Additional Settings for Kernel Hardening

  • Restrict Core Dumps
    Prevents core dumps from setuid and other privilege-changed processes, whose memory can expose sensitive information such as credentials:

    fs.suid_dumpable = 0

  • Randomize Address Space Layout (ASLR)
    Enables full randomization of memory addresses (stack, mmap region, and brk), making memory-corruption attacks such as buffer overflows harder to exploit reliably:

    kernel.randomize_va_space = 2

  • Disable IPv6 (if not needed)
    If your system does not use IPv6, disable it to reduce the attack surface:

    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1

  • Enable ExecShield (for older systems)
    Provides protection against some buffer overflow exploits on older Red Hat-derived kernels. The key does not exist on mainline kernels, where sysctl reports it as missing, so apply it only where it is present:

    kernel.exec-shield = 1

  • Protect Hard and Soft Links
    Restricts creating hard links to files the user does not own and following symlinks in world-writable directories, mitigating certain privilege escalation attacks:

    fs.protected_hardlinks = 1
    fs.protected_symlinks = 1

  • Limit Rate of Connections
    Limits the resources half-open connections can consume during a SYN flood by sizing the SYN backlog and reducing the number of handshake retries:

    net.ipv4.tcp_max_syn_backlog = 2048
    net.ipv4.tcp_synack_retries = 2
    net.ipv4.tcp_syn_retries = 5

  • ARP Filtering
    Makes each interface answer ARP requests only for addresses configured on it, rather than for any local address, which helps prevent ARP spoofing on multi-homed hosts:

    net.ipv4.conf.all.arp_filter = 1

  • Disable Source Routing for IPv6
    Just as for IPv4, ensure source-routed packets are rejected for IPv6:

    net.ipv6.conf.all.accept_source_route = 0
    net.ipv6.conf.default.accept_source_route = 0

  • TCP FIN Timeout
    Reduces how long a socket lingers in FIN-WAIT-2 after the local side closes it, freeing up resources faster:

    net.ipv4.tcp_fin_timeout = 15


Adding these settings further enhances your system’s security posture, especially on servers or systems exposed to the internet.
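As an added example (not part of the original post), the Python script below audits a sysctl.conf-style file like the one above against the running kernel: it parses the file, maps each key to its /proc/sys path and reports, per key, whether the kernel already has the desired value, a different value, or no such key at all, which is what happens with kernel.exec-shield on mainline kernels. The embedded sample configuration is constructed from the settings listed above; the leading "-" on the exec-shield line is the sysctl.conf convention for a key whose failure to apply should be ignored, and the audit treats such keys as optional.

```python
"""Audit a sysctl hardening file against the kernel's current values."""
import os
import tempfile

# Constructed sample in sysctl.conf syntax: the settings from the post.
# A leading '-' marks a key whose absence should not be treated as an error.
SAMPLE_CONF = """
# core dumps and ASLR
fs.suid_dumpable = 0
kernel.randomize_va_space = 2
; IPv6 off if unused
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
# ExecShield exists only on older Red Hat-derived kernels
-kernel.exec-shield = 1
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
net.ipv4.conf.all.arp_filter = 1
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.tcp_fin_timeout = 15
"""


def parse_sysctl_conf(text):
    """Return {key: (value, optional)} for sysctl.conf-style text.

    Blank lines and lines starting with '#' or ';' are comments, as in
    sysctl(8). A line without '=' is a malformed setting and is rejected
    rather than silently ignored.
    """
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        optional = line.startswith("-")
        if optional:
            line = line[1:].lstrip()
        if "=" not in line:
            raise ValueError(f"line {lineno}: no '=' in {line!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = (value, optional)
    return settings


def key_to_path(key):
    """Map a sysctl key to its path relative to /proc/sys.

    sysctl(8) uses '/' as the separator when the key contains one (so a
    component such as an interface name 'eth0.100' may contain dots);
    otherwise '.' separates the components.
    """
    sep = "/" if "/" in key else "."
    return "/".join(key.split(sep))


def audit(settings, sysroot="/proc/sys"):
    """Compare desired settings with the values found under sysroot.

    Status per key: 'ok', 'mismatch:<current>', 'unreadable',
    'missing', or 'optional-missing' for keys marked with '-'.
    """
    report = {}
    for key, (value, optional) in settings.items():
        path = os.path.join(sysroot, key_to_path(key))
        if not os.path.exists(path):
            report[key] = "optional-missing" if optional else "missing"
            continue
        try:
            with open(path) as fh:
                current = " ".join(fh.read().split())
        except PermissionError:
            report[key] = "unreadable"
            continue
        report[key] = "ok" if current == " ".join(value.split()) else f"mismatch:{current}"
    return report


def demo_audit():
    """Audit SAMPLE_CONF against a constructed fake /proc/sys tree.

    The fake tree holds the desired values except tcp_fin_timeout, which
    is left at the kernel default of 60, and it has no exec-shield entry,
    mirroring a mainline kernel.
    """
    settings = parse_sysctl_conf(SAMPLE_CONF)
    with tempfile.TemporaryDirectory() as root:
        for key, (value, _optional) in settings.items():
            if key == "kernel.exec-shield":
                continue  # constructed: mainline kernels lack this key
            path = os.path.join(root, key_to_path(key))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(("60" if key == "net.ipv4.tcp_fin_timeout" else value) + "\n")
        return audit(settings, root)


if __name__ == "__main__":
    print("constructed tree:")
    for key, status in demo_audit().items():
        print(f"  {status:18} {key}")
    print("this kernel:")
    for key, status in audit(parse_sysctl_conf(SAMPLE_CONF)).items():
        print(f"  {status:18} {key}")
```

Running the script prints the demo result for the constructed tree and then the same audit against the host's own /proc/sys, which needs no privileges for these keys because it only reads them. A "missing" status for a key without the "-" prefix is the signal to drop or prefix that line before running sysctl --system, so one unknown key does not mask a failure elsewhere in the file.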
