Labels

Essential Linux Kernel Security Settings

Essential Linux Kernel Security Settings

Below are some important security-related kernel settings for Linux. These can be configured in /etc/sysctl.conf or by adding files to /etc/sysctl.d/.

IPv4 Networking Settings

  • TCP SYN Cookie Protection
    Protects against SYN flood attacks by enabling TCP SYN cookies. This kicks in only when net.ipv4.tcp_max_syn_backlog is reached:

    net.ipv4.tcp_syncookies = 1

  • Time-Wait Assassination Protection
    Drops RST packets for sockets in the TIME-WAIT state to prevent TCP time-wait assassination hazards. Although not widely supported outside Linux, this conforms to RFC standards:

    net.ipv4.tcp_rfc1337 = 1

  • TCP Timestamps

    • Pros: Protects against sequence number wrapping at gigabit speeds and provides round-trip time calculations.
    • Cons: Adds overhead and allows uptime detection by tools like Nmap.
      Enable for gigabit speeds:
    net.ipv4.tcp_timestamps = 0  
#net.ipv4.tcp_timestamps = 1

  • Source Address Verification
    Helps prevent spoofing attacks by verifying the source address of incoming packets:

    net.ipv4.conf.all.rp_filter = 1

  • Disable Packet Forwarding
    If the system is not a router, disable packet forwarding:

    net.ipv4.ip_forward = 0

  • Log Martian Packets
    Logs packets with impossible source addresses to help identify potential issues:

    net.ipv4.conf.all.log_martians = 1

  • Prevent Smurf Attacks
    Ignores ICMP echo broadcast requests:

    net.ipv4.icmp_echo_ignore_broadcasts = 1

  • Optional: Ignore All Echo Requests
    Prevents the system from responding to ICMP echo requests (ping):

    #net.ipv4.icmp_echo_ignore_all = 1

  • Ignore Bogus ICMP Errors
    Avoids reacting to malformed ICMP error messages:

    net.ipv4.icmp_ignore_bogus_error_responses = 1

  • Disable IP Source Routing
    Blocks insecure source routing of packets:

    net.ipv4.conf.all.accept_source_route = 0

  • Disable Sending Redirects
    Prevents the system from sending ICMP redirects (useful if the system is not a router):

    net.ipv4.conf.all.send_redirects = 0

  • Secure ICMP Routing Redirects
    Accepts only secure ICMP routing redirects while ignoring others:

    net.ipv4.conf.all.accept_redirects = 0  
net.ipv4.conf.all.secure_redirects = 1

Applying the Settings

Reload the kernel parameters with the following command:

sysctl -p
Labels:

Comments

Post a Comment

Popular Posts