Raid HW

megacli -CfgLdAdd -r0 [252:0,252:1] WB RA Direct CachedBadBBU -a0
megacli -CfgLdAdd -r1 [252:0,252:1] WT NORA Direct CachedBadBBU -a0

WT : write-through. Faster; data in the disk cache is considered written.
WB : write-back. Safer; only considered written once on disk.
NORA : No Read Ahead
RA : Read Ahead
ADRA : Adaptive Read Ahead; if the previous two requests were sequential it pre-loads the next in sequence.
Cached : cache reads.
Direct : only the previous read is cached.
-strpszM : stripe size, so -strpsz64 means a 64 KB stripe size.
Hsp[E0:S0] : choose this drive to be a hot-spare
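As an added example (not part of these notes), a shell function that audits the cache policy of every logical drive from the text report of `MegaCli -LDInfo -Lall -aAll`. The CachedBadBBU option in the two commands above keeps the controller's write cache enabled when the battery backup unit has failed or is missing, so a power loss then discards whatever the controller has acknowledged but not yet written to disk; the check flags that combination as RISK and plain write-back volumes as WARN. The sample report is constructed to mimic the MegaCli output layout; the function and its verdicts are mine, not MegaCli's.

```shell
#!/bin/sh
# Added example, not from the original notes: audit MegaCli logical-drive
# cache policies. Input is the text report from
#   MegaCli -LDInfo -Lall -aAll
# Each "Current Cache Policy" line is classified:
#   RISK  write-back with "Write Cache OK if Bad BBU" (the CachedBadBBU
#         option above): cached writes are lost on power failure once
#         the battery is bad or absent
#   WARN  write-back protected by the BBU; the controller falls back to
#         write-through while the battery is bad
#   OK    write-through
# SAMPLE_LDINFO is constructed to mimic the report layout.

SAMPLE_LDINFO='Adapter 0 -- Virtual Drive Information:
Virtual Drive: 0 (Target Id: 0)
RAID Level          : Primary-0, Secondary-0, RAID Level Qualifier-0
Size                : 1.818 TB
State               : Optimal
Strip Size          : 64 KB
Number Of Drives    : 2
Current Cache Policy: WriteBack, ReadAhead, Direct, Write Cache OK if Bad BBU
Virtual Drive: 1 (Target Id: 1)
RAID Level          : Primary-1, Secondary-0, RAID Level Qualifier-0
Size                : 931.0 GB
State               : Optimal
Strip Size          : 64 KB
Number Of Drives    : 2
Current Cache Policy: WriteThrough, ReadAheadNone, Direct, No Write Cache if Bad BBU'

# audit_cache_policy: reads the report on stdin and prints
#   VD<n> <policy> <verdict>
# for every virtual drive. Returns 1 if any drive is RISK, else 0.
audit_cache_policy() {
    awk '
        /^Virtual Drive:/ { vd = $3 }
        /^Current Cache Policy:/ {
            sub(/^Current Cache Policy: */, "")
            verdict = "OK"
            if ($0 ~ /WriteBack/)
                verdict = ($0 ~ /Write Cache OK if Bad BBU/) ? "RISK" : "WARN"
            printf "VD%s %s %s\n", vd, $0, verdict
            if (verdict == "RISK") bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Run over the constructed sample when invoked as: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LDINFO" | audit_cache_policy
fi
```

On a live box pipe the real report in with `MegaCli -LDInfo -Lall -aAll | audit_cache_policy`, and read it next to `MegaCli -AdpBbuCmd -GetBbuStatus -aAll`, which reports the battery state the verdict depends on.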

nginx tips

http://www.nginxtips.com/how-to-install-nginx-geoip-module/
http://www.nginxtips.com/how-to-install-mod_security-on-nginx/
http://articles.slicehost.com/2009/2/2/centos-adding-an-nginx-init-script
http://www.nginxtips.com/nginx-optimization-the-definitive-guide/
https://github.com/cfsego/nginx-limit-upstream/
https://github.com/kyprizel/nginx_ocsp_proxy-module
http://wiki.nginx.org/HttpHealthcheckModule
https://code.google.com/p/nginx-sflow-module/
http://labs.frickle.com/nginx_ngx_slowfs_cache/
https://github.com/yaoweibin/nginx_tcp_proxy_module

nginx init.d

vim /etc/init.d/nginx

#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig: - 85 15
# description: Nginx is an HTTP(S) server, HTTP(S) reverse \
# proxy and IMAP/POP3 proxy server
# processname: nginx
# config: /usr/local/nginx/conf/nginx.conf
# pidfile: /usr/local/nginx/logs/nginx.pid


nginx build scr

yum install -y gcc make automake autoconf libtool pcre pcre-devel libxml2 libxml2-devel curl curl-devel httpd-devel gcc-c++ pcre-dev pcre-devel zlib-devel make unzip

git clone https://github.com/SpiderLabs/ModSecurity.git mod_security
cd mod_security
./autogen.sh
./configure --enable-standalone-module
make

http://www.webtrafficexchange.com/how-mitigate-ddos-modsecurity-and-modevasive-centos-6
http://blog.cherouvim.com/simple-dos-protection-with-mod_security/
# run from /root: the --add-module paths below assume mod_security and ngx_pagespeed live there
cd /root
NPS_VERSION=1.9.32.2
wget https://github.com/pagespeed/ngx_pagespeed/archive/release-${NPS_VERSION}-beta.zip
unzip release-${NPS_VERSION}-beta.zip
cd ngx_pagespeed-release-${NPS_VERSION}-beta/
wget https://dl.google.com/dl/page-speed/psol/${NPS_VERSION}.tar.gz
tar -xzvf ${NPS_VERSION}.tar.gz
cd /root
wget http://nginx.org/download/nginx-1.7.7.tar.gz
tar -xvpzf nginx-1.7.7.tar.gz
cd nginx-1.7.7
./configure --add-module=/root/mod_security/nginx/modsecurity --add-module=/root/ngx_pagespeed-release-${NPS_VERSION}-beta
make
make install

sysctl.txt

/proc/sys/net/ipv4/* Variables:

ip_forward - BOOLEAN
0 - disabled (default)
not 0 - enabled

Forward Packets between interfaces.

This variable is special, its change resets all configuration
parameters to their default state (RFC1122 for hosts, RFC1812
for routers)


tuning 10Gbps

sysctl
========
fs.file-max = 5000000
net.core.netdev_max_backlog = 400000
net.core.optmem_max = 10000000
net.core.rmem_default = 10000000
net.core.rmem_max = 10000000
net.core.somaxconn = 100000
net.core.wmem_default = 10000000
net.core.wmem_max = 10000000
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_local_port_range = 1024 65535
net.ipv4.tcp_ecn = 0
net.ipv4.tcp_max_syn_backlog = 12000
net.ipv4.tcp_max_tw_buckets = 2000000
net.ipv4.tcp_mem = 30000000 30000000 30000000
net.ipv4.tcp_rmem = 30000000 30000000 30000000
net.ipv4.tcp_sack = 1
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_wmem = 30000000 30000000 30000000
net.ipv4.tcp_tw_reuse = 1
net.netfilter.nf_conntrack_max = 131072
net.ipv4.netfilter.ip_conntrack_generic_timeout = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 54000
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 30
net.ipv4.ip_forward=1
net.core.wmem_max=12582912
net.core.rmem_max=12582912
net.ipv4.tcp_rmem= 10240 87380 12582912
net.ipv4.tcp_no_metrics_save = 1
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_timestamps = 1
net.ipv4.tcp_wmem= 10240 87380 12582912
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=2048
net.netfilter.nf_conntrack_tcp_timeout_syn_recv=40
sysctl -p
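As an added example (not part of these notes), a shell function that reports keys a sysctl file sets more than once with different values. `sysctl -p` applies the file top to bottom and the last occurrence wins silently: the list above sets net.ipv4.tcp_syncookies to 0 and later to 1, and sets the socket buffer limits twice, so the effective values are not the ones first written. The SAMPLE excerpt is constructed to reproduce that pattern; the function is mine.

```shell
#!/bin/sh
# Added example, not from the original notes: find keys that a sysctl
# file sets more than once with different values. sysctl -p applies the
# file top to bottom, so the last occurrence wins silently. SAMPLE is a
# constructed excerpt that reproduces the conflicts in the list above.

SAMPLE='net.core.rmem_max = 10000000
net.ipv4.tcp_syncookies = 0
# comments and blank lines are ignored

net.core.rmem_max=12582912
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_sack = 1'

# sysctl_conflicts [FILE]: reads FILE (default: stdin) and prints
#   key: old -> new (line N overrides line M)
# for every value change. Repeats with the same value are not reported.
# Returns 1 if any conflict was printed, 0 otherwise.
sysctl_conflicts() {
    awk '
        /^[[:space:]]*(#|;|$)/ { next }                 # comment or blank
        index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            gsub(/[[:space:]]+/, " ", val)              # normalise "a  b" to "a b"
            if ((key in seen) && seen[key] != val) {
                printf "%s: %s -> %s (line %d overrides line %d)\n",
                       key, seen[key], val, NR, where[key]
                n++
            }
            seen[key] = val
            where[key] = NR
        }
        END { exit (n ? 1 : 0) }
    ' "${1:--}"
}

# Run over the constructed sample when invoked as: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE" | sysctl_conflicts
fi
```

Run it as `sysctl_conflicts /etc/sysctl.conf` before `sysctl -p`; a non-zero exit means at least one key ends up with a value other than the one written first, and the printed line numbers show which entry to delete.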

init setup

System update
============
yum localinstall http://dl.iuscommunity.org/pub/ius/stable/CentOS/6/x86_64/ius-release-1.0-13.ius.centos6.noarch.rpm
yum install -y wget
yum localinstall http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum update

Kvm install
============
wget -N http://files.virtualizor.com/install.sh
chmod 0755 install.sh
./install.sh email=id3@id3m.net kernel=kvm lvg=new

===============================================================
## Get the latest source
cd /usr/src/utils
mkdir -p ddos
cd ddos
wget http://www.inetbase.com/scripts/ddos/install.sh
sh install.sh
echo /usr/local/ddos/ddos.sh -c >> /etc/rc.local
===============================================================

ipdeny

http://www.ipdeny.com/ipblocks/
http://www.ipdeny.com/blog/blocking-country-ip-tables-using-our-data-blocks-and-ipset-utility/
# brace expansion needs bash; the set must exist before prefixes are added
# (ipset 6.x syntax; on ipset 4.x use "ipset -N geoblock nethash" and "ipset -A")
ipset create geoblock hash:net
for IP in $(wget -q -O - http://www.ipdeny.com/ipblocks/data/countries/{cn,kr,pk,tw,sg,hk,pe,in}.zone)
do
    ipset add geoblock "$IP"
done

iptables -A INPUT -m set --match-set geoblock src -j DROP
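As an added example (not part of these notes), a more careful way to load the ipdeny zones: convert them into an `ipset restore` stream rather than calling ipset once per prefix. Each line is validated as an IPv4 CIDR before it is emitted, so a truncated or tampered download cannot smuggle other ipset commands into the stream, and the prefixes go into a temporary set that is swapped in atomically, so the INPUT rule never matches against a half-filled set. The function, set names and the SAMPLE_ZONE data are mine and constructed; `create -exist`, `swap` and `destroy` are ipset 6.x commands.

```shell
#!/bin/sh
# Added example, not from the original notes: convert ipdeny zone files
# into an "ipset restore" script. Only syntactically valid IPv4 CIDRs are
# emitted; everything else is reported on stderr and dropped. The
# prefixes are loaded into <set>_tmp and then swapped into <set>.
# SAMPLE_ZONE is constructed; real zone files come from
# http://www.ipdeny.com/ipblocks/data/countries/

SAMPLE_ZONE='1.0.1.0/24
1.0.2.0/23
203.0.113.0/24
not-an-address
300.1.1.0/24
10.0.0.0/33
flush
'

# zone_to_restore SETNAME: zone lines on stdin, ipset restore commands on
# stdout, rejected lines on stderr. Returns 1 if no prefix was accepted.
zone_to_restore() {
    name="$1"
    awk -v set="$name" '
        function valid_cidr(c,   part, oct, i) {
            if (split(c, part, "/") != 2) return 0
            if (part[2] !~ /^[0-9]+$/ || part[2] + 0 > 32) return 0
            if (split(part[1], oct, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (oct[i] !~ /^[0-9]+$/ || length(oct[i]) > 3 || oct[i] + 0 > 255) return 0
            return 1
        }
        BEGIN { printf "create %s_tmp hash:net -exist\nflush %s_tmp\n", set, set }
        { sub(/\r$/, "") }                         # tolerate CRLF downloads
        /^[[:space:]]*$/ { next }                  # skip blank lines
        valid_cidr($0)  { printf "add %s_tmp %s\n", set, $0; ok++; next }
        { printf "rejected: %s\n", $0 > "/dev/stderr" }
        END {
            if (ok > 0)
                printf "create %s hash:net -exist\nswap %s_tmp %s\ndestroy %s_tmp\n", set, set, set, set
            exit (ok > 0 ? 0 : 1)
        }
    '
}

# Run over the constructed sample when invoked as: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s' "$SAMPLE_ZONE" | zone_to_restore geoblock
fi
```

In use: `wget -q -O - http://www.ipdeny.com/ipblocks/data/countries/{cn,kr}.zone | zone_to_restore geoblock | ipset restore`, then the same DROP rule as above, `iptables -A INPUT -m set --match-set geoblock src -j DROP`. Because the live set is only replaced by `swap` once every prefix has been accepted, a failed or partial download leaves the previous block list in force rather than an empty set.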