Top 6 Linux Server Performance Tweaks
6 - Improve network performance by having iptables drop bogus packets in a black hole
#!/bin/sh
# Load this from the console, or queue a rollback first (for example
#   echo "/sbin/iptables -P INPUT ACCEPT; /sbin/iptables -P OUTPUT ACCEPT" | at now + 5 minutes
# and remove it with atrm once you have confirmed you can still log in): the default
# policies below are set to DROP before any ACCEPT rule exists, so a typo locks you out.
# Flush all chains (-F empties them but does not delete user-defined chains; -X does)
/sbin/iptables -t filter -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F
/sbin/iptables -t filter -X
# Set default policies
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -P OUTPUT DROP
/sbin/iptables -t filter -P FORWARD DROP
# Create custom Log-Then-Drop logging chain (it must exist before rules can be appended to it)
/sbin/iptables -t filter -N LTDROP
# The limit match takes a unit suffix (/second, /minute, /hour, /day); give one explicitly,
# e.g. --limit 4/minute, if the log fills too quickly during a scan or flood
/sbin/iptables -t filter -A LTDROP -p tcp -m limit --limit 4 -j LOG --log-level info --log-prefix "TCP Dropped "
/sbin/iptables -t filter -A LTDROP -p udp -m limit --limit 4 -j LOG --log-level info --log-prefix "UDP Dropped "
/sbin/iptables -t filter -A LTDROP -p icmp -m limit --limit 4 -j LOG --log-level info --log-prefix "ICMP Dropped "
/sbin/iptables -t filter -A LTDROP -f -m limit --limit 4 -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
# ICMP is answered with port-unreachable; everything else goes into the black hole
/sbin/iptables -t filter -A LTDROP -p icmp -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -t filter -A LTDROP -j DROP
# Rules for traffic coming FROM anywhere destined TO this machine
# Loopback must be allowed explicitly: with a DROP policy, anything talking to 127.0.0.1 breaks otherwise
/sbin/iptables -t filter -A INPUT -i lo -j ACCEPT
/sbin/iptables -t filter -A INPUT -m state --state INVALID -j LTDROP
/sbin/iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Add more INPUT rules here (e.g. -p tcp --dport 22 -m state --state NEW -j ACCEPT for ssh)
/sbin/iptables -t filter -A INPUT -j LTDROP
# Rules for traffic coming FROM this machine destined TO anywhere
/sbin/iptables -t filter -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -m state --state INVALID -j LTDROP
/sbin/iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Add more OUTPUT rules here (with OUTPUT set to DROP nothing new leaves the box, not even DNS, until you do)
/sbin/iptables -t filter -A OUTPUT -j LTDROP
# Rules for traffic coming FROM anywhere destined TO anywhere
/sbin/iptables -t filter -A FORWARD -m state --state INVALID -j LTDROP
# Add FORWARD rules here (if needed)
/sbin/iptables -t filter -A FORWARD -j LTDROP
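Once the chain is in place, the kernel log tells you who is hitting the black hole. The following is an added example, not part of the original page: a shell function that groups the LTDROP log lines by log prefix, source address and destination port, busiest first. The log lines embedded at the bottom are constructed in the iptables LOG format for the demonstration, not captured from a real host.

```sh
#!/bin/sh
# Added example, not part of the original page: summarise what the LTDROP chain
# is logging, grouped by log prefix, source address and destination port.
# Real use:  drop_summary < /var/log/messages     (or: dmesg | drop_summary)

drop_summary() {
    awk '
      /Dropped / {
        prefix = "?"; src = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
          # the --log-prefix text ("TCP Dropped ") is the two tokens before IN=
          if ($i ~ /^IN=/ && i > 2)  prefix = $(i - 2) " " $(i - 1)
          else if ($i ~ /^SRC=/)     src = substr($i, 5)
          else if ($i ~ /^DPT=/)     dpt = substr($i, 5)
        }
        n[prefix "\t" src "\t" dpt]++
      }
      END { for (k in n) print n[k] "\t" k }
    ' | sort -rn
}

# Constructed sample: three SYNs to port 23, one UDP probe, one ICMP timestamp
# request, all in the format the LOG target writes (addresses are documentation ranges).
SAMPLE='Mar  3 10:01:02 srv kernel: TCP Dropped IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:01:03 srv kernel: TCP Dropped IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:01:04 srv kernel: TCP Dropped IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:02:10 srv kernel: UDP Dropped IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.2 LEN=64 TOS=0x00 PREC=0x00 TTL=60 ID=1234 PROTO=UDP SPT=5353 DPT=1900 LEN=44
Mar  3 10:03:00 srv kernel: ICMP Dropped IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=13 CODE=0 ID=1 SEQ=1'

printf '%s\n' "$SAMPLE" | drop_summary
```

The counts are a lower bound, not a packet count: the limit match in LTDROP caps how many drops per protocol get logged, so a flood shows up as a steady trickle of lines. The summary is for seeing which sources and ports are being dropped, and for spotting a legitimate service that is being blocked because its INPUT rule is missing.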
5 - Keep an eye on disk fscking due-dates
tune2fs -l /dev/md0 (as root) prints, among other things, the Mount count, Maximum mount count, Last checked, Check interval and Next check after fields. When the mount count reaches the maximum or the interval runs out, the next boot runs a full fsck, which on a large ext3 filesystem can keep the server down for a long time at the worst possible moment. Read the values for every production filesystem and either move the check to a window you choose (for example tune2fs -c 30 -i 6m /dev/md0; -T sets the "last checked" time) or run the fsck yourself, unmounted or from a rescue system, before the counter forces it. Turning the checks off entirely (-c 0 -i 0, which current mke2fs does by default) trades surprise downtime for never catching silent corruption.
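As an added example (not from the original page) of turning that into a check you can run from cron: a shell function that reads tune2fs -l output and reports whether a forced fsck is disabled, due, or coming up within a few mounts. The sample it parses at the end is constructed in the tune2fs -l format, not taken from a real device.

```sh
#!/bin/sh
# Added example, not from the original page: classify how close an ext2/3/4
# filesystem is to a forced fsck from the fields that "tune2fs -l" prints.
# Real use (as root):  tune2fs -l /dev/md0 | fsck_status 3
# Exit status 0 = OK or periodic checking disabled, 1 = SOON, 2 = DUE, so the
# function can sit in a cron job that mails on anything non-zero.

# Print the value of one "Key:   value" line from tune2fs -l output held in $1.
tune2fs_field() {
    printf '%s\n' "$1" | awk -v k="$2:" 'index($0, k) == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

fsck_status() {
    warn=${1:-3}                       # warn when this many mounts or fewer remain
    out=$(cat)                         # tune2fs -l output on stdin
    count=$(tune2fs_field "$out" "Mount count");          count=${count:-0}
    max=$(tune2fs_field "$out" "Maximum mount count");    max=${max:--1}
    interval=$(tune2fs_field "$out" "Check interval" | awk '{ print $1 }')
    interval=${interval:-0}
    next=$(tune2fs_field "$out" "Next check after")
    # -1 (or 0) mounts and a 0 interval is what current mke2fs writes: no periodic checks.
    if [ "$max" -lt 1 ] && [ "$interval" -eq 0 ]; then
        echo "DISABLED mount=$count/$max interval=0"; return 0
    fi
    if [ "$max" -ge 1 ] && [ "$count" -ge "$max" ]; then
        echo "DUE mount=$count/$max next check after: ${next:-n/a}"; return 2
    fi
    if [ "$max" -ge 1 ] && [ $((max - count)) -le "$warn" ]; then
        echo "SOON mount=$count/$max next check after: ${next:-n/a}"; return 1
    fi
    echo "OK mount=$count/$max next check after: ${next:-n/a}"; return 0
}

# Constructed sample in tune2fs -l format (not output from a real device).
SAMPLE='Filesystem volume name:   <none>
Mount count:              28
Maximum mount count:      30
Last checked:             Mon Jan  1 00:00:00 2024
Check interval:           15552000 (6 months)
Next check after:         Sat Jun 29 00:00:00 2024'

printf '%s\n' "$SAMPLE" | fsck_status 3 || :
```

The date-based deadline is only printed, not compared against the clock, because portable sh has no date parser; the mount-count arithmetic is what usually bites a server that gets rebooted for kernel updates.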
4 - Turn off reverse DNS lookup
Daemons that resolve every connecting address back to a hostname (sshd with UseDNS yes, Apache with HostnameLookups On, tcp_wrappers when hosts.allow matches on names) wait for that DNS round trip on every connection and stall badly when the resolver is slow or the client has no PTR record. Set UseDNS no in /etc/ssh/sshd_config and HostnameLookups Off in httpd.conf, log client addresses as numbers, and resolve them afterwards, offline, if a report needs names.
3 - Improve hard drive performance
* Check the current disk parameters by running:
hdparm -v /dev/hda
/dev/hda:
multcount = 16 (on)
IO_support = 0 (default 16-bit)
unmaskirq = 0 (off)
using_dma = 1 (on)
keepsettings = 0 (off)
readonly = 0 (off)
readahead = 256 (on)
geometry = 65535/16/63, sectors = 241254720, start = 0
* Test the drive by running:
hdparm -t /dev/hda
/dev/hda:
Timing buffered disk reads: 138 MB in 3.03 seconds = 45.58 MB/sec
(You may want to run this test multiple times and average the result)
* If using_dma shows 0 (off), enable DMA by running:
hdparm -d1 /dev/hda
Note that hdparm -d with no number only reports the current setting; -d1 turns DMA on and -d0 turns it off. The change does not survive a reboot, so add the command to your init scripts (or /etc/hdparm.conf on distributions that ship it). The same goes for 32-bit I/O (-c1), which the output above shows as off. These are IDE-era knobs: drives handled by libata (/dev/sdX) already run with DMA and ignore them. After any change, run the timing test again and look in the kernel log for DMA or IRQ errors; a controller that cannot cope with a setting such as -u1 (unmaskirq) shows up there, not as a slower number.
See the hdparm man page for more info
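An added example, not part of the original page, of the "run it several times and average the result" advice, plus reading the using_dma flag back out of hdparm -v: the hdparm output it parses at the end is constructed for the demonstration, not measured.

```sh
#!/bin/sh
# Added example, not from the original page: average several hdparm -t runs,
# since a single buffered-read timing is noisy, and check the DMA flag from
# hdparm -v output. The benchmark itself needs root and an otherwise idle disk:
#   bench_avg /dev/hda 5        # 5 runs, prints "mean min max runs" in MB/sec

# Average the "= N MB/sec" figures from hdparm -t/-T output on stdin.
avg_mbps() {
    awk '
      /MB\/sec/ {
        for (i = 1; i <= NF; i++) if ($i == "=") v = $(i + 1)
        n++; sum += v
        if (n == 1 || v < min) min = v
        if (n == 1 || v > max) max = v
      }
      END {
        if (n == 0) exit 1
        printf "%.2f %.2f %.2f %d\n", sum / n, min, max, n
      }'
}

# Run hdparm -t the requested number of times and average the results.
bench_avg() {
    dev=$1; runs=${2:-3}; i=0
    while [ "$i" -lt "$runs" ]; do
        hdparm -t "$dev"
        i=$((i + 1))
    done | avg_mbps
}

# Print 1 if hdparm -v output on stdin shows DMA on, 0 if off; exit 1 when the
# field is absent (libata/SATA drives do not report it).
dma_state() {
    awk '/using_dma/ { for (i = 1; i <= NF; i++) if ($i == "=") { print $(i + 1); found = 1 } }
         END { exit !found }'
}

# Constructed sample of three hdparm -t runs (not real measurements).
SAMPLE='/dev/hda:
 Timing buffered disk reads: 138 MB in 3.03 seconds = 45.58 MB/sec
/dev/hda:
 Timing buffered disk reads: 142 MB in 3.01 seconds = 47.18 MB/sec
/dev/hda:
 Timing buffered disk reads: 134 MB in 3.02 seconds = 44.37 MB/sec'

printf '%s\n' "$SAMPLE" | avg_mbps
```

Run the benchmark before and after changing a setting and compare the means; a spread between min and max wider than the difference between the two means tells you the change did nothing measurable.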
2 - Reduce I/O by delaying syslog syncing
From the syslog.conf man page: "You may prefix each entry with the minus sign "-" to omit syncing the file after every logging. Note that you might lose information if the system crashes right behind a write attempt. Nevertheless this might give you back some performance, especially if you run programs that use logging in a very verbose manner."
From personal experience, I can tell you that if you have a busy log file (think tons of spam or a DoS attack), then this configuration change WILL make a big performance difference.
So, these lines in /etc/syslog.conf:
*.info;mail.none;authpriv.none;cron.none /var/log/messages
mail.* /var/log/maillog
Become:
*.info;mail.none;authpriv.none;cron.none -/var/log/messages
mail.* -/var/log/maillog
Don't forget to restart syslog after making these changes (kill -HUP $(cat /var/run/syslogd.pid), or service syslog restart). Leave the files you rely on for security auditing, such as authpriv.* going to /var/log/secure, without the minus sign: the information the man page says you might lose is exactly what you want intact after a crash or a break-in. On rsyslog the minus sign is accepted but changes nothing, since it already skips the sync unless $ActionFileEnableSync is turned on.
1 - Reduce I/O by mounting filesystems with the 'noatime' option
This disables the update to a file's last-access timestamp that otherwise turns every read into a write. Few programs depend on atime (tmpwatch and mutt come to mind; some backup software may, but that is unconfirmed). Many people use this tweak, including Linus Torvalds himself. Two things to weigh before switching it on everywhere: atime is one of the timestamps an incident investigation uses to establish when a file was last read, so on systems where that evidence matters prefer relatime (the kernel default since 2.6.30), which still updates atime when it is older than mtime or ctime or more than a day old; and noatime already implies nodiratime, so there is no need to add the latter alongside it.
So, these lines in /etc/fstab:
/dev/md0 / ext3 defaults 1 1
/dev/vg0/var /var ext3 defaults 1 2
/dev/vg0/usr /usr ext3 defaults 1 2
Become
/dev/md0 / ext3 noatime 1 1
/dev/vg0/var /var ext3 noatime 1 2
/dev/vg0/usr /usr ext3 noatime 1 2
After making these changes, you will need to remount each filesystem (mount -o remount,noatime /var, and likewise for the others, including /). If you are making this change for all of your filesystems, rebooting is the simplest way to be sure the fstab entries are what is actually in effect; either way, confirm with cat /proc/mounts that noatime appears in the options of every filesystem you edited.
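An added example, not from the original page, of doing the remount without a reboot: the function compares /etc/fstab with /proc/mounts and prints the remount command for every filesystem that has noatime in fstab but is still mounted without it. The demo writes a constructed fstab and mounts file to a temporary directory; neither describes a real system.

```sh
#!/bin/sh
# Added example, not from the original page: list the filesystems whose fstab
# entry now says noatime but which are still mounted with atime updates, and
# print the remount command for each.
#   pending_noatime                      # uses /etc/fstab and /proc/mounts
#   pending_noatime my.fstab my.mounts   # or any two files in those formats

pending_noatime() {
    fstab=${1:-/etc/fstab}
    mounts=${2:-/proc/mounts}
    # Matching is by mount point, not device: /proc/mounts reports LVM volumes as
    # /dev/mapper/vg-lv while fstab usually names them /dev/vg/lv.
    awk '
      # pass 1: fstab -> mount points that should have noatime
      NR == FNR {
        if ($0 ~ /^[ \t]*#/ || NF < 4) next
        if (("," $4 ",") ~ /,noatime,/) want[$2] = 1
        next
      }
      # pass 2: /proc/mounts -> report those still mounted without it
      ($2 in want) && (("," $4 ",") !~ /,noatime,/) {
        print "mount -o remount,noatime " $2
      }' "$fstab" "$mounts"
}

# Demo on constructed files: / is already remounted, /var and /usr are not,
# /home was never changed in fstab.
demo_pending_noatime() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/fstab" <<'EOF'
# constructed fstab for the example (not a real system)
/dev/md0      /     ext3  noatime   1 1
/dev/vg0/var  /var  ext3  noatime   1 2
/dev/vg0/usr  /usr  ext3  noatime   1 2
/dev/vg0/home /home ext3  defaults  1 2
EOF
    cat > "$dir/mounts" <<'EOF'
/dev/md0 / ext3 rw,noatime,data=ordered 0 0
/dev/mapper/vg0-var /var ext3 rw,data=ordered 0 0
/dev/mapper/vg0-usr /usr ext3 rw,relatime,data=ordered 0 0
/dev/mapper/vg0-home /home ext3 rw,data=ordered 0 0
EOF
    pending_noatime "$dir/fstab" "$dir/mounts"
    rm -rf "$dir"
}

demo_pending_noatime
```

Pipe the real output into sh once you have read it (pending_noatime | sh), then run pending_noatime again: an empty result means fstab and the running system agree.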