The Linux kernel is flexible, and the way it works can be modified on the fly by dynamically changing some of its parameters using the sysctl command.
IMPORTANT NOTE: Editing the sysctl.conf file might break the system - this is for advanced users only.
sudo cp /etc/sysctl.conf /etc/sysctl.conf.orig
Add the following entries to the bottom of the /etc/sysctl.conf file to stop some spoofing attacks and enhance other security measures:
... ... # Network Security net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_max_syn_backlog = 2048 net.ipv4.tcp_synack_retries = 2 net.ipv4.tcp_syn_retries = 5 # IPv6 Security (if enabled) net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 net.ipv6.conf.all.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0 # Process Security kernel.randomize_va_space = 2 kernel.kptr_restrict = 2 kernel.dmesg_restrict = 1 kernel.perf_event_paranoid = 3 kernel.yama.ptrace_scope = 2 kernel.panic_on_oops = 1 kernel.panic = 60 kernel.sysrq = 0 # File System Security fs.protected_hardlinks = 1 fs.protected_symlinks = 1 fs.suid_dumpable = 0 fs.protected_fifos = 2 fs.protected_regular = 2 # Additional Security Measures #dev.tty.ldisc_autoload = 0 #kernel.modules_disabled = 1 kernel.core_uses_pid = 1 kernel.panic_on_unrecovered_nmi = 1 kernel.panic_on_io_nmi = 1 kernel.unprivileged_bpf_disabled = 1 net.core.bpf_jit_harden = 2
Save the /etc/sysctl.conf file.
This reloads the sysctl parameters:
sudo sysctl -p