Some Security-Related Linux Kernel Settings
(set in /etc/sysctl.conf or /etc/sysctl.d/*):
#### ipv4 networking ####
## TCP SYN cookie protection
## helps protect against SYN flood attacks
## only kicks in when net.ipv4.tcp_max_syn_backlog is reached
net.ipv4.tcp_syncookies = 1
## protect against tcp time-wait assassination hazards
## drop RST packets for sockets in the time-wait state
## (not widely supported outside of linux, but conforms to RFC)
net.ipv4.tcp_rfc1337 = 1
## tcp timestamps
## + protect against wrapping sequence numbers (at gigabit speeds)
## + round trip time calculation implemented in TCP
## - causes extra overhead and allows uptime detection by scanners like nmap
## enable at gigabit speeds
net.ipv4.tcp_timestamps = 0
#net.ipv4.tcp_timestamps = 1
## source address verification (sanity checking)
## helps protect against spoofing attacks
net.ipv4.conf.all.rp_filter = 1
## disable ALL packet forwarding (not a router, disable it)
net.ipv4.ip_forward = 0
## log martian packets
net.ipv4.conf.all.log_martians = 1
## ignore echo broadcast requests to prevent being part of smurf attacks
net.ipv4.icmp_echo_ignore_broadcasts = 1
## optionally, ignore all echo requests
#net.ipv4.icmp_echo_ignore_all = 1
## ignore bogus icmp errors
net.ipv4.icmp_ignore_bogus_error_responses = 1
## IP source routing (insecure, disable it)
net.ipv4.conf.all.accept_source_route = 0
## send redirects (not a router, disable it)
net.ipv4.conf.all.send_redirects = 0
## ICMP routing redirects (do not accept them; secure_redirects only matters if they are accepted)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
Reload these settings with the following command:
sysctl -p
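As an added example (not part of the original page), the following Python script audits a host's running sysctl values against the baseline listed above and reports every key that is missing or differs; the sample `sysctl -a` output it parses is constructed for offline use, and the two optional commented-out lines are deliberately not part of the baseline.

```python
"""Audit sysctl values against the hardening baseline listed above."""
import subprocess

# Expected values, taken from the page (optional commented-out lines omitted).
BASELINE = {
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.tcp_rfc1337": "1",
    "net.ipv4.tcp_timestamps": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.secure_redirects": "1",
}


def parse_sysctl(text):
    """Parse 'key = value' lines (from 'sysctl -a' or a sysctl.conf file).
    Blank lines and '#'/';' comments are skipped, so a commented-out
    setting such as '#net.ipv4.tcp_timestamps = 1' is NOT treated as set."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip()] = value.strip()
    return values


def audit(current, baseline=BASELINE):
    """Return {key: (expected, actual)} for each non-compliant baseline key;
    actual is None when the key is absent. Empty dict means compliant."""
    return {k: (v, current.get(k)) for k, v in baseline.items()
            if current.get(k) != v}


def audit_running_kernel():
    """Query the live kernel (Linux only) and audit it against BASELINE."""
    out = subprocess.run(["sysctl", "-a"], capture_output=True, text=True).stdout
    return audit(parse_sysctl(out))


# Constructed sample: forwarding left on, rp_filter only present as a comment.
SAMPLE = """net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 1
#net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_timestamps = 0
"""

if __name__ == "__main__":
    for key, (want, got) in sorted(audit(parse_sysctl(SAMPLE)).items()):
        print(f"{key}: expected {want}, got {got}")
```

Run `audit_running_kernel()` on a real host after applying the settings to confirm they took effect; note that `sysctl -p` alone reads only /etc/sysctl.conf, while `sysctl --system` also loads the files in /etc/sysctl.d/.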