CallHtmlShowHelpList() should not be called statically in /wp-includes/plugin.php on line 173, referer: http://www.refmanual.com/wp-admin/plugin-editor.php?file=google-xml-sitemaps-v3-for-qtranslate%2Fsitemap-core.php&plugin=google-xml-sitemaps-v3-for-qtranslate%2Fsitemap-ui.php

PHP Strict Standards: Declaration of W3_Cache_Memcached::delete() should be compatible with W3_Cache_Base::delete($key, $group = '') in /wp-content/plugins/w3-total-cache/lib/W3/Cache/Memcached.php on line 15, referer: http://www.refmanual.com/wp-admin/plugins.php

Prevent DNS attacks

Recently, our network suffered from heavy DNS attacks: UDP floods, reflection attacks, etc.

After a lot of tcpdump work capturing traffic on the network, we found a large number of IPs from China resolving names against our public DNS server (which was in practice open to all clients).

Because of this, they flooded our international circuit. A DNS reflection attack works like a normal name lookup, except that the attacker continuously sends requests to the DNS server, and because the returned packets carry far more information than the queries, each response is 3-5 times larger than what the attacker sent us.

To prevent this from happening again, we have to restrict the DNS server so that it answers recursive queries only for known networks/hosts.

# cat /etc/named.conf
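The author's own named.conf is not included in the excerpt above. As an added example (not the author's configuration), the BIND fragment below shows the open-recursion setting next to the corrected one that limits recursion and cache reads to a `trusted` ACL; the 192.0.2.0/24 and 2001:db8::/32 ranges are documentation placeholders to be replaced with your own client networks.

```conf
// Added example, not the author's named.conf. Limits recursive service
// to the networks we operate. 192.0.2.0/24 and 2001:db8::/32 are
// placeholder ranges (RFC 5737 / RFC 3849); substitute your own.

acl "trusted" {
    127.0.0.1;
    ::1;
    192.0.2.0/24;        // placeholder: internal IPv4 client network
    2001:db8::/32;       // placeholder: internal IPv6 client range
};

options {
    directory "/var/named";

    // Weak: anyone on the Internet can use this server as a recursive
    // resolver, so it will reflect and amplify traffic for whoever asks.
    //   recursion yes;
    //   allow-recursion { any; };

    // Corrected: still a recursive resolver, but only for "trusted".
    recursion yes;
    allow-recursion { trusted; };

    // Also gate cache reads; otherwise outsiders can still pull already
    // cached answers even though they cannot trigger new lookups.
    allow-query-cache { trusted; };

    // allow-query gates every query, allow-recursion only the recursive
    // ones, so answers for zones this server is authoritative for stay
    // reachable from anywhere.
    allow-query { any; };
};
```

Run `named-checkconf` before reloading with `rndc reconfig`; afterwards a recursive query from an address outside `trusted` is refused, while queries for the server's own authoritative zones still succeed.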