sysctl tuning on Linux

While most Linux Kernels nowadays come with nice sysctl defaults, there’s always room for improvement. Some parameters can be used for performance tuning, others can be critical for security hardening.

What is sysctl?

sysctl is an interface to view and dynamically change parameters in Linux and other *NIX operating systems. In Linux, most of the dynamic Kernel settings can be changed via sysctl. The parameters set by sysctl are also available under the virtual /proc filesystem.

How do I use sysctl?

To read values you’ve two options:

# Option 1: Using the sysctl command to read current parameters:
sysctl net.ipv4.ip_forward          # display specific parameter
sysctl net.ipv4                     # display all net.ipv4.* parameters
sysctl -a                           # display all parameters

# Option 2: Using the /proc filesystem:
cat /proc/sys/net/ipv4/ip_forward

To write values you can use both options again:

# Option 1: Using the sysctl command to change a parameter:
sysctl net.ipv4.ip_forward=1

# Option 2: Using the /proc filesystem to change a parameter:
echo 1 >/proc/sys/net/ipv4/ip_forward

However, these parameters are not persistent. You’ve to configure them in /etc/sysctl.conf or /etc/sysctl.d/* if you want them active after a reboot.


Please note that configuration changes will not be detected automatically. You’ve to trigger the reload manually:

sysctl -p [filename]

Tuning Linux with sysctl


To automatically reboot a system after a kernel panic, you can set the following parameter to the amount of seconds to wait before reboot:

kernel.panic = 60

Linux Kernels provide a magic SysRq key, which allows the user to perform low-level commands regardless of the systems state. To enable this magic key you’ve to set:

kernel.sysrq = 1

To make sure core dumps will always be written set the following parameter:

fs.suid_dumpable = 2

It can be useful to have the PID appended on the filename of core dumps. This can be especially useful for debugging multi-threaded applications and it’s easy to setup:

kernel.core_uses_pid = 1

To increase the maximum number of used process IDs you can define the following parameter:

kernel.pid_max = 65536


To tune the memory (VM) behaviour in Linux, you can set some vm.* parameters.

For example to tell the Kernel how aggressively memory pages should be written to disk (aka swapping), you’ve to change the swappiness value. The higher the value, the more aggressive the swapping:


When you look at filesystems then most of the time some kind of cache is involved. The amount of filesystem cache is based on the percentage of total available memory. To set the maximum amount of filesystem cache can be defined with:

vm.dirty_ratio = 40

When the defined percentage of memory is reached, then all I/O writes are blocked until enough dirty pages have been flushed to disk by pdflush. This is quite suboptimal because on a healthy system you don’t want to have blocked I/O writes at all. Therefor there’s another parameter, which defines the minimal percentage of dirty memory before the background pdflush process starts to flush out dirty memory pages:

vm.dirty_background_ratio = 10

As already described before, pdflush is in charge of flushing dirty pages to disk. So you can optionally change the flush interval by setting the following parameter (in hundredths of seconds, e.g. 500 = 5s):

vm.dirty_writeback_centisecs = 500

Of course pdflush needs to know when data can be removed from cache. Sometimes it makes sense to increase the time how long “untouched” data lives be in the cache before it’s marked as expired. Just overwrite the following parameter (again in hundredths of seconds):

vm.dirty_expire_centiseconds = 3000

If you want to have more informations about the memory on your system, just have a look at:

cat /proc/meminfo


To increase the maximum amount of file descriptors you can use.

fs.file-max = 65535

Exec Shield

Exec Shield is a protection against worms and other automated remote attacks on Linux systems. It was invented by Red Hat in 2002. To enable Exec Shield:

kernel.exec-shield = 1
kernel.randomize_va_space = 1

Network Core

Some applications are configured for performance and sometimes an application can handle huge buffers. To increase the maximum buffer size for all sockets / connections (this will affect all buffers, e.g. net.ipv4.tcp_rmem) you can use:

net.core.rmem_max = 8388608
net.core.wmem_max = 8388608

When a system is under heavy load and an interface receives a lot of packets, then the Kernel might not process them fast enough. You can increase the number of packets hold in the queue (backlog) by changing:

net.core.netdev_max_backlog = 5000


First of all we recommend you tune ICMP a bit. You can do that by ignoring ICMP broadcasts, which will protect you from ICMP floods. We also ignore bogus responses to broadcast frames (violation against RFC1122), so that our log isn’t full of Kernel warnings:

net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

SYN floods are a type of DDoS and can harm your system. To protect from it you should enable SYN cookies, resize the SYN backlog (queue size) and reduce SYN/ACK retries:

# Turn on SYN cookies to protect from SYN flood attacks.
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3

To log packets with impossible addresses simply enable:

net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

To disable IP source routing (SRR), so that nobody can tell us which path a packet should take:

net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route  = 0

By default, routers router everything and even packages which don’t belong to their network(s). To avoid that we’ve to make sure strict reverse path filtering is enabled as defined in RFC3704:

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

Some applications support higher read and write buffers for sockets. The buffer size parameters are defined by 3 values (min, default, max). To increase the maximum buffer set:

net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608

To get better throughput in a network, it might make sense to enable TCP window scaling as defined in RFC1323:

net.ipv4.tcp_window_scaling = 1

Disable (ICMP) redirects at all. Please note that the send_redirects parameters should be enabled on routers:

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0        # Don't disable this on routers!
net.ipv4.conf.default.send_redirects = 0    # Don't disable this on routers!

Finally disable IPv4 forwarding on non-routing systems:

net.ipv4.ip_forward = 0


Those who don’t use IPv6 at all should disable it:

net.ipv6.conf.all.disable_ipv6 = 1

If you’re already using IPv6 you might be interested in the following parameters.

On non-routing systems you should disable router solicitations:

net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.all.router_solicitations = 0

You should also don’t accept routing preferences from router advertisements:

net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 0

Don’t try to learn prefix information in router advertisements:

net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_ra_pinfo = 0

Don’t accept hop limits from router advertisements:

net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_defrtr = 0

Disable IPv6 auto configuration, so that no unicast addresses can automatically be configured on your interface from a router advertisement:

net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.all.autoconf = 0

If you don’t want your system to be verbose about its neighbours, you should disable neighbour solicitations at all:

net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.all.dad_transmits = 0

Unless you need more than one global unicast address, you should fix the number of assigned global unicast addresses per interface to 1:

net.ipv6.conf.default.max_addresses = 1
net.ipv6.conf.all.max_addresses = 1

.all & .default

A lot of sysctl parameters have several values, because there’s a .default, .all and sometimes even a .<interface> value. While the .<interface> value is obvious, you’ve to look closer on the other two.

According to a comment on the linux-kernel mailing list, there’s one major difference:

  • The default value will only be applied ONCE, at the point when an interface is created.
  • The all value will ALWAYS applied in addition.

This means when an interface is created, the default value will be applied to it once. However, you can overwrite that with the interface-specific parameter. The global .all parameter will always be applied in addition and in the end it depends of the logical operator how the “final value” looks like.

For example there are parameters where all settings need to be 1 (aka AND), where only one of the settings need to be 1 (aka OR) or where the highest value will be used (aka MAX).

So it’s important to know that existing interfaces might have a different value than the one you’ve set as default or all.

Where to find documentation?

IMHO the best documentation for sysctl is available directly in the Kernel docs. You can find them in the git repository. Just have a look at the Documentation/networking/ip-sysctl.txt and Documentation/filesystems/proc.txt files.

You can also have a look at the man pages on your Linux server. For example if you want to know more about the tcp settings you can run:

man -7 tcp


  • pj

    Really nicely done – thanks.

  • Kevin

    Goo Job Dude

  • MrDegenerateBeast

    Well defined, succint…thanks for this.

  • find a word

    The global .all parameter will always be applied in addition and in the end it depends of the logical operator how the “final value” looks lik

  • anvarol

    You have explained this thing well. Thank you!

  • beauty tutorials

    Thank you for explaining this! This really helped a lot

  • Prada Boots

    I’ve been looking for this since we started this subject. Thank you for sharing!

  • doula

    I need more information

  • t rex game

    I should express that I like this article so a ton and moreover using it in regular. I believe you would continue sharing better than average articles here.

  • Thumbtack

    Nice, Easy, and interesting tips. Thanks for sharing it here.

  • slab foundation

    Thanks to the author for coming up with this topic. This is excellent!

  • angies list

    Amazing explanation, am impressed to read that. Well done keep it up. l love to read more from you.

  • Homeadvisor

    Love this post so much!!

  • plaster walls

    This is my first time visit here. From the tons of comments on your articles,I guess I am not only one having all the enjoyment right here!

  • Thumbtack

    If you set out to make me think today; mission accomplished! I really like your writing style and how you express your ideas. Thank you.

  • foundation repair

    This would really mean a lot. Thanks for sharing this one out.

  • drywall repair

    I read that Post and got it fine and informative.

  • our site

    I’m impressed by how you present the article.

  • visit us

    I agree with this post. Thanks for sharing like this!

  • Homeadvisor

    Excellent website you have here, so much cool information!..