14.11. Tuning Linux

In this section, I will sum up all previous sections concerning configuring Linux and its services for secure and efficient operation. I will also consider several other, more sophisticated techniques for making your system more secure and productive.

I already stated that the best way to enhance security and efficiency is to load only the most necessary programs and services. The more services loaded, the more memory and processor resources consumed.

After you have decided on the services to use and cut their number to the minimum, you have to configure each of these services for maximum productivity. The minimization principle applies here. For example, the Apache service loads lots of modules that most sites do not need. Each unnecessary module is a blow to security and efficiency.

Minimizing the number of modules for each service allows the greatest performance to be achieved. This said, consider how you can fine-tune your system.

14.11.1. Kernel Parameters

Start by opening the /etc/sysctl.conf file, which stores the kernel parameters. Listing 14.1 shows an example of the file's contents.

Listing 14.1: The contents of the /etc/sysctl.conf configuration file

 # Kernel sysctl configuration file for Red Hat Linux.
 # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) for
 # more details.

 # Controls IP packet forwarding.
 net.ipv4.ip_forward = 0

 # Controls source route verification.
 net.ipv4.conf.default.rp_filter = 1

 kernel.sysrq = 1
 kernel.core_uses_pid = 1
 #net.ipv4.tcp_ecn = 0

 kernel.grsecurity.fifo_restrictions = 1
 kernel.grsecurity.linking_restrictions = 1

 # Audit some operations.
 kernel.grsecurity.audit_mount=1
 kernel.grsecurity.signal_logging=1
 #kernel.grsecurity.suid_logging=1
 kernel.grsecurity.timechange_logging=1
 kernel.grsecurity.forkfail_logging=1
 kernel.grsecurity.coredump = 1

 # Lock all security options.
 #kernel.grsecurity.grsec_lock = 1

I'll explain how the parameters stored in this file work, using the net.ipv4.tcp_ecn parameter as an example. The parameter name is a path, relative to the /proc/sys directory, to the tcp_ecn file, namely /proc/sys/net/ipv4/tcp_ecn. Execute the following command to view the contents of the file:

 cat /proc/sys/net/ipv4/tcp_ecn 

The system will display 0 or 1, which is the value of this parameter.

You can change the value manually, but it's more convenient to do this by executing the following command:

 sysctl -w parameter_name=new_value

The same command can be used to view the value of the kernel parameter:

 sysctl parameter_name 

For example, the value of the net.ipv4.tcp_ecn parameter, which is stored in the /proc/sys/net/ipv4/tcp_ecn file, is displayed as follows:

 sysctl net.ipv4.tcp_ecn 

The values of most parameters are Boolean, meaning they can be either 0 (disabled) or 1 (enabled).

The following are the parameters that should be changed. If they are not in the sysctl.conf file, they should be added to it.

  • net.ipv4.icmp_echo_ignore_broadcasts: When this parameter is enabled, the system ignores broadcast ICMP echo packets.

  • net.ipv4.icmp_echo_ignore_all: When this parameter is enabled, all ICMP echo packets are ignored. You can use this parameter if you don't want to fool around with the firewall. Prohibiting echo-request packets reduces the traffic, albeit not by much, and makes ineffective any attacks based on ping packets.

  • net.ipv4.conf.*.accept_redirects: This parameter controls whether router-redirection messages are accepted. (I covered this subject in Section 14.5.3, saying that enabling router redirections is dangerous because this gives hackers a chance to fool the router and monitor the target machine's traffic.)

The asterisk character is a wildcard and stands for any directory name. There can be several subdirectories in the net/ipv4/conf directory, one for each network interface. There should be at least four such subdirectories in your system:

  • all: Contains configuration files for all interfaces

  • default: Holds the default values

  • eth0: Holds configuration files for the first network card

  • lo: Holds configuration files for the loopback interface

The asterisk indicates that the parameter must be set for all interfaces whose parameter files are stored in the subdirectories of the net/ipv4/conf directory. In most cases, the all directory can be substituted for the asterisk, but sometimes all existing subdirectories have to be specified.

  • net.ipv4.conf.*.secure_redirects: When set, ICMP redirect messages are accepted only from gateways listed in the default gateway list. It is advisable to enable this parameter only if there is more than one router in your network; otherwise, it should be disabled.

  • net.ipv4.conf.*.send_redirects: This parameter allows a computer acting as a router to send ICMP redirect messages to other hosts. If there is more than one router in the network, it is advisable to enable this parameter, so that you can distribute the workload among the routers and not try to route all traffic through the main gateway.

  • net.ipv4.conf.*.accept_source_route: This parameter controls whether source-routed packets should be accepted or declined. I already mentioned that such packets can be used to bypass your firewall; thus, you should disable this parameter.

  • net.ip_always_defrag: When set, all incoming packets are defragmented. I already explained how the firewall can be bypassed using fragmented packets. The reason is that the firewall checks only the first fragment of the packet and considers the rest of the fragments allowed if the first one passes the check. When this parameter is set, all incoming packets are defragmented, thus making it impossible to bypass the firewall using this method.

  • net.ipv4.ipfrag_low_thresh: This specifies the minimum amount of memory allocated to reassemble fragmented packets. The higher this value, the fewer memory allocations are necessary. The default value is 196608. Setting this parameter too high will cause extra memory to be allocated and may result in the server running out of resources for processing data. It is advisable to leave the default value.

  • net.ipv4.ipfrag_high_thresh: This specifies the maximum amount of memory allocated to reassemble fragmented IP packets. The default value is 262144. If this value is exceeded, the operating system starts discarding incoming fragmented packets. In this way, a server can be flooded with junk fragments, causing it to no longer react to legitimate fragmented packets.

  • net.ipv4.ipfrag_time: This indicates the time in seconds to keep an IP packet fragment in memory. The default value is 30 seconds. This is too much, because during this time hackers can flood the entire cache. In case of an attack on the system, the value should be lowered to 20 or even 10 seconds.

  • net.ipv4.tcp_syncookies: This controls whether to send out SYN cookies when the SYN queue of a socket overflows. It is advisable to enable this parameter to ward off SYN flood attacks.

These are some of the main kernel parameters. There are too many of them for each to be considered in this book. I advise you to consult the pertinent documentation for information on parameters not included in the preceding overview.
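The following script is an added example, not code from the book: it audits a sysctl.conf file against the values recommended in this section. It parses the file's key = value syntax (comment lines start with # or ;), maps a key to its /proc/sys path the way described above for net.ipv4.tcp_ecn, expands the net.ipv4.conf.* wildcard over the four interface directories listed above, and reports each key as ok, missing, or set to the wrong value. The interface list, the baseline table and the sample configuration are constructed for the example.

```python
"""Audit a sysctl.conf file against the hardening values described above.

Added example, not from the book: it parses sysctl.conf syntax (key = value,
'#' or ';' comment lines), maps a key to its /proc/sys path, expands the
'net.ipv4.conf.*' wildcard over the interface directories the section lists,
and reports every key that is missing or set to an unexpected value.
The interface list and the sample configuration are constructed.
"""
from __future__ import annotations

# Recommended values from Section 14.11.1 (Boolean: 1 = enabled, 0 = disabled).
BASELINE = {
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.conf.*.accept_redirects": "0",
    "net.ipv4.conf.*.accept_source_route": "0",
    "net.ipv4.conf.*.rp_filter": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.ip_forward": "0",
}

# Subdirectories of /proc/sys/net/ipv4/conf on a one-NIC host (constructed list).
INTERFACES = ("all", "default", "eth0", "lo")

# Constructed sample modelled on Listing 14.1: one wrong value, one commented out.
SAMPLE_CONF = """\
# Kernel sysctl configuration file (constructed sample)
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.tcp_syncookies = 1
#net.ipv4.icmp_echo_ignore_broadcasts = 1
"""


def sysctl_path(key: str) -> str:
    """'net.ipv4.tcp_ecn' -> '/proc/sys/net/ipv4/tcp_ecn' (dots become directories)."""
    return "/proc/sys/" + key.replace(".", "/")


def parse_sysctl_conf(text: str) -> dict[str, str]:
    """Return {key: value}; a key repeated later in the file overrides the earlier line."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def expand(pattern: str, interfaces=INTERFACES) -> list[str]:
    """Replace the '*' wildcard with each interface directory name."""
    if "*" not in pattern:
        return [pattern]
    return [pattern.replace("*", iface) for iface in interfaces]


def audit(settings: dict[str, str], interfaces=INTERFACES) -> dict[str, str]:
    """Compare settings with BASELINE: {key: 'ok' | 'missing' | 'wrong (got, want)'}."""
    findings: dict[str, str] = {}
    for pattern, want in BASELINE.items():
        for key in expand(pattern, interfaces):
            got = settings.get(key)
            if got == want:
                findings[key] = "ok"
            elif got is None:
                findings[key] = "missing"
            else:
                findings[key] = f"wrong ({got}, want {want})"
    return findings


if __name__ == "__main__":
    for key, status in audit(parse_sysctl_conf(SAMPLE_CONF)).items():
        print(f"{status:<22} {key}  [{sysctl_path(key)}]")
```

The audit is deliberately strict: it reports every expanded interface key on its own rather than assuming that setting the all directory covers the others, which matches the caveat above that sometimes all existing subdirectories have to be specified. The dot-to-slash mapping in sysctl_path breaks for interface names that themselves contain dots (VLAN interfaces such as eth0.100); sysctl accepts / as a separator in keys for exactly that case.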

14.11.2. Tuning the Hard Disk Drive

For a long time, Direct Memory Access (DMA) support for hard-drive access was disabled in Linux, although almost all motherboards have had this support since the first Pentium processors. The operating system had DMA disabled by default to be compatible with older computers, so this feature had to be enabled manually.

In modern distributions, DMA support is enabled by default, but it is still possible to optimize the hard drive for more efficient operation. The hdparm utility is used for testing and configuring hard drives in Linux. The hard drive speed can be tested by executing the command with the -t option:

 hdparm -t /dev/hda 

The program will display a message of the following type:

 Timing buffered disk reads: 64 MB in 3.02 seconds = 21.19 MB/sec 

To display the parameters of the hard drive, the partition is specified as the parameter:

 hdparm /dev/hda2 

The results produced look similar to the following:

 /dev/hda2:
  multcount    = 128 (on)
  IO_support   =  0 (default 16-bit)
  unmaskirq    =  0 (off)
  using_dma    =  1 (on)
  keepsettings =  0 (off)
  readonly     =  0 (off)
  readahead    =  8 (on)
  geometry     = 2088/255/63, sectors = 32515560, start = 1028160

The most interesting parameters are the following:

  • multcount: The number of sectors read in one cycle. This parameter must be enabled, and it is advisable to set its value to 128. Doing this can raise the efficiency 30% to 50%. The value is changed using the -mX option, where X is the new value.

  • using_dma: DMA use. The DMA mode is enabled by using the -d1 option.

  • IO_support: The drive access mode. The default can be the 16-bit mode, but currently the 32-bit mode can be used. This mode can be enabled by the -c3 option.

The preceding three parameters can really enhance hard drive efficiency. To set them to the recommended values, execute the following command:

 hdparm -m128d1c3 /dev/hda

As you can see, I simply listed all necessary keys and specified the disk to which they apply. Note that there are no digits in the disk name, for example, hda1. Digits used with a disk name specify a disk partition, but the access mode can only be changed for the whole disk, not for its individual partitions.

The modified parameters have to be saved as follows:

 hdparm -k1 /dev/hda 

Now, execute the disk read speed-testing command again: hdparm -t /dev/hda.

In addition to the parameters displayed by the hdparm /dev/hda2 command, there is also the access mode parameter. Currently, three Advanced Technology Attachment (ATA) modes are supported: 33, 66, and 100. Consult your hard drive manual for information about which access mode it supports.

The access mode is changed using the -X option as follows:

  • -X34: Corresponds to ATA33

  • -X68: Corresponds to ATA66

  • -X69: Corresponds to ATA100

For example, ATA66 is enabled by the following command:

 hdparm -X68 /dev/hda

As strange as it may sound, the parameters you set are lost on reboot. To make them permanent, the commands setting them should be saved in the /etc/rc.d/rc.local file. Add the following commands at the end of the file:

 hdparm -m128d1c3 /dev/hda
 hdparm -X68 /dev/hda
 hdparm -k1 /dev/hda
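
The script below is an added example, not code from the book or from the hdparm project. It parses the name = value (state) lines printed by hdparm /dev/hdaN as shown above, compares multcount, using_dma and IO_support with the recommended values, strips the partition digits to get the whole-disk name (these settings apply to the disk, not a partition), and assembles an hdparm command containing only the flags the drive still needs. The captured output it works on is constructed.

```python
"""Compare an hdparm settings dump with the values recommended above.

Added example, not from the book or the hdparm project: it parses the
'name = value (state)' lines printed by `hdparm /dev/hdaN`, checks
multcount, using_dma and IO_support against the recommended settings,
derives the whole-disk name (partition digits stripped, because these
settings apply to the disk rather than a partition) and assembles the
hdparm command that would apply only the settings still missing.
The captured output below is constructed.
"""
from __future__ import annotations

import re
from typing import Optional

# parameter -> (recommended value, hdparm flag that sets it), per Section 14.11.2
RECOMMENDED = {
    "multcount": ("128", "-m128"),
    "using_dma": ("1", "-d1"),
    "IO_support": ("3", "-c3"),
}

# Matches ' multcount    = 128 (on)'; the '/dev/hda2:' header line does not match.
SETTING_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)")

# Constructed sample: DMA and multcount already tuned, 32-bit I/O still off.
SAMPLE_OUTPUT = """\
/dev/hda2:
 multcount    = 128 (on)
 IO_support   =  0 (default 16-bit)
 unmaskirq    =  0 (off)
 using_dma    =  1 (on)
 keepsettings =  0 (off)
 readonly     =  0 (off)
 readahead    =  8 (on)
 geometry     = 2088/255/63, sectors = 32515560, start = 1028160
"""


def parse_hdparm(output: str) -> dict[str, str]:
    """Return {parameter: value}; the '(on)' / '(off)' annotation is dropped."""
    settings: dict[str, str] = {}
    for line in output.splitlines():
        match = SETTING_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def whole_disk(device: str) -> str:
    """'/dev/hda2' -> '/dev/hda' for the hdX/sdX naming used in this section."""
    return re.sub(r"\d+$", "", device)


def needed_flags(settings: dict[str, str]) -> list[str]:
    """Flags for every recommended setting the drive does not already have."""
    return [flag for name, (want, flag) in RECOMMENDED.items() if settings.get(name) != want]


def tuning_command(device: str, output: str) -> Optional[str]:
    """Full hdparm command to apply, or None when the drive is already tuned."""
    flags = needed_flags(parse_hdparm(output))
    if not flags:
        return None
    return f"hdparm {' '.join(flags)} {whole_disk(device)}"


if __name__ == "__main__":
    print(tuning_command("/dev/hda2", SAMPLE_OUTPUT))
```

Run against a real machine, the output of hdparm /dev/hdaN would be fed in place of SAMPLE_OUTPUT; the script only builds the command and never executes it, so the result can be reviewed before it is applied to the disk.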

14.11.3. Automount

If your exposure to the world of computers started with Windows, you may find having to mount file systems and especially CD-ROMs manually absurd. Although this can be lived with on servers, because discs are seldom used there, on workstations this becomes a real pain in the neck, because CD-ROMs and diskettes are used quite extensively on them. I sometimes have to change up to 20 different discs a day, and I quickly tire of having to mount and unmount them.

Because Linux is striving to move into the home computer area, its latest distributions include the automatic mounting option by default. This is done with the help of the autofs service. Check that this service runs on start-up; if it does, you can start configuring it.

The service's main configuration file is /etc/auto.master. The following are its contents:

 # $Id: auto.master,v 1.2 1997/10/06 21:52:03 hpa Exp $
 # Sample auto.master file
 # Format of this file:
 # mountpoint map options
 # For details of the format, look at autofs(8).
 /misc  /etc/auto.misc  --timeout=60

Only the last entry in the file actually does something; the rest are explanatory comments. This entry may be commented out in your system; uncomment it to use the automatic mounting feature.

The configuration entry has the following format:

 mountpoint  map      options 

In this case, mountpoint is the /misc directory. This circumstance is somewhat of a problem, because the /mnt directory is the default directory for mounting devices manually. The second parameter specifies the mount map. In this case, it is the /etc/auto.misc file. The file's format and function are similar to those of the /etc/fstab file used for the mount command. Listing 14.2 shows the contents of the /etc/auto.misc file.

Listing 14.2: The contents of the /etc/auto.misc file

 # $Id: auto.misc,v 1.2 1997/10/06 21:52:04 hpa Exp $
 # This is an automounter map, and it has the following format:
 # key [ -mount-options-separated-by-comma ] location
 # Details may be found in the autofs(5) manpage.
 cd            -fstype=iso9660,ro,nosuid,nodev     :/dev/cdrom
 # The following entries are samples to pique your imagination.
 #linux        -ro,soft,intr                       ftp.example.org:/pub/linux
 #boot         -fstype=ext2                        :/dev/hda1
 #floppy       -fstype=auto                        :/dev/fd0
 #floppy       -fstype=ext2                        :/dev/fd0
 #e2floppy     -fstype=ext2                        :/dev/fd0
 #jaz          -fstype=ext2                        :/dev/sdc1
 #removable    -fstype=ext2                        :/dev/hdd

The last parameter, --timeout=60 , is the idleness period. If during this period there is no activity in the directory, into which the device is mounted, the device is unmounted. The default timeout value is 60 seconds. In most cases, this is an acceptable value.

There is only one entry not commented out in the /etc/auto.misc file. This entry mounts the CD-ROM:

 cd     -fstype=iso9660,ro,nosuid,nodev   :/dev/cdrom 

The first parameter specifies the subdirectory of /misc into which the device will be mounted. The second parameter specifies the file system type of the device and the options to use for mounting it. For a CD-ROM, the iso9660 file system is used; the disc is mounted read-only (ro), and set-user-ID bits (nosuid) and device files (nodev) on it are ignored. The last parameter specifies the device to be mounted.

As you can see, everything is simple. If an attempt is made to access the /misc/cd directory and there is a disc in the CD-ROM drive at the moment, it will be mounted automatically. There is one idiosyncrasy when working with automatically mounted file systems: Linux command line commands should be used. For example, to view the directory, execute the ls /misc/cd command. If you try to view the /misc/cd directory using Midnight Commander, the program will not see the automounted disc.
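The script below is an added example, not code from the book or from the autofs project. It parses auto.master (mountpoint, map, options) and an indirect map file (key, optional -options, location) in the formats shown in the two listings above, joins each map key to the master's mountpoint to get the full path (such as /misc/cd), and reports any entry for removable media whose options lack the nosuid and nodev protections the cd entry carries. The sample files are constructed; the floppy entry is left uncommented deliberately so that the check has something to report.

```python
"""Parse autofs maps and check the mount options of automounted media.

Added example, not from the book or the autofs project: it reads
auto.master ('mountpoint map options') and an indirect map file
('key [-options] location') in the formats shown in the listings above,
resolves each key to its full mount path under the master's mountpoint,
and reports entries whose options lack nosuid or nodev. The sample files
below are constructed; the floppy entry is uncommented on purpose to show
a failing check.
"""
from __future__ import annotations

REQUIRED_OPTIONS = {"nosuid", "nodev"}
DEFAULT_TIMEOUT = 60  # seconds, the default stated in the section

# Constructed sample auto.master (comments are dropped by the parser).
SAMPLE_MASTER = """\
# Format of this file:
# mountpoint map options
/misc  /etc/auto.misc  --timeout=60
"""

# Constructed sample map: 'cd' as in Listing 14.2, 'floppy' without protections.
SAMPLE_MISC = """\
# key [ -mount-options-separated-by-comma ] location
cd        -fstype=iso9660,ro,nosuid,nodev   :/dev/cdrom
floppy    -fstype=auto                      :/dev/fd0
#boot     -fstype=ext2                      :/dev/hda1
"""


def _content_lines(text: str):
    """Yield the whitespace-split fields of every non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_master(text: str) -> list[tuple[str, str, int]]:
    """auto.master -> [(mountpoint, map_path, timeout_seconds)]."""
    entries = []
    for fields in _content_lines(text):
        mountpoint, map_path, *options = fields
        timeout = DEFAULT_TIMEOUT
        for opt in options:
            if opt.startswith("--timeout="):
                timeout = int(opt.split("=", 1)[1])
        entries.append((mountpoint, map_path, timeout))
    return entries


def parse_map(text: str) -> list[tuple[str, set[str], str]]:
    """Indirect map -> [(key, {options}, location)]; the -options field is optional."""
    entries = []
    for fields in _content_lines(text):
        key, *rest = fields
        options: set[str] = set()
        if rest and rest[0].startswith("-"):
            options = set(rest[0][1:].split(","))
            rest = rest[1:]
        location = rest[0] if rest else ""
        entries.append((key, options, location))
    return entries


def audit(master_text: str, maps: dict[str, str]) -> dict[str, set[str]]:
    """{full mount path: missing required options}; an empty set means the entry passes."""
    findings: dict[str, set[str]] = {}
    for mountpoint, map_path, _timeout in parse_master(master_text):
        for key, options, _location in parse_map(maps.get(map_path, "")):
            findings[f"{mountpoint.rstrip('/')}/{key}"] = REQUIRED_OPTIONS - options
    return findings


if __name__ == "__main__":
    for path, missing in audit(SAMPLE_MASTER, {"/etc/auto.misc": SAMPLE_MISC}).items():
        print(f"{path}: {'ok' if not missing else 'missing ' + ','.join(sorted(missing))}")
```

The maps argument stands in for reading the map files named in auto.master from disk; on a real system the text of /etc/auto.misc would be loaded into that dictionary. Reporting missing options per full mount path makes the output match what a user sees under /misc when the device is mounted.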



Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141