Category Archives: tuning

TUNING SERVICE & SYSCTRL


 

RedHat / Centos minimal services

I always disable most of the services which are activated by a default CentOS 5.3 installation.

To disable them, run the following commands:

chkconfig anacron off
chkconfig apmd off
chkconfig atd off
chkconfig autofs off
chkconfig cpuspeed off
chkconfig cups off
chkconfig cups-config-daemon off
chkconfig gpm off
chkconfig isdn off
chkconfig netfs off
chkconfig nfslock off
chkconfig openibd off
chkconfig pcmcia off
chkconfig portmap off
chkconfig rawdevices off
chkconfig readahead_early off
chkconfig rpcgssd off
chkconfig rpcidmapd off
chkconfig smartd off
chkconfig xfs off
chkconfig ip6tables off
chkconfig avahi-daemon off
chkconfig firstboot off
chkconfig yum-updatesd off
chkconfig mcstrans off
chkconfig pcscd off
chkconfig bluetooth off
chkconfig hidd off

And you might also consider disabling these:

chkconfig sendmail off
chkconfig xinetd off
chkconfig acpid off
chkconfig microcode_ctl off
chkconfig irqbalance off
chkconfig haldaemon off
chkconfig messagebus off
chkconfig mdmonitor off
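As an added example (not part of the original post), here is a small POSIX shell audit that checks a `chkconfig --list` dump against the disable list above and reports which of those services are still enabled in runlevel 3 or 5; the sample chkconfig output and the function names (still_enabled, remediation) are constructed for this illustration.

```shell
#!/bin/sh
# Audit a `chkconfig --list` dump against the services this post turns off.
# Everything below is constructed example code; on a real CentOS 5 host you
# would pass "$(chkconfig --list)" instead of SAMPLE_CHKCONFIG.

# Subset of the services the post recommends disabling.
DISABLE_LIST="anacron apmd atd autofs cups gpm isdn netfs nfslock portmap avahi-daemon bluetooth hidd xfs yum-updatesd mcstrans pcscd"

# Constructed sample in `chkconfig --list` format (real output is tab separated;
# awk's default field splitting handles tabs and spaces alike).
SAMPLE_CHKCONFIG='anacron        0:off 1:off 2:on  3:on  4:on  5:on  6:off
apmd           0:off 1:off 2:off 3:off 4:off 5:off 6:off
atd            0:off 1:off 2:off 3:on  4:on  5:on  6:off
avahi-daemon   0:off 1:off 2:off 3:on  4:on  5:on  6:off
crond          0:off 1:off 2:on  3:on  4:on  5:on  6:off
portmap        0:off 1:off 2:off 3:off 4:off 5:off 6:off
sshd           0:off 1:off 2:on  3:on  4:on  5:on  6:off
xinetd based services:
        rsync:         off
        telnet:        on'

# still_enabled CHKCONFIG_OUTPUT
# Prints, one per line, the services from DISABLE_LIST that are still "on"
# in runlevel 3 or 5.  The xinetd section (indented lines) is skipped.
still_enabled() {
    printf '%s\n' "$1" | awk -v list="$DISABLE_LIST" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        # SysV lines: name 0:x 1:x 2:x 3:x 4:x 5:x 6:x  -> exactly 8 fields
        /^[^ \t]/ && NF == 8 && ($1 in want) {
            if ($5 == "3:on" || $7 == "5:on") print $1
        }'
}

# remediation CHKCONFIG_OUTPUT
# Emits the chkconfig commands that would bring the host in line with the list.
remediation() {
    still_enabled "$1" | while read -r svc; do
        printf 'chkconfig %s off\n' "$svc"
    done
}

# Stand-alone run: show what the sample host still has enabled.
still_enabled "$SAMPLE_CHKCONFIG"
remediation "$SAMPLE_CHKCONFIG"
```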

anacron

Is this a machine which is designed to run all the time, such as a server or a workstation which is left on at night? If so:
# yum erase anacron

The anacron subsystem is designed to provide cron functionality for machines which may be shut down during the normal times that system cron jobs run, frequently in the middle of the night. Laptops and workstations which are shut down at night should keep anacron enabled, so that standard system cron jobs will run when the machine boots.

However, on machines which do not need this additional functionality, anacron represents another piece of privileged software which could contain vulnerabilities. Therefore, it should be removed when possible to reduce system risk.

apmd – Advanced Power Management Subsystem

If the system is capable of ACPI support, or if power management is not necessary, disable this service:
# chkconfig apmd off

APM is being replaced by ACPI and should be considered deprecated. As such, it can be disabled if ACPI is supported by your hardware and kernel. If the file /proc/acpi/info exists and contains ACPI version information, then APM can safely be disabled without loss of functionality.

autofs – Automounter

If the autofs service is not needed to dynamically mount NFS filesystems or removable media, disable the service:
# chkconfig autofs off

The autofs daemon mounts and unmounts filesystems, such as user home directories shared via NFS, on demand. In addition, autofs can be used to handle removable media, and the default configuration provides the cdrom device as /misc/cd. However, this method of providing access to removable media is not common, so autofs can almost always be disabled if NFS is not in use.

Even if NFS is required, it is almost always possible to configure filesystem mounts statically by editing /etc/fstab rather than relying on the automounter.

avahi-daemon

The Avahi daemon implements the DNS Service Discovery and Multicast DNS protocols, which provide service and host discovery on a network. It allows a system to automatically identify resources on the network, such as printers or web servers. This capability is also known as mDNSresponder and is a major part of Zeroconf networking. By default, it is enabled.

Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Disabling it is particularly important to reduce the system’s vulnerability to such attacks.

Edit the files /etc/sysconfig/iptables and /etc/sysconfig/ip6tables (if IPv6 is in use). In each file, locate and delete the line:
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT

By default, inbound connections to Avahi’s port are allowed. If the Avahi server is not being used, this exception should be removed from the firewall configuration. See Section 2.5.5 for more information about the Iptables firewall.

bluetooth and hidd

If the system requires no Bluetooth devices, disable this service:
# chkconfig bluetooth off

If the system has no Bluetooth input devices (e.g. keyboard or mouse), disable this service:
# chkconfig hidd off

Add the following to /etc/modprobe.conf to prevent the loading of the Bluetooth module:
alias net-pf-31 off

cups and cupsd

Do you need the ability to print from this machine or to allow others to print to it? If not:
# chkconfig cups off

firstboot – Installation Helper Service

Firstboot is a daemon specific to the Red Hat installation process. It handles “one-time” configuration following successful installation of the operating system. As such, there is no reason for this service to remain enabled.

Disable firstboot by issuing the command:
# chkconfig firstboot off

gpm – Console Mouse Service

GPM is the service that controls the text console mouse pointer. (The X Windows mouse pointer is unaffected by this service.)

If mouse functionality in the console is not required, disable this service:
# chkconfig gpm off

Although it is preferable to run as few services as possible, the console mouse pointer can be useful for preventing administrator mistakes in runlevel 3 by enabling copy-and-paste operations.

haldaemon – HAL Daemon

The haldaemon service provides a dynamic way of managing device interfaces. It automates device configuration and provides an API for making devices accessible to applications through the D-Bus interface.

HAL provides valuable attack surfaces to attackers as an intermediary to privileged operations and should be disabled unless necessary:
# chkconfig haldaemon off

hplip – The HP Linux Imaging and Printing (HPLIP) Toolkit

The HPLIP package is an HP printing support utility that is installed and enabled in a default installation. The HPLIP package is comprised of two separate components. The first is the main HPLIP service and the second is a smaller subcomponent called HPIJS. HPLIP is a feature-oriented network service that provides higher level printing support (such as bi-directional I/O, scanning, photo card, and toolbox functionality). HPIJS is a lower level basic printing driver that provides basic support for non-PostScript HP printers.

Since the HPIJS driver will still function without the added HPLIP service, HPLIP should be disabled unless the specific higher level functions that HPLIP provides are needed by a non-PostScript HP printer on the system.
# chkconfig hplip off

isdn – ISDN Support

The ISDN service facilitates Internet connectivity in the presence of an ISDN modem.

If an ISDN modem is not being used, disable this service:
# chkconfig isdn off

kdump – Kdump Kernel Crash Analyzer

Kdump is a new kernel crash dump analyzer. It uses kexec to boot a secondary kernel (“capture” kernel) following a system crash. The kernel dump from the system crash is loaded into the capture kernel for analysis.

Unless the system is used for kernel development or testing, disable the service:
# chkconfig kdump off

kudzu – Kudzu Hardware Probing Utility

Is there a mission-critical reason for console users to add new hardware to the system? If not:
# chkconfig kudzu off

Kudzu, Red Hat’s hardware detection program, represents an unnecessary security risk as it allows unprivileged users to perform hardware configuration without authorization. Unless this specific functionality is required, Kudzu should be disabled.

mcstrans – MCS Translation Service

Unless there is some overriding need for the convenience of category label translation, disable the MCS translation service:
# chkconfig mcstrans off

The mcstransd daemon provides the category label translation information defined in /etc/selinux/targeted/setrans.conf to client processes which request this information.
Category labelling is unlikely to be used except in sites with special requirements. Therefore, it should be disabled in order to reduce the amount of potentially vulnerable code running on the system. See Section 2.4.6 for more information about systems which use category labelling.

mdmonitor – Software RAID Monitor

The mdmonitor service is used for monitoring a software RAID (hardware RAID setups do not use this service). This service is extraneous unless software RAID is in use (which is not common).

If software RAID monitoring is not required, disable this service:
# chkconfig mdmonitor off

messagebus – D-Bus IPC Service

D-Bus is an IPC mechanism that provides a common channel for inter-process communication.

If no services which require D-Bus are in use, disable this service:
# chkconfig messagebus off

A number of default services make use of D-Bus, including X Windows, Bluetooth and Avahi. We recommend that D-Bus and all its dependencies be disabled unless there is a mission-critical need for them.

Stricter configuration of D-Bus is possible and documented in the man page dbus-daemon. D-Bus maintains two separate configuration files, located in /etc/dbus-1/, one for system-specific configuration and the other for session-specific configuration.

microcode_ctl – IA32 Microcode Utility

microcode_ctl is a microcode utility for use with Intel IA32 processors (Pentium Pro, PII, Celeron, PIII, Xeon, Pentium 4, etc).

If the system is not running an Intel IA32 processor, disable this service:
# chkconfig microcode_ctl off

Disable All NFS Services if Possible (nfslock, rpcgssd, rpcidmapd, netfs)

If NFS is not needed, perform the following steps to disable NFS client daemons:
# chkconfig nfslock off
# chkconfig rpcgssd off
# chkconfig rpcidmapd off

The nfslock, rpcgssd, and rpcidmapd daemons all perform NFS client functions.

All of these daemons run with elevated privileges, and many listen for network connections. If they are not needed, they should be disabled to improve system security posture.

Determine whether any network filesystems handled by netfs are mounted on this system:
# mount -t nfs,nfs4,smbfs,cifs,ncpfs

If this command returns no output, disable netfs to improve system security:
# chkconfig netfs off

The netfs script manages the boot-time mounting of several types of networked filesystems, of which NFS and Samba are the most common. If these filesystem types are not in use, the script can be disabled, protecting the system somewhat against accidental or malicious changes to /etc/fstab and against flaws in the netfs script itself.

pcscd – Smart Card Support

If Smart Cards are not in use on the system, disable this service:
# chkconfig pcscd off

portmap – RPC Portmapper

If:

  • NFS is not needed
  • The site does not rely on NIS for authentication information, and
  • The machine does not run any other RPC-based service

then disable the RPC portmapper service:
# chkconfig portmap off

By design, the RPC model does not require particular services to listen on fixed ports, but instead uses a daemon, portmap, to tell prospective clients which ports to use to contact the services they are trying to reach. This model weakens system security by introducing another privileged daemon which may be directly attacked, and is unnecessary because RPC was never adopted by enough services to risk using up all the ports on a system.

Unfortunately, the portmapper is central to RPC design, so it cannot be disabled if your site is using any RPC-based services, including NFS, NIS, or any third-party or custom RPC-based program. If none of these programs are in use, however, portmap should be disabled to improve system security.

In order to get more information about whether portmap may be disabled on a given host, query the local portmapper using the command:
# rpcinfo -p

If the only services listed are portmapper and status, it is safe to disable the portmapper. If other services are listed and your site is not running NFS or NIS, investigate these services and disable them if possible.

readahead_early/readahead_later – Boot Caching

The following services provide one-time caching of files belonging to some boot services, with the goal of allowing the system to boot faster.

It is recommended that these services be disabled on most machines:
# chkconfig readahead_early off
# chkconfig readahead_later off

The readahead services do not substantially increase a system’s risk exposure, but they also do not provide great benefit. Unless the system is running a specialized application for which the file caching substantially improves system boot time, this guide recommends disabling the services.

rhnsd

The rhnsd daemon polls the Red Hat Network web site for scheduled actions. Unless it is actually necessary to schedule updates remotely through the RHN website, it is recommended that the service be disabled.
# chkconfig rhnsd off

The rhnsd daemon is enabled by default, but until the system has been registered with the Red Hat Network, it will not run. However, once the registration process is complete, the rhnsd daemon will run in the background and periodically call the rhn_check utility. It is the rhn_check utility that communicates with the Red Hat Network web site.

This utility is not required for the system to be able to access and install system updates. Once the system has been registered, either use the provided yum-updatesd service or create a cron job to automatically apply updates.

setroubleshoot

Is there a mission-critical reason to allow users to view SELinux denial information using the sealert GUI? If not, disable the service and remove the RPM:
# chkconfig setroubleshoot off
# yum erase setroubleshoot

The setroubleshoot service is a facility for notifying the desktop user of SELinux denials in a user-friendly fashion. SELinux errors may provide important information about intrusion attempts in progress, or may give information about SELinux configuration problems which are preventing correct system operation. In order to maintain a secure and usable SELinux installation, error logging and notification is necessary.

However, setroubleshoot is a service which has complex functionality, which runs a daemon and uses IPC to distribute information which may be sensitive, or even to allow users to modify SELinux settings, and which does not yet implement real authentication mechanisms. This guide recommends disabling setroubleshoot and using the kernel audit functionality to monitor SELinux’s behavior.

In addition, since setroubleshoot automatically runs client-side code whenever a denial occurs, regardless of whether the setroubleshootd daemon is running, it is recommended that the program be removed entirely unless it is needed.

xfs – X Font Server

Disable the xfs helper service:
# chkconfig xfs off

The system’s X.org requires the X Font Server service (xfs) to function. The xfs service will be started automatically if X.org is activated via startx. Therefore, it is safe to prevent xfs from starting at boot when X is disabled, even if users are allowed to run X manually.

yum-updatesd

Disable the yum-updatesd service:
# chkconfig yum-updatesd off

Create the file yum.cron, make it executable, and place it in /etc/cron.daily:
#!/bin/sh
/usr/bin/yum -R 120 -e 0 -d 0 -y update yum
/usr/bin/yum -R 10 -e 0 -d 0 -y update

This particular script instructs yum to update any packages it finds. Placing the script in /etc/cron.daily ensures its daily execution. To only apply updates once a week, place the script in /etc/cron.weekly instead.

 

# Kernel tuning settings for CentOS5,
# busy webserver with lots of free memory.

# Big queue for the network device
net.core.netdev_max_backlog=30000

# Lots of local ports for connections
net.ipv4.tcp_max_tw_buckets=2000000

# Bump up send/receive buffer sizes
net.core.rmem_default=262141
net.core.wmem_default=262141
net.core.rmem_max=262141
net.core.wmem_max=262141

# Disable TCP selective acknowledgements
net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=0

# Decrease the amount of time we spend
# trying to maintain connections
net.ipv4.tcp_retries2=5
net.ipv4.tcp_fin_timeout=60
net.ipv4.tcp_keepalive_time=120
net.ipv4.tcp_keepalive_intvl=30
net.ipv4.tcp_keepalive_probes=3

# Increase the number of incoming connections
# that can queue up before dropping
net.core.somaxconn=256

# Increase option memory buffers
net.core.optmem_max=20480

There are plenty of other sysctl options to tune, but the above made the most difference.

And netstat -s is your friend.
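As an added example (not from the original post), the following POSIX shell drift check compares a sysctl fragment like the one above with a `sysctl -a` style dump and lists every key whose running value differs or is missing, which is how you notice a host that was never reloaded from /etc/sysctl.conf; both inputs and the function names (sysctl_drift, drift_fix_cmds) are constructed for this illustration.

```shell
#!/bin/sh
# Compare desired sysctl settings with the running values.
# Constructed example code: on a live host, replace CURRENT with
# "$(sysctl -a 2>/dev/null)".  Multi-value keys (e.g. tcp_rmem) are
# compared as one whitespace-stripped token, which is good enough for
# the single-value keys this post tunes.

# Desired settings, taken from the post's fragment plus one extra key
# (net.core.optmem_max) to show the MISSING case.
DESIRED='# Big queue for the network device
net.core.netdev_max_backlog=30000
net.ipv4.tcp_max_tw_buckets=2000000
net.core.rmem_max=262141
net.core.wmem_max=262141
net.ipv4.tcp_sack=0
net.ipv4.tcp_fin_timeout=60
net.core.somaxconn=256
net.core.optmem_max=20480'

# Constructed `sysctl -a` output ("key = value") for a host still on defaults
# for several keys and lacking net.core.optmem_max entirely.
CURRENT='net.core.netdev_max_backlog = 1000
net.ipv4.tcp_max_tw_buckets = 2000000
net.core.rmem_max = 131071
net.core.wmem_max = 262141
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fin_timeout = 60
net.core.somaxconn = 128
net.ipv4.ip_forward = 0'

# sysctl_drift DESIRED CURRENT
# Prints "key desired current" for each key that differs, or
# "key desired MISSING" when the key is absent from CURRENT.
sysctl_drift() {
    {
        # Tag desired lines with "D " after dropping comments and blanks.
        printf '%s\n' "$1" | sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' | sed 's/^/D /'
        # Tag current lines with "C "; "key = value" becomes "key=value".
        printf '%s\n' "$2" | sed -e 's/[[:space:]]//g' -e '/^$/d' | sed 's/^/C /'
    } | awk -F'[ =]' '
        $1 == "C" { cur[$2] = $3; next }
        $1 == "D" { order[++n] = $2; want[$2] = $3 }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in cur))          print k, want[k], "MISSING"
                else if (cur[k] != want[k]) print k, want[k], cur[k]
            }
        }'
}

# drift_fix_cmds DESIRED CURRENT
# One `sysctl -w` command per drifted key (review before running).
drift_fix_cmds() {
    sysctl_drift "$1" "$2" | while read -r key want _cur; do
        printf 'sysctl -w %s=%s\n' "$key" "$want"
    done
}

# Stand-alone run against the constructed data.
sysctl_drift "$DESIRED" "$CURRENT"
drift_fix_cmds "$DESIRED" "$CURRENT"
```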

 

10 Tips for a High-Performance Linux Server Installation


There are several considerations worth paying attention to if you want a Linux installation that qualifies as High Performance, including:

  1. Processor
    The processor should be 64-bit and able to support Virtualization Technology, especially if it is intended for a virtualization/cloud computing server.
    Disable hyper-threading. If the CPU offers a Hyper-threading option, disable it.
  2. RAM
    Use enough RAM so that the disk is not used for swap. Swap usage can be checked with the command free -m, and swap can be disabled by adding the option vm.swappiness=0 to the file /etc/sysctl.conf. Disabling swap speeds things up because all computation is done in memory, but ONLY disable swap if there is enough memory. If not, the server may hang because memory is insufficient.
  3. Disk
    • Do not use RAID 5. RAID 5 does provide more capacity, but it lowers IO performance.
    • Do not use the NFS protocol for data storage.
    • Do not use SATA hard disks: although they provide more capacity, their speed lags behind SCSI and SAS disks.
    • Use smaller but more numerous hard disks. 2 x 147 GB disks will perform better than 1 x 300 GB.
    • Use a SAN (Storage Area Network) with a large cache for data storage.
    • If supported, use NVRAM. NVRAM, or non-volatile RAM, speeds up data writes.
    • Do not use drive caches. Disable this option because it can cause data loss that cannot be recovered if the power fails suddenly.
  4. Minimal Installation. If no particular GUI application is needed, install the system minimally. Some Linux distributions provide a JeOS (Just Enough Operating System) installation type that is very minimal.
  5. Appliance Installation. Some systems can be run virtually, and minimal appliances are already available for them, for example a dedicated LAMP Server, a dedicated minimal system, etc. We only need to deploy and activate them.
  6. Services
    Use the command chkconfig --list | grep on to display all services that are currently running. Make sure no service is running that is not actually used, using the command ps -ef.
    Some services that can be disabled:

    Some commands for checking services:

    lsof: check the files and network connections currently in use
    tcpdump: sniff network traffic.
    iostat: monitor IO statistics
    vmstat: monitor CPU/memory usage

    Which services are unused? That of course has to be adjusted to your needs, but the following list may help:
    aaeventd: if you never use AppArmor, just disable it. If you disable this service, also disable the boot.apparmor service
    acpid: leave enabled
    alsasound: leave enabled
    atd: disable
    auditd: disable
    autofs: disable
    autoyast: disable
    cron: leave enabled
    cups: if there is a printer, leave enabled. If not, disable
    cupsrenice: follow the cups setting
    dbus: leave enabled
    earlykbd: leave enabled, this is for the keyboard, unless you don't want to use a keyboard, hehehe…
    earlykdm: leave enabled
    earlysyslog: leave enabled
    esound: disable
    fam: disable
    fbset: disable
    gpm: disable
    gssd: disable
    haldaemon: leave enabled
    idmapd: disable
    joystick: disable (unless you use it for games that need a joystick)
    kbd: leave enabled (this is also a keyboard service)
    ksysguardd: disable
    lirc: disable
    lm_sensors: disable
    mdadmd: disable
    mdnsd: disable
    microcode: disable if using an AMD CPU, leave enabled if using an Intel processor
    network: leave enabled
    nfs: disable (disable the portmap service first)
    nfsboot: disable
    nfsserver: disable
    nmb: disable
    novell-zmd: disable
    nscd: disable
    ntp: disable
    openct: disable
    pcscd: disable
    portmap: disable
    postfix: disable, unless you run a mail server
    powerd: disable
    powersaved: disable, unless needed to suspend the computer
    random: leave enabled
    raw: disable
    resmgr: leave enabled
    rpasswdd: disable
    running-kernel: disable, this is not the kernel itself but an option for switching
    saslauthd: disable
    smb: disable
    smbfs: disable
    smpppd: disable
    spamd: disable
    splash: leave enabled
    splash_early: leave enabled
    SuSEfirewall2_setup: leave enabled
    svcgssd: disable
    syslog: leave enabled
    xdm: leave enabled
    xfs: disable
    xinetd: disable
    ypbind: disable
  7. File Descriptors Limit. If you work with a large number of files, check the file /etc/security/limits for the maximum number of files that can be open at the same time. If the number of files being processed exceeds it, the server can hang. Under normal conditions this limit is sufficient, but for servers that perform indexing and search it can make a significant difference.
  8. File System
    Use the ext3 or ext4 partition type for performance.
    Mount the file system with the noatime option. This option reduces writes to the disk subsystem.
    Add the options in /etc/fstab:
    For Ext3: noatime, nodiratime, barrier = 1
    For XFS: noatime, nodiratime
    For ReiserFS: notail, noatime, nodiratime, barrier = flush
  9. Edit Inittab
    Look at the following section:
    # getty-programs for the normal runlevels
    # <id>:<runlevels>:<action>:<process>
    # The "id" field MUST be the same as the last
    # characters of the device (after "tty").
    1:2345:respawn:/sbin/mingetty --noclear tty1
    2:2345:respawn:/sbin/mingetty tty2
    3:2345:respawn:/sbin/mingetty tty3
    4:2345:respawn:/sbin/mingetty tty4
    5:2345:respawn:/sbin/mingetty tty5
    6:2345:respawn:/sbin/mingetty tty6
    Deactivate tty3 and onwards by putting a # in front of the entry, unless that port is really used. A tty is a port that provides console access, reached by pressing ALT+F2 through ALT+F6. This feature is useful if we use multi-terminal access or for checking the system, but it is usually used only rarely.
  10. Ports. Open only the ports that are used, especially for access from outside the system. Do not enable services that are not needed and do not open ports that are not intended for public consumption. Many admins misunderstand the blocking mechanism, as if every running service needed its access allowed. For example, if I use a DNS Server for local purposes, I do not need to open port 53 to the public, because that would only provide unnecessary access.

Those are a few tips; I hope they are useful.

http://feedproxy.google.com/~r/BlogVavai/~3/ZT_e1GB3Xao/?utm_source=feedburner&utm_medium=email

TUNING PHP.INI


php.ini

You configure PHP in php.ini. Four important settings control how much system resources PHP can consume, as listed in Table 1.
Table 1. Resource related settings in php.ini

Setting             Description                                                       Recommended value
max_execution_time  How many CPU-seconds a script can consume                         30
max_input_time      How long (seconds) a script can wait for input data               60
memory_limit        How much memory (bytes) a script can consume before being killed  32M
output_buffering    How much data (bytes) to buffer before sending out to the client  4096

These numbers depend mostly on your application. If you accept large files from users, then max_input_time may have to be increased, either in php.ini or by overriding it in code. Similarly, a CPU- or memory-heavy program may need larger settings. The purpose is to mitigate the effect of a runaway program, so disabling these settings globally isn’t recommended. Another note on max_execution_time: this refers to the CPU time of the process, not the absolute time. Thus a program that does lots of I/O and few calculations may run for much longer than max_execution_time. It’s also how max_input_time can be greater than max_execution_time.

The amount of logging that PHP can do is configurable. In a production environment, disabling all but the most critical logs saves disk writes. If logs are needed to troubleshoot a problem, you can turn up logging as needed. error_reporting = E_COMPILE_ERROR|E_ERROR|E_CORE_ERROR turns on enough logging to spot problems but eliminates a lot of chatter from scripts.
