    Fine Tuning Your GNU/Linux

    This page collects resources and tips for tuning a GNU/Linux system to reach the highest levels of performance. The tips are gathered from the Net and from my own experience with GNU/Linux. Back up all your data before tuning your box: some of these changes may not be compatible with your current setup.

  • I have tried these tunings on Intel P-III and Intel P-IV platforms with 128 MB RAM.
  • Firewall. Several tips and tricks help us build a tight firewall. The first thing to look at is the range of local port numbers the system uses for outgoing connections. Every TCP connection is identified by its source address and port and its destination address and port:

    {source address, source port, destination address, destination port}

    If we want to control which local ports connections are allowed to go out from, and therefore which incoming packets (the replies) we need to allow in, we have to know that port range. Otherwise, to let connections out and the reply data back in, we would have to allow all 65,535 ports in.
    The default range is compiled into the kernel and can be changed in the source before recompilation:
      
      /usr/src/linux/net/ipv4/tcp_ipv4.c
      
      /*
      * This array holds the first and last local port number.
      * For high-usage systems, use sysctl to change this to
      * 32768-61000
      */
      int sysctl_local_port_range[2] = { 1024, 4999 };
      
      

    Or, at any time, through the proc interface (suggested: in the network startup script):
      /proc/sys/net/ipv4/ip_local_port_range 

    This matters for both outgoing and incoming rules: the server's own outgoing connections originate from that port range, which allows tight control over the outgoing rules and the matching incoming ones. IP-masqueraded connections, however, do not originate from these local source ports, so masqueraded services will not work unless we use some type of proxy or add permissive rules for the client connections. In the 2.2 kernel the masquerading code rewrites the source port of masqueraded connections into the range 61000-65095. So if on the server the masqueraded connections originate from ports 61000-65095 and the server's own connections from 1024-4999, we need two sets of rules, one for each part.
    We would have to allow incoming rules for the IP-masqueraded clients and output rules for the server itself. Since the server rarely needs more than 4000 simultaneous connections at a time, it is simpler to move its own local port range onto the masquerading range, 61000 to 65095, so that one set of rules covers both:
      echo 61000 65095 > /proc/sys/net/ipv4/ip_local_port_range 
    Now we write the firewall rules for the connections originating from ports 61000 to 65095. With a default deny policy it is simple to allow specific services one by one. Example, outgoing HTTP over eth0 (-p 6 is TCP by protocol number; -p tcp works as well):

      # our high ports -> any web server, port 80
      ipchains -A output -s 0.0.0.0/0.0.0.0 61000:65095 -d 0.0.0.0/0.0.0.0 80:80 \
          -i eth0 -p 6 -j ACCEPT

      # replies from port 80 back to our high ports, but no new connections (! -y)
      ipchains -A input -s 0.0.0.0/0.0.0.0 80:80 -d 0.0.0.0/0.0.0.0 61000:65095 \
          ! -y -i eth0 -p 6 -j ACCEPT
      
      

    The SYN flag is what initiates a connection, so the input rule uses "! -y": it matches only packets that are not a bare SYN (SYN set, ACK clear), that is, packets belonging to connections that were opened from our side. A remote host cannot open a new connection to our high ports through this rule.
    This pattern works for most common services.

    FTP is different. In active mode the remote FTP server establishes the data connection inbound to us, from its port 20 to one of our high ports, so the ports involved depend on whether the client uses passive or active FTP.
    DNS relies heavily on UDP packets, and what you see depends on whether the request is simply forwarded by the server, generated by the server, or handled by name server software running on it. The practical approach is to log everything that is denied; with the -l flag ipchains logs each matching packet to the kernel log. Example:
      
      ipchains -A input -l -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY
      ipchains -A output -l -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY
      ipchains -A forward -l -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -j DENY
      
      

    Then we can watch the result in the log file with
       tail -f /var/log/messages

    Only after reading the logged messages carefully can we determine what needs to be allowed through the firewall.
    A message looks like the following (one line in the log):
      Jun 12 00:12:46 server kernel: Packet log: input DENY eth0 PROTO=6 10.202.179.4:20 5.6.7.8:61394 L=44 S=0x00 I=61949 F=0x4000 T=250 SYN (#28)

    Reading the message: the chain is input and the action taken is DENY. The protocol is 6, which /etc/protocols lists as TCP. The source was 10.202.179.4, port 20 (ftp-data according to /etc/services), and the destination was 5.6.7.8, port 61394, inside our local port range. The SYN tag says the packet was opening a new connection, and it was blocked by rule #28 in the input chain.
    On the FTP client this shows up as an error like "remote directory listing not available": the remote server's active-mode data connection from port 20 was dropped. Allow TCP from source port 20 to destination ports 61000-65095 (SYN included, since here the remote side initiates the connection) and FTP will work properly. Such a rule lets any host that sends from source port 20 connect to our high ports, so use passive-mode FTP where you can and keep the rule as narrow as possible.
    Another possible problem: when root runs the SSH client to connect outwards, it may use a privileged source port (1000 or similar) even with the local port range set, because root is allowed to bind ports below 1024, and the replies will then not match our input rule.
    Firewall or not, it is better to avoid this by not running such clients as root.
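    Reading these messages by hand gets old quickly. The following shell script, an added example and not part of the original page, parses ipchains "Packet log:" lines and sorts denied packets into the cases discussed above: a reply to a connection we opened ourselves (destination port in our local range, no bare SYN, so the "! -y" input rule should have matched it), an active-mode FTP data connection from port 20, or an unsolicited inbound packet. The port range 61000-65095 and the message format come from the text; the log line embedded in the script is constructed after the one above, and the LOCAL_PORT_LO/HI bounds are assumed to match what was written to ip_local_port_range.

```shell
#!/bin/sh
# Parse ipchains "Packet log:" lines and classify denied packets.
# Added example, not from the original page. The local port bounds are
# assumed to equal the values written to /proc/sys/net/ipv4/ip_local_port_range.

LOCAL_PORT_LO=61000
LOCAL_PORT_HI=65095

# Constructed sample, in the format of the message shown in the text.
SAMPLE_LOG='Jun 12 00:12:46 server kernel: Packet log: input DENY eth0 PROTO=6 10.202.179.4:20 5.6.7.8:61394 L=44 S=0x00 I=61949 F=0x4000 T=250 SYN (#28)'

# pktlog_fields LINE
# Prints: chain action iface proto src sport dst dport syn rule
# (syn is "yes" when ipchains tagged the packet SYN; rule is the N in "(#N)").
pktlog_fields() {
    printf '%s\n' "$1" | awk '
    {
        for (i = 1; i <= NF; i++) if ($i == "log:") break
        chain = $(i+1); action = $(i+2); iface = $(i+3)
        proto = $(i+4); sub(/^PROTO=/, "", proto)
        src = $(i+5); sport = src; sub(/.*:/, "", sport); sub(/:[0-9]+$/, "", src)
        dst = $(i+6); dport = dst; sub(/.*:/, "", dport); sub(/:[0-9]+$/, "", dst)
        syn = "no"; rule = "-"
        for (j = i+7; j <= NF; j++) {
            if ($j == "SYN") syn = "yes"
            if ($j ~ /^\(#[0-9]+\)$/) { rule = $j; gsub(/[()#]/, "", rule) }
        }
        print chain, action, iface, proto, src, sport, dst, dport, syn, rule
    }'
}

# classify_denied LINE -> not-denied | reply-to-local | ftp-data-active | unsolicited
classify_denied() {
    line=$1
    set -- $(pktlog_fields "$line")
    # $1 chain $2 action $3 iface $4 proto $5 src $6 sport $7 dst $8 dport $9 syn ${10} rule
    [ "$2" = "DENY" ] || { echo "not-denied"; return 0; }
    case $8 in ''|*[!0-9]*) echo "unsolicited"; return 0;; esac
    in_range=no
    if [ "$8" -ge "$LOCAL_PORT_LO" ] && [ "$8" -le "$LOCAL_PORT_HI" ]; then in_range=yes; fi
    if [ "$in_range" = "yes" ] && [ "$9" = "no" ]; then
        echo "reply-to-local"       # the "! -y" input rule should have let this through
    elif [ "$in_range" = "yes" ] && [ "$4" = "6" ] && [ "$6" = "20" ]; then
        echo "ftp-data-active"      # remote FTP server opening the data channel to us
    else
        echo "unsolicited"          # nobody here asked for it; keep denying
    fi
}

# Real use: grep 'Packet log:' /var/log/messages | while read -r l; do classify_denied "$l"; done
echo "$(classify_denied "$SAMPLE_LOG")  <- $SAMPLE_LOG"
```

    Packets classified as reply-to-local point at a missing or mis-ordered "! -y" rule; ftp-data-active is the case from the log above; unsolicited packets are what the firewall is there to drop and need no rule.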

      Here is a sample firewall script (2.2 kernel, ipchains, IP masquerading):

        #! /bin/sh
        # Masquerading gateway: forward the 192.168.1.0/24 LAN through eth0
        /sbin/depmod -a
        /sbin/modprobe ip_masq_ftp                 # FTP helper for masqueraded clients
        echo "1" > /proc/sys/net/ipv4/ip_forward
        echo "1" > /proc/sys/net/ipv4/ip_always_defrag
        /sbin/ipchains -L
        /sbin/ipchains -M -S 7200 10 160           # masq timeouts in seconds: TCP, TCP after FIN, UDP
        /sbin/ipchains -P forward DENY
        /sbin/ipchains -A forward -i eth0 -s 192.168.1.0/24 -j MASQ

        ---------------  Another set of rules ----------------------

        #! /bin/sh
        # Stand-alone host firewall (no masquerading)
        /sbin/depmod -a
        /sbin/modprobe ipchains
        internet_interface=ppp0        # ppp0 for a modem, eth0 for an Ethernet connection
        internet_ip=100.100.100.100    # this host's public address

        # Flush firewall rules
        /sbin/ipchains -F

        # Block the forward chain
        /sbin/ipchains -P forward DENY

        # Block incoming ssh sessions
        /sbin/ipchains -A input -p tcp -d $internet_ip 22 -j REJECT
        /sbin/ipchains -A input -p udp -d $internet_ip 22 -j REJECT   # harmless: SSH is TCP only

        # Accept everything on the loopback interface
        /sbin/ipchains -A input -s 0/0 -d 0/0 -i lo -j ACCEPT

        # Accept DNS replies from our two name servers
        /sbin/ipchains -A input -s 202.54.9.1 53 -d 0/0 -p udp -j ACCEPT
        /sbin/ipchains -A input -s 202.54.1.30 53 -d 0/0 -p udp -j ACCEPT

        # Disallow pinging of this host (loopback was already accepted above;
        # note this also drops ICMP errors such as fragmentation-needed)
        /sbin/ipchains -A input -p icmp -j DENY

        # Disallow ICMP through this host
        /sbin/ipchains -A forward -p icmp -j DENY

        # Block telnet from the outer network
        /sbin/ipchains -A input -i $internet_interface -p tcp --dport 23 -j DENY

        # Block telnet from the internal network
        /sbin/ipchains -A input -i eth0 -p tcp --dport 23 -j DENY

        # Allow any outbound TCP (the output policy stays ACCEPT) and disallow
        # inbound TCP connection attempts (SYN set, ACK clear)
        /sbin/ipchains -A input -p tcp --syn -j DENY


    Dial-in Server Setup
    First install mgetty (here mgetty-1.1.21-2) from tar or rpm. Assuming an rpm package, first check whether it is already installed:
      rpm -qa | grep mgetty
    Then edit the following files (assuming the modem is on ttyS1 and mgetty lives in /sbin):
    • /etc/inittab

      S1:2345:respawn:/sbin/mgetty ttyS1

        OR

      S1:2345:respawn:/sbin/mgetty ttyS1 38400 vt100

      • /etc/ppp/options
        asyncmap 0
        netmask 255.255.255.0
        proxyarp
        lock
        crtscts
        modem
    • /etc/ppp/options.ttyS1 (per-port options: local address, remote address, and noauth, which tells pppd not to require PAP or CHAP from the peer, so make sure the caller is authenticated some other way, e.g. through mgetty's login or pppd's auth options)
      192.168.1.200:192.168.1.201
      noauth
    • /etc/mgetty+sendfax/login.config must also be edited so that mgetty hands PPP callers over to pppd.
    Some Other Tips

    We can get a lot of tips and tricks from "Securing and Optimizing Linux", which is available on-line and is an excellent resource for optimizing your GNU/Linux machine. Get it at www.linuxdoc.org.

    While we are talking about optimization of Linux we also have to consider the kernel compilation options. Add -fomit-frame-pointer to the compiler flags, edit /usr/src/linux/Makefile to replace MAKE=make with MAKE=make -j (a parallel build; running make -j2 on the command line does the same) and uncomment the INSTALL_PATH=/boot line by taking out the #, then run make dep and make zImage (or bzImage).

    • Disable TCP timestamps. This saves 12 bytes per segment and hides the host's uptime, but it also turns off PAWS and RFC 1323 round-trip measurement, so keep them on for fast links:
        # echo 0 > /proc/sys/net/ipv4/tcp_timestamps
    • Disable window scaling. This caps the TCP window at 64 KB; only worth it on slow links:
        # echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
    • Page tuning (2.2 kernels only; /proc/sys/vm/freepages does not exist in 2.4 and later):
        # echo "128 256 1024" > /proc/sys/vm/freepages
    • Raise the system-wide open-file limit:
        # echo "8192" > /proc/sys/fs/file-max
    Mind the space before the ">": "echo 0> file" redirects file descriptor 0 and writes nothing to the file.
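    To apply settings like these without the silent failure of a mistyped redirection, here is a small shell script, added as an example and not from the original page, that writes a tunable through the proc interface and reads it back to confirm the kernel accepted it. SYSCTL_ROOT is an assumption for dry runs: point it at a scratch directory laid out like /proc/sys to exercise the script without root and without touching the live kernel. The settings it applies are the ones from the list above.

```shell
#!/bin/sh
# Write a kernel tunable through /proc/sys and verify it by reading it back.
# Added example, not from the original page. SYSCTL_ROOT is an assumption:
# it defaults to the real tree but can point at a scratch copy for testing.
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}

# Collapse tabs/multiple spaces so "128 256 1024" compares equal to what the
# kernel prints back (proc files often separate values with tabs).
normalize_ws() {
    tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# set_sysctl KEY VALUE   (KEY in dotted form, e.g. net.ipv4.tcp_timestamps)
# Returns 0 if the value read back equals VALUE; 1 if the file is missing,
# not writable, or the kernel kept something else.
set_sysctl() {
    key=$1; value=$2
    path="$SYSCTL_ROOT/$(printf '%s' "$key" | tr '.' '/')"
    if [ ! -w "$path" ]; then
        echo "set_sysctl: $path: missing or not writable" >&2
        return 1
    fi
    # Mind the space before '>': "echo 0> file" redirects fd 0 and writes nothing.
    printf '%s\n' "$value" > "$path" || return 1
    got=$(normalize_ws < "$path")
    want=$(printf '%s\n' "$value" | normalize_ws)
    if [ "$got" != "$want" ]; then
        echo "set_sysctl: $key: wanted '$want', kernel has '$got'" >&2
        return 1
    fi
    return 0
}

# apply_tuning: the settings from the text, each with read-back; prints "ok N fail M".
# tcp_timestamps=0 and tcp_window_scaling=0 also disable PAWS/RTT measurement
# and cap the window at 64 KB, so only use them on slow links.
apply_tuning() {
    ok=0; fail=0
    while IFS='=' read -r k v; do
        [ -n "$k" ] || continue
        if set_sysctl "$k" "$v"; then ok=$((ok + 1)); else fail=$((fail + 1)); fi
    done <<EOF
net.ipv4.tcp_timestamps=0
net.ipv4.tcp_window_scaling=0
fs.file-max=8192
EOF
    echo "ok $ok fail $fail"
}

# Usage (as root): sh tune.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_tuning
fi
```

    Reading the value back matters: the kernel accepts some writes only partially (for example a multi-value file given too few numbers), and a non-root user gets no error from the shell for a write that never happened.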

  • Enabled Services
    Sendmail, httpd, crond, kudzu, mysql, portmap, postgresql, smb, snortd, webmin, inetd (or xinetd) are all wonderful programs. If you are not using them, however, why should you be running them? As someone might have said, "RAM doesn't grow on trees!" Not just from a resource-utilization point of view but also from a security point of view, it is important to run only the services you require: every listening daemon is code exposed to the network, and a daemon you never use is one you will not keep patched.

    On my system I run only gpm, network, syslog, ssh and xfs. I don't need any other service for my day-to-day work, and when I do need something I can always start the required daemon manually using the init scripts.

      (Example: # service httpd start, to start the web server)
    You too should select the services according to your specific needs; starting them on demand with service <name> start | stop | restart is recommended.

    At this point, I would like to digress for a minute and talk about a wonderful program called nmap. According to its home page (www.insecure.org), nmap is a network scanner that tells the user which ports are open on a target machine. This is very useful for finding all of the services that are running on a given machine, and it shows the machine the way anyone else on the network sees it. The test can be performed as follows (all 65,535 TCP ports):

    [rohit@localhost rohit]$ nmap -p1-65535 20.19.66.20
    Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
    Interesting ports on localhost.localdomain (20.19.66.20):
    (The 65492 ports scanned but not shown below are in state: closed)
    ---Edited version of the output due to space considerations--
    Port      State  Service
    ...
    514/tcp   open   shell
    1025/tcp  open   listen
    1099/tcp  open   unknown
    1214/tcp  open   unknown

    Nmap lists all the open ports, together with the service name usually associated with each port number (taken from its own services table). It does not identify the program actually bound to the port; ports it has no name for it marks unknown.

    To find out which program is listening on a particular port on the target machine, log in as root (so that the socket owners of every process can be read) and use netstat with -p:

    [root@localhost /root]# netstat -anp | more
    ---Edited version of the output due to space considerations---
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    ....
    tcp        0      0 20.19.66.20:8007        20.19.66.197:1060       CLOSE       1005/java
    tcp        0      0 20.19.66.20:22          20.19.66.197:3768       ESTABLISHED 1381/sshd
    tcp        0      0 20.19.66.20:23          192.168.57.146:1546     ESTABLISHED 1229/in.telnetd: 19
    ....

    The last column lists the program name and its PID. So if we want to know what program is using port 1214 (which nmap marked as unknown), all we have to do is:

    [root@localhost /root]# netstat -anp | grep 1214
    tcp        0      0 0.0.0.0:1214            0.0.0.0:*               LISTEN      22562/kza

    This tells me that the program named kza (Kazaa) is listening on port 1214. Using this data and the setup tool (see below), we turn off all the unnecessary services. Programs like kza, which are not system services at all, can be stopped with the kill command; it is also worth finding out how they got there.

    We can also use the ps command to get a listing of daemons running on the system. Daemons are typically not bound to any terminal (the TTY column shows "?"), so the following command lists the daemons running as root on our server:
    [root@tachyon root]# ps xc -u 0
    ---Edited version of the output due to space considerations---
      PID TTY STAT TIME COMMAND
    ...
     1475 ?   S    0:02 sendmail
     1498 ?   S    0:04 gpm
    16539 ?   S    0:01 httpd
    ...
    The above procedures give me a very good idea of the daemons running on my machine. The ones I don't need can be turned off immediately. A simple way to turn them off at startup is the setup command. On a Red Hat box this is done from the command prompt:

    # setup -> select the System Services option -> select the services required.
    Doing this ensures that only the services you select start when you boot the machine (chkconfig --list shows what is enabled in each runlevel). You can also shut down daemons manually using the init scripts.
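    The netstat check above can be scripted. The following shell script, an added example rather than the page's own procedure, pulls the listening sockets out of "netstat -anp" output and reports every program that is not on an allowlist of expected daemons, which is how port 1214 would have stood out automatically. SAMPLE_NETSTAT is constructed in the format of the listing above, not captured from a real host, and the allowlist in the usage line is an example.

```shell
#!/bin/sh
# List listening sockets from "netstat -anp" output and flag programs that are
# not on an allowlist. Added example, not from the original page.
# SAMPLE_NETSTAT is constructed in the format of the listing in the text.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1381/sshd
tcp        0      0 0.0.0.0:1214            0.0.0.0:*               LISTEN      22562/kza
tcp        0      0 20.19.66.20:22          20.19.66.197:3768       ESTABLISHED 1381/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1475/sendmail
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1002/portmap'

# listeners < netstat-output
# Prints one "proto port pid program bindaddr" line per listening socket:
# TCP sockets in LISTEN and UDP sockets with a wildcard peer. The owner is "-"
# when netstat could not resolve it (run netstat as root to avoid that).
listeners() {
    awk '
    function emit(proto, local, owner,    port, addr, pid, prog) {
        port = local; sub(/.*:/, "", port)
        addr = local; sub(/:[0-9]+$/, "", addr)
        if (owner ~ /\//) {
            pid = owner;  sub(/\/.*/, "", pid)
            prog = owner; sub(/.*\//, "", prog)
        } else {
            pid = "-"; prog = "-"
        }
        print proto, port, pid, prog, addr
    }
    $1 == "tcp" && $6 == "LISTEN"    { emit($1, $4, $7) }
    $1 == "udp" && $5 == "0.0.0.0:*" { emit($1, $4, $6) }
    '
}

# unexpected_listeners "prog1 prog2 ..." < netstat-output
# Prints the listeners whose program is not in the allowlist. An unresolved
# owner ("-") is always reported, because it is exactly what needs a look.
unexpected_listeners() {
    allowed=" $1 "
    listeners | while read -r proto port pid prog addr; do
        case "$allowed" in
            *" $prog "*) ;;
            *) echo "$proto $port $pid $prog $addr" ;;
        esac
    done
}

# Real use, as root: netstat -anp | unexpected_listeners "sshd syslogd gpm xfs"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "sshd sendmail portmap"
```

    Run on the sample it prints only the kza line. Put the allowlist in a file under version control and run the check from cron: a new entry in its output is either a service someone enabled on purpose or something that should not be there.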

    The Stability of the Building Depends on its Foundation. The same goes for a GNU/Linux box: a little planning before installation serves you well in the long run. A well-partitioned machine not only runs smoothly but also offers better security: /tmp and /var can be mounted with restrictive options such as nosuid and nodev, and a log or temp file that fills up cannot fill the root filesystem. I have seen administrators dump everything into one / partition. That, according to me, is a strict no-no. Whenever I install a machine, I usually go for /, /home, /var, /tmp and a swap partition. You can also have a /usr partition; I prefer bundling / and /usr together, but you may beg to differ and do it your way.


  • Links Is my Navigator
    When I surf the Web, I usually visit Slashdot, Freshmeat, Newsforge, Wired, CNet and Linux Journal. Most of these sites don't require JavaScript or plugins of any kind, so I prefer using links to surf them. Links is a text-based browser with support for tables, frames, colors and even SSL. You can get links from artax.karlin.mff.cuni.cz/~mikulas/links/. Sites load faster as there are no images to display, and links is certainly not as memory-intensive as Netscape, Galeon or Konqueror.


  • How Many Virtual Consoles ?
    Each and every virtual console you have eats up some system resources. If you are an X fanatic, I would say you don't need more than two. But if you do use virtual consoles a lot, about four of them should be enough. To set the number of virtual consoles you need, edit /etc/inittab and go to the part where it says "# Run gettys in standard runlevels". It will probably have entries from tty1 to tty6. Depending on your needs, comment out the ones you don't require. My inittab reads as follows:


      # Run gettys in standard runlevels
      1:2345:respawn:/sbin/mingetty tty1
      2:2345:respawn:/sbin/mingetty tty2
      3:2345:respawn:/sbin/mingetty tty3
      4:2345:respawn:/sbin/mingetty tty4
      #5:2345:respawn:/sbin/mingetty tty5
      #6:2345:respawn:/sbin/mingetty tty6

    • Take care, and make a backup of this file before making such changes.



    More on http://linuxperf.nl.linux.org/