sysctl.conf network kernel parameter notes (repost)

What follows is my own understanding; it may contain errors and is for reference only.

To tune these parameters, you must know the TCP three-way handshake and four-way close inside out.

Three-way handshake:

client                          server
SYN_SENT        --- SYN --->    SYN_RECV
ESTABLISHED     <-- SYN/ACK --
                --- ACK --->    ESTABLISHED

Four-way close (client closes actively):

client (active)                 server
FIN_WAIT_1      --- FIN --->    CLOSE_WAIT
FIN_WAIT_2      <-- ACK ----
TIME_WAIT       <-- FIN ----    LAST_ACK
                --- ACK --->    CLOSED

The well-known SYN flooding / SYN spoofing attacks strike while the server sits in the SYN_RECV state. Because this weakness comes from the TCP/IP protocol itself, it can only be mitigated, not eliminated, short of replacing TCP/IP. The measures below can relieve DDoS attacks to some degree.

Enlarge the half-open connection queue (the backlog queue), and shorten the time spent in SYN_RECV by lowering the timeout before the first retransmission or by reducing the number of retransmissions.

To detect a SYN attack, use netstat to inspect the current connection states and their counts; a large number of connections in SYN_RECV is suspicious: $ netstat -tuna | grep . . .

HAProxy – route by domain name

by Sean Mcgary on September 28, 2013

http://seanmcgary.com/posts/haproxy—route-by-domain-name


I tend to build a lot of web applications in NodeJS using the Express.js webserver. When you have a few of these apps running on one server, you generally want to run them on unique ports and put some kind of proxy in front of . . .

convert mysql table engine myisam to innodb

#!/bin/bash
# Convert every MyISAM table in the given database to InnoDB.
if [ $# -ne 1 ]; then
    echo "usage: convert.sh database"
    exit 1
fi

date
db=$1
echo "Convert database $db"

# List the MyISAM tables of the database from information_schema (-B: batch, -N: no column headers).
mysql -B -N -e "SELECT TABLE_NAME, ENGINE FROM information_schema.TABLES WHERE TABLE_SCHEMA = '$db' AND ENGINE = 'myisam'" \
    | awk '{print $1}' \
    | while read -r table; do
        echo "+ Converting Table $table"
        # The original teaser is cut off here; the loop body is completed as the post's title describes.
        mysql -e "ALTER TABLE \`$db\`.\`$table\` ENGINE=InnoDB"
    done

kill mysql show processlist kill

#!/bin/bash
# Kill every MySQL thread whose SHOW PROCESSLIST row matches the filter.
# Replace "your detect filter" with the pattern that identifies the threads to kill.
date
for id in $(mysqladmin processlist | grep -i "your detect filter" | awk '{print $2}'); do
    mysqladmin kill "${id}"
    echo "${id}"
done

install capistrano in centos

yum install -y ruby ruby-devel rubygems
gem update
gem install capistrano
gem install capistrano-ext