Top 6 Linux Server Performance Tweaks

6 - Improve network performance by having iptables drop bogus packets in a black hole

#!/bin/sh
# Flush all chains and delete any user-defined chains left over from a previous run
/sbin/iptables -t filter -F
/sbin/iptables -t nat    -F
/sbin/iptables -t mangle -F
/sbin/iptables -t filter -X

# Set default policies: anything not explicitly accepted below is dropped
/sbin/iptables -t filter -P INPUT DROP
/sbin/iptables -t filter -P OUTPUT DROP
/sbin/iptables -t filter -P FORWARD DROP

# Create the custom Log-Then-Drop chain. The chain must exist before rules can be
# appended to it, so it is created with -N first. The limit match keeps a flood of
# bogus packets from filling the log (--limit 4 with no unit means 4 per hour, the
# default unit), and the prefixes make the entries easy to pick out of the kernel log.
/sbin/iptables -t filter -N LTDROP
/sbin/iptables -t filter -A LTDROP -p tcp  -m limit --limit 4 -j LOG --log-level info --log-prefix "TCP Dropped "
/sbin/iptables -t filter -A LTDROP -p udp  -m limit --limit 4 -j LOG --log-level info --log-prefix "UDP Dropped "
/sbin/iptables -t filter -A LTDROP -p icmp -m limit --limit 4 -j LOG --log-level info --log-prefix "ICMP Dropped "
/sbin/iptables -t filter -A LTDROP -f -m limit --limit 4 -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
/sbin/iptables -t filter -A LTDROP -p icmp -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -t filter -A LTDROP -j DROP

# Rules for traffic coming FROM anywhere destined TO this machine
/sbin/iptables -t filter -A INPUT -m state --state INVALID -j LTDROP
/sbin/iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Add more INPUT rules here (loopback traffic and the services this host offers
# need explicit ACCEPT rules; nothing else reaches the machine)
/sbin/iptables -t filter -A INPUT   -j LTDROP

# Rules for traffic coming FROM this machine destined TO anywhere
/sbin/iptables -t filter -A OUTPUT -m state --state INVALID -j LTDROP
/sbin/iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Add more OUTPUT rules here (the state rule above only covers replies; new
# outbound connections such as DNS lookups need their own ACCEPT rules)
/sbin/iptables -t filter -A OUTPUT  -j LTDROP

# Rules for traffic coming FROM anywhere destined TO anywhere
/sbin/iptables -t filter -A FORWARD -m state --state INVALID -j LTDROP
# Add FORWARD rules here (if needed)
/sbin/iptables -t filter -A FORWARD -j LTDROP
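The LTDROP chain above tags every logged packet with a "TCP Dropped " / "UDP Dropped " / "ICMP Dropped " / "FRAGMENT Dropped " prefix, which makes the kernel log easy to summarise. The following script is an added example, not part of the original article: it counts drops per prefix and source address. The sample log lines are constructed for this example (RFC 5737 documentation addresses, abbreviated LOG fields); on a real server you would feed it /var/log/messages.

```shell
#!/bin/sh
# Constructed sample of what the LTDROP LOG rules write to the kernel log,
# plus one unrelated sshd line to show that non-firewall entries are ignored.
SAMPLE_LOG='Jan 12 10:01:02 srv kernel: TCP Dropped IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=4444 DPT=22 SYN
Jan 12 10:01:03 srv kernel: TCP Dropped IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=4445 DPT=23 SYN
Jan 12 10:01:05 srv kernel: UDP Dropped IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=UDP SPT=53 DPT=1025
Jan 12 10:01:07 srv kernel: ICMP Dropped IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0
Jan 12 10:01:09 srv kernel: TCP Dropped IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=4446 DPT=25 SYN
Jan 12 10:01:10 srv sshd[123]: Accepted publickey for admin from 198.51.100.7'

# summarize_ltdrop [logfile...]
# Reads kernel log lines (stdin when no file is given) and prints one line per
# (LOG prefix, source address) pair: "<count> <prefix> <SRC>", busiest first.
summarize_ltdrop() {
    awk '
        / kernel: (TCP|UDP|ICMP|FRAGMENT) Dropped / {
            # The word in front of "Dropped" is the --log-prefix set in LTDROP
            for (i = 1; i <= NF; i++) if ($i == "Dropped") prefix = $(i - 1)
            src = "?"
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) src = substr($i, 5)
            count[prefix " " src]++
        }
        END { for (k in count) print count[k], k }
    ' "$@" | sort -rn
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_LOG" | summarize_ltdrop
```

Because the LOG rules are rate-limited, the counts are a lower bound on what was actually dropped; they show who is hitting the firewall, not the full volume.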

5 - Keep an eye on disk fscking due-dates


4 - Turn off reverse DNS lookup

3 - Improve hard drive performance

* Check the current disk parameters by running:

hdparm -v /dev/hda:

 multcount    = 16 (on)
 IO_support   =  0 (default 16-bit)
 unmaskirq    =  0 (off)
 using_dma    =  1 (on)
 keepsettings =  0 (off)
 readonly     =  0 (off)
 readahead    = 256 (on)
 geometry     = 65535/16/63, sectors = 241254720, start = 0

* Test the drive by running:

hdparm -t /dev/hda

 Timing buffered disk reads:  138 MB in  3.03 seconds =  45.58 MB/sec

(You may want to run this test multiple times and average the result)

* Enable DMA (if using_dma shows 0/off above) by running:

hdparm -d1 /dev/hda

(hdparm -d /dev/hda with no value only reports the current setting, it does not change it.) See the hdparm man page for more info.

2 - Reduce I/O by delaying syslog syncing

From the syslog.conf man page: "You may prefix each entry with the minus sign "-" to omit syncing the file after every logging. Note that you might lose information if the system crashes right behind a write attempt.  Nevertheless this might give you back some performance, especially if you run programs that use logging in a very verbose manner."

From personal experience, I can tell you that if you have a busy log file (think tons of spam or a DoS attack), then this configuration change WILL make a big performance difference.

So, these lines in /etc/syslog.conf:
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
mail.*                                                  /var/log/maillog

become (note the leading "-" in front of each file name):
*.info;mail.none;authpriv.none;cron.none                -/var/log/messages
mail.*                                                  -/var/log/maillog

Don't forget to restart syslog after making these changes.

1 - Reduce I/O by mounting filesystems with the 'noatime' option

This disables access-time (atime) updates, so a file read no longer also triggers a metadata write to update its inode. Generally, atime is only used by a few programs (tmpwatch and mutt come to mind), and potentially by some backup software (unconfirmed at this time). Many people use this performance tweak, even Linus Torvalds himself!

So, these lines in /etc/fstab:
/dev/md0                /                       ext3    defaults        1 1
/dev/vg0/var            /var                    ext3    defaults        1 2
/dev/vg0/usr            /usr                    ext3    defaults        1 2

become:
/dev/md0                /                       ext3    noatime        1 1
/dev/vg0/var            /var                    ext3    noatime        1 2
/dev/vg0/usr            /usr                    ext3    noatime        1 2

After making these changes, you will need to remount the filesystems. If you are making this change for all of your filesystems, your best bet may be to just reboot the server.