Some notes on kernel settings we can fine-tune to keep our website faster and more reliable:
1:
The availability of kernel sockets:
Linux Increase Local Port Range with net.ipv4.ip_local_port_range
If your Linux server is opening lots of outgoing network connections, you need to increase the local port range. By default the range is small. For example, a squid proxy server can come under fire if it runs out of ports.
You can use the sysctl command to modify kernel parameters at runtime. The parameters available are those listed under /proc/sys/. Please note that this hack is only useful for high-bandwidth, busy Linux servers or large-scale grid servers.
Set new local port range:
# echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range
Or:
$ sudo sysctl -w net.ipv4.ip_local_port_range="1024 64000"
Or edit the /etc/sysctl.conf file:
# increase system IP port limits
net.ipv4.ip_local_port_range = 1024 65535
You must restart your network for the change to take effect.
2:
Better manage your TCP/IP resources
This hack simply lowers the default time values for TCP/IP connections so that more connections can be handled in a given time. The following will decrease the amount of time your Linux box takes to finish closing a connection and the amount of time before it kills a stale connection. It will also turn off some IP extensions that aren't needed. The default values under Red Hat Linux for the TCP/IP parameters we'll change are:
For the tcp_fin_timeout 180
For the tcp_keepalive_time 7200
For the tcp_window_scaling 1
For the tcp_sack 1
For the tcp_timestamps 1
To set the new TCP/IP values, edit the /etc/sysctl.conf file and add the following lines:
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 30
# Decrease the time default value for tcp_keepalive_time connection
net.ipv4.tcp_keepalive_time = 1800
# Turn off the tcp_window_scaling
net.ipv4.tcp_window_scaling = 0
# Turn off the tcp_sack
net.ipv4.tcp_sack = 0
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
You must restart your network for the change to take effect.
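One way to confirm that the settings from both notes took effect after the restart, as an added example that is not part of the original post: a shell check that reads the live values under /proc/sys and compares them with the sysctl.conf values given above. PROC_ROOT and the function names are assumptions made for this example.

```shell
# Added example: compare live kernel values with the ones set on this page.
# PROC_ROOT (assumed name) points the check at another tree; default /proc/sys.

# Expected values, copied from the sysctl.conf lines above.
EXPECTED='net.ipv4.ip_local_port_range=1024 65535
net.ipv4.tcp_fin_timeout=30
net.ipv4.tcp_keepalive_time=1800
net.ipv4.tcp_window_scaling=0
net.ipv4.tcp_sack=0
net.ipv4.tcp_timestamps=0'

# Read one key, e.g. net.ipv4.tcp_sack -> $PROC_ROOT/net/ipv4/tcp_sack.
# The kernel separates multi-value entries with tabs, so collapse whitespace.
read_sysctl() {
    path="${PROC_ROOT:-/proc/sys}/$(printf '%s' "$1" | tr '.' '/')"
    [ -r "$path" ] || return 1
    tr -s '[:space:]' ' ' < "$path" | sed 's/^ //; s/ $//'
}

# Print one line per key that differs or is missing; return 1 on any drift.
sysctl_drift() {
    drift=0
    while IFS='=' read -r key want; do
        if have=$(read_sysctl "$key"); then
            [ "$have" = "$want" ] && continue
            printf 'DRIFT %s: have "%s", want "%s"\n' "$key" "$have" "$want"
        else
            printf 'MISSING %s\n' "$key"
        fi
        drift=1
    done <<EOF
$EXPECTED
EOF
    return "$drift"
}

# Number of local ports available for outgoing connections (inclusive range).
local_port_count() {
    range=$(read_sysctl net.ipv4.ip_local_port_range) || return 1
    echo $(( ${range#* } - ${range%% *} + 1 ))
}
```

Source the file and call sysctl_drift; no output and a zero exit status mean every value matches.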
Ref Links:
http://www.cyberciti.biz/tips/linux-increase-outgoing-network-sockets-range.html
http://www.faqs.org/docs/securing/chap6sec75.html