Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision
Previous revision
systems:media_server:secure_the_server:harden_linux_kernel_configuration_parameters [2025/05/31 11:54] – created peter
systems:media_server:secure_the_server:harden_linux_kernel_configuration_parameters [2025/05/31 16:07] (current) peter
Line 3: Line 3:
 The Linux kernel is flexible, and the way it works can be modified on the fly by dynamically changing some of its parameters using the **sysctl** command. The Linux kernel is flexible, and the way it works can be modified on the fly by dynamically changing some of its parameters using the **sysctl** command.
  
-  * **sysctl** can be used to both read and write sysctl data; i.e. it provides an interface that allows the examination and change of several hundred kernel parameters in Linux. +  * **sysctl** allows the viewing and changing of kernel settings on running system.
-  * Changes take effect immediately, and there is even a way to make them persist after reboot.+
     * The parameters available are those listed under /proc/sys/.     * The parameters available are those listed under /proc/sys/.
 +  * Changes take effect immediately.
 +  * The related **/etc/sysctl.conf** file is used to ensure that the settings persist after a reboot.
  
 <WRAP alert> <WRAP alert>
 **IMPORTANT NOTE:**  Editing the sysctl.conf file might break the system - this is for advanced users only. **IMPORTANT NOTE:**  Editing the sysctl.conf file might break the system - this is for advanced users only.
 </WRAP> </WRAP>
- 
  
 ---- ----
  
-====== Make a backup of the existing /etc/sysctl.conf file ======+===== Make a backup of the existing /etc/sysctl.conf file =====
  
 <code bash> <code bash>
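Review bot: "on running system" in the rewritten first bullet should read "on a running system". The WRAP alert warns that editing sysctl.conf might break the system but gives no way back; since the very next section is "Make a backup of the existing /etc/sysctl.conf file", a half-sentence in the alert pointing to that backup (restore it and re-run the activation step) would close the loop for the reader.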
Line 22: Line 22:
 ---- ----
  
-====== Modify the sysctl file ======+===== Modify the sysctl file =====
  
-<code bash> +Add the following entries to the bottom of the **/etc/sysctl.conf** file to stop some spoofing attacks and enhance other security measures:
-sudo vi /etc/sysctl.conf +
-</code> +
- +
-Remove the hash sign in front of certain command lines to stop some spoofing attacks and enhance other security measures:+
  
 <file bash /etc/sysctl.conf> <file bash /etc/sysctl.conf>
-net.ipv4.conf.default.rp_filter=1 +... 
-net.ipv4.conf.all.rp_filter=1 +... 
-net.ipv4.tcp_syncookies=1 +# Network Security
-net.ipv4.icmp_echo_ignore_broadcasts = 1 +
-net.ipv4.icmp_ignore_bogus_error_responses = 1 +
-net.ipv4.conf.all.accept_redirects = 0+
 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.all.send_redirects = 0
 +net.ipv4.conf.default.send_redirects = 0
 +net.ipv4.conf.all.accept_redirects = 0
 +net.ipv4.conf.default.accept_redirects = 0
 +net.ipv4.conf.all.secure_redirects = 0
 +net.ipv4.conf.default.secure_redirects = 0
 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.all.accept_source_route = 0
 +net.ipv4.conf.default.accept_source_route = 0
 +net.ipv4.conf.all.log_martians = 1
 +net.ipv4.conf.default.log_martians = 1
 +net.ipv4.icmp_echo_ignore_broadcasts = 1
 +net.ipv4.icmp_ignore_bogus_error_responses = 1
 +net.ipv4.conf.all.rp_filter = 1
 +net.ipv4.conf.default.rp_filter = 1
 +net.ipv4.tcp_syncookies = 1
 +net.ipv4.tcp_max_syn_backlog = 2048
 +net.ipv4.tcp_synack_retries = 2
 +net.ipv4.tcp_syn_retries = 5
  
 +# IPv6 Security (if enabled)
 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0
 +net.ipv6.conf.default.accept_redirects = 0
 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0
 +net.ipv6.conf.default.accept_source_route = 0
 +
 +# Process Security
 +kernel.randomize_va_space = 2
 +kernel.kptr_restrict = 2
 +kernel.dmesg_restrict = 1
 +kernel.perf_event_paranoid = 3
 +kernel.yama.ptrace_scope = 2
 +kernel.panic_on_oops = 1
 +kernel.panic = 60
 +kernel.sysrq = 0
 +
 +
 +# File System Security
 +fs.protected_hardlinks = 1
 +fs.protected_symlinks = 1
 +fs.suid_dumpable = 0
 +fs.protected_fifos = 2
 +fs.protected_regular = 2
 +
 +# Additional Security Measures
 +#dev.tty.ldisc_autoload = 0
 +#kernel.modules_disabled = 1
 +kernel.core_uses_pid = 1
 +kernel.panic_on_unrecovered_nmi = 1
 +kernel.panic_on_io_nmi = 1
 +kernel.unprivileged_bpf_disabled = 1
 +net.core.bpf_jit_harden = 2
 </file> </file>
  
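Review bot: the `kernel.panic_on_oops = 1` / `kernel.panic = 60` pair (together with `kernel.panic_on_unrecovered_nmi = 1` and `kernel.panic_on_io_nmi = 1` further down) turns any kernel oops or unrecovered NMI into an automatic reboot one minute later; that is a deliberate availability-for-integrity trade-off and should be stated in the prose above the `<file>` block, because "stop some spoofing attacks" does not prepare a media-server reader for the box rebooting itself. Two more lines in the same block deserve a one-line comment in the file: `kernel.unprivileged_bpf_disabled = 1` cannot be set back to 0 on the running kernel (only a reboot clears it), and `kernel.yama.ptrace_scope = 2` stops non-root users attaching `strace`/`gdb` even to their own processes, which will surprise anyone debugging the media software. Keys the running kernel does not expose (e.g. `kernel.yama.ptrace_scope` on a kernel built without the Yama LSM, or `fs.protected_fifos`/`fs.protected_regular` on kernels older than 4.19) will be reported as errors at activation time, so a sentence saying such errors are expected on older kernels would help. Minor: the two consecutive blank `+` lines before `# File System Security` can be collapsed to one.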
Line 48: Line 87:
 ---- ----
  
-====== Activate the kernel settings that have been modified ======+===== Activate the kernel settings that have been modified =====
  
 This reloads the sysctl parameters: This reloads the sysctl parameters:
Line 56: Line 95:
 </code> </code>
  
 +----
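Review bot: the added trailing `+----` puts a horizontal rule after the final `</code>` with nothing following it; every other `----` on this page sits before a heading, so unless a further section is planned, drop it to keep the separator convention consistent.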
systems/media_server/secure_the_server/harden_linux_kernel_configuration_parameters.1748692467.txt.gz · Last modified: 2025/05/31 11:54 by peter
