sysctl 参数调整

vim /etc/sysctl.conf

# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

vm.swappiness = 0
net.ipv4.neigh.default.gc_stale_time=120

# see details in https://help.aliyun.com/knowledge_detail/39428.html
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.arp_announce = 2
net.ipv4.conf.lo.arp_announce=2
net.ipv4.conf.all.arp_announce=2

# see details in https://help.aliyun.com/knowledge_detail/41334.html
net.ipv4.tcp_max_syn_backlog = 1024
kernel.sysrq=1
kernel.printk = 5


################################## 优化 ###################################

#禁用包过滤功能
net.ipv4.ip_forward = 0

# 开启SYN cookies 当出现syn等待溢出，启用cookies来处理，可防范少量的syn攻击
net.ipv4.tcp_syncookies = 1

#timewait的数量，默认是180000
net.ipv4.tcp_max_tw_buckets = 2000

#每个网络接口接收数据包的速率比内核处理这些包的速率快时，允许送到队列的数据包的最大数目
net.core.netdev_max_backlog = 65535

#为了打开对端的连接，内核需要发送一个SYN并附带一个回应前面一个SYN的ACK。也就是所谓三次握手中的第二次握手。这个设置决定了内核放弃连接之前发送SYN+ACK包的数量
net.ipv4.tcp_synack_retries = 1

#对于一个新建的tcp连接，内核要发送几个SYN连接请求才决定放弃
net.ipv4.tcp_syn_retries = 1


#开启TCP连接复用功能，允许将time_wait sockets重新用于新的TCP连接（主要针对time_wait连接）
net.ipv4.tcp_tw_reuse = 1

#对外连接端口范围
net.ipv4.ip_local_port_range = 2048 63000

#系统文件描述符总量
fs.file-max = 102400

# 避免放大攻击
net.ipv4.icmp_echo_ignore_broadcasts = 1

# 开启恶意icmp错误消息保护
net.ipv4.icmp_ignore_bogus_error_responses = 1

# 允许更多的PIDs (减少滚动翻转问题); may break some programs 32768
kernel.pid_max = 65536

# 增加系统IP端口限制
net.ipv4.ip_local_port_range = 4000 63000

#设置为1即启用时间戳，慎用（开启后可能会出现能ping通，但是SSH|web|...|均无法连接）
net.ipv4.tcp_timestamps = 0

#ICMP禁止广播
net.ipv4.icmp_echo_ignore_broadcasts = 1

vm.nr_hugepages=512

exec $SHELL

可参考

https://help.aliyun.com/knowledge_detail/39428.html
https://help.aliyun.com/knowledge_detail/41334.html