Hardening existing Linux server via sysctl parameters



The sysctl is a utility which is used to manage networking and other low-level protective Linux kernel parameters at runtime.

This cheatsheet allows quickly secure currently running server thought this powerful tool.

The configuration file for sysctl is located at /etc/sysctl.conf and contains the values to be read and set on system boot. The below parameters assure security for most Linux servers:

net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.send_redirects = 0

net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1800

Below is a description of sysctl directives used to secure server:

tcp_syncookies
This parameter can help to prevent SYN flood DDoS attacks by testing the validity of the SYN packets. For security reasons it is recommended to enable the parameter. Note that the process is conducted without consuming memory or connection resources.

ignore_broadcasts
A ping broadcast is used to see what hosts in LAN are up, but there are other ways to do this. It is safer to disable this option because ICMP (ping) broadcasts and multicasts are usually a sign of Smurf attack.

accept_redirects
The parameter allows to enable or disable ICMP redirects acceptance. ICMP redirects are important to routers, but can create security problems for servers, so it is recommended to set the parameter to off.

accept_source_route
Tells netfilter to accept or decline source routed packets. Source routed packets are security risk, because they can can allow routing packets through an untrusted or insecure interface.

rp_filter
This parameter controls reverse path filtering, which tries to ensure packets use legitimate source addresses. When is turned on it can prevent some IP spoofing attacks.

log_martians
The parameter allows to keep track of packets which could potentially indicate an attack on server. This packets are those that includes impossible IP addresses, bad source routing, bad redirect packets and others.

send_redirects
Enables or disables ICMP redirects which are used mainly by routers to send out ICMP redirects to other hosts. For security reasons, it is recommended to disable this option.

fin_timeout
Tells Netfilter how much seconds keep sockets in FIN-WAIT-2 state which means that connection is closed, and the socket is waiting for a shutdown from the remote end. Decreasing the value to 30 can avoid some DDoS attacks or other problems that arose from getting huge amounts of connections

tcp_keepalive_time
Tells the Netfilter how often to send TCP keepalive packets to keep an connection alive if it is currently unused. The value 1800, or 30 minutes, is a good value for most servers.