Wiki

User Tools

Site Tools

Trace: harden_linux_kernel_configuration_parameters
systems:media_server:secure_the_server:harden_linux_kernel_configuration_parameters

This is an old revision of the document!

Table of Contents

Systems - Media Server - Secure the Server - Harden Linux kernel configuration parameters

The Linux kernel is flexible, and the way it works can be modified on the fly by dynamically changing some of its parameters using the sysctl command.

  • sysctl can be used to both read and write sysctl data; i.e. it provides an interface that allows the examination and change of several hundred kernel parameters in Linux.
  • Changes take effect immediately, and there is even a way to make them persist after a reboot.
    • The parameters available are those listed under /proc/sys/.

IMPORTANT NOTE: Editing the sysctl.conf file might break the system - this is for advanced users only.

Make a backup of the existing /etc/sysctl.conf file

sudo cp /etc/sysctl.conf /etc/sysctl.conf.orig

Modify the sysctl file

Add the following entries to the bottom of the /etc/sysctl.conf file to stop some spoofing attacks and enhance other security measures:

/etc/sysctl.conf
...
...
# Network Security
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
 
# IPv6 Security (if enabled)
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
 
# Process Security
kernel.randomize_va_space = 2
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 3
kernel.yama.ptrace_scope = 2
kernel.panic_on_oops = 1
kernel.panic = 60
kernel.sysrq = 0
 
# File System Security
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.suid_dumpable = 0
fs.protected_fifos = 2
fs.protected_regular = 2
 
# Additional Security Measures
kernel.core_uses_pid = 1
kernel.panic_on_unrecovered_nmi = 1
kernel.panic_on_io_nmi = 1
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2

Save the /etc/sysctl.conf file.

Activate the kernel settings that have been modified

This reloads the sysctl parameters: 

sudo sysctl -p
systems/media_server/secure_the_server/harden_linux_kernel_configuration_parameters.1748693489.txt.gz · Last modified: 2025/05/31 12:11 by peter
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki