linux_hardening_guide:sysctl

Differences

This shows you the differences between two versions of the page.

linux_hardening_guide:sysctl [2025/05/31 15:07] peterlinux_hardening_guide:sysctl [2025/05/31 15:19] (current) peter
Line 172: Line 172:
 </code> </code>
  
-This helps protect against SYN flood attacks, which are a form of denial-of-service attack, in which an attacker sends a large amount of bogus SYN requests in an attempt to consume enough resources to make the system unresponsive to legitimate traffic. +This helps protect against [[https://en.wikipedia.org/wiki/SYN_flood|SYN flood attacks]], which are a form of denial-of-service attack, in which an attacker sends a large amount of bogus SYN requests in an attempt to consume enough resources to make the system unresponsive to legitimate traffic. 
  
 ---- ----
Line 180: Line 180:
 </code> </code>
  
-This protects against time-wait assassination by dropping RST packets for sockets in the time-wait state. +This protects against [[https://tools.ietf.org/html/rfc1337|time-wait assassination]] by dropping RST packets for sockets in the time-wait state. 
  
 ---- ----
Line 189: Line 189:
 </code> </code>
  
-These enable source validation of packets received from all interfaces of the machine. This protects against IP spoofing, in which an attacker sends a packet with a fraudulent IP address. +These enable source validation of packets received from all interfaces of the machine. 
 + 
 +  * This protects against [[https://en.wikipedia.org/wiki/IP_address_spoofing|IP spoofing]], in which an attacker sends a packet with a fraudulent IP address. 
 + 
 +---- 
 + 
 +<code bash> 
 +net.ipv4.conf.all.accept_redirects=0 
 +net.ipv4.conf.default.accept_redirects=0 
 +net.ipv4.conf.all.secure_redirects=0 
 +net.ipv4.conf.default.secure_redirects=0 
 +net.ipv6.conf.all.accept_redirects=0 
 +net.ipv6.conf.default.accept_redirects=0 
 +net.ipv4.conf.all.send_redirects=0 
 +net.ipv4.conf.default.send_redirects=0 
 +</code> 
 + 
 +These disable ICMP redirect acceptance and sending to prevent [[https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked|man-in-the-middle attacks]] and minimize information disclosure. 
 + 
 +---- 
 + 
 +<code bash> 
 +net.ipv4.icmp_echo_ignore_all=1 
 +</code> 
 + 
 +This setting makes your system ignore all ICMP requests to avoid Smurf attacks, make the device more difficult to enumerate on the network and prevent clock fingerprinting through ICMP timestamps.  
 + 
 +---- 
 + 
 +<code bash> 
 +net.ipv4.conf.all.accept_source_route=0 
 +net.ipv4.conf.default.accept_source_route=0 
 +net.ipv6.conf.all.accept_source_route=0 
 +net.ipv6.conf.default.accept_source_route=0 
 +</code> 
 + 
 +Source routing is a mechanism that allows users to redirect network traffic. 
 + 
 +  * As this can be used to perform man-in-the-middle attacks in which the traffic is redirected for nefarious purposes, the above settings disable this functionality.  
 + 
 +---- 
 + 
 +<code bash> 
 +net.ipv6.conf.all.accept_ra=0 
 +net.ipv6.conf.default.accept_ra=0 
 +</code> 
 + 
 +Malicious IPv6 router advertisements can result in a man-in-the-middle attack, so they should be disabled. 
 + 
 +---- 
 + 
 +<code bash> 
 +net.ipv4.tcp_sack=0 
 +net.ipv4.tcp_dsack=0 
 +net.ipv4.tcp_fack=0 
 +</code> 
 + 
 +This disables TCP SACK. 
 + 
 +  * SACK is commonly exploited and unnecessary in many circumstances, so it should be disabled if it is not required. 
 + 
 +---- 
 + 
 +====== Recommended sysctl settings to change for User Space ====== 
 + 
 +<code bash> 
 +kernel.yama.ptrace_scope=2 
 +</code> 
 + 
 +[[https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html|ptrace is a system call that allows a program to alter and inspect another running process]], which allows attackers to trivially modify the memory of other running programs. 
 + 
 +  * This restricts usage of ptrace to only processes with the CAP_SYS_PTRACE capability. 
 +  * Alternatively, set the sysctl to 3 to disable ptrace entirely.  
 + 
 +---- 
 + 
 +<code bash> 
 +vm.mmap_rnd_bits=32 
 +vm.mmap_rnd_compat_bits=16 
 +</code> 
 + 
 +[[https://en.wikipedia.org/wiki/Address_space_layout_randomization|ASLR]] is a common exploit mitigation which randomises the position of critical parts of a process in memory. This can make a wide variety of exploits harder to pull off, as they first require an information leak. The above settings increase the bits of entropy used for mmap ASLR, improving its effectiveness. 
 + 
 +The values of these sysctls must be set in relation to the CPU architecture. The above values are compatible with x86, but other architectures may differ.  
 + 
 +---- 
 + 
 +<code bash> 
 +fs.protected_symlinks=1 
 +fs.protected_hardlinks=1 
 +</code> 
 + 
 +This only permits symlinks to be followed when outside of a world-writable sticky directory, when the owner of the symlink and follower match or when the directory owner matches the symlink's owner. 
 + 
 +  * This also prevents hardlinks from being created by users that do not have read/write access to the source file. 
 +  * Both of these prevent many common [[https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use|TOCTOU races]]. 
 + 
 +---- 
 + 
 +<code bash> 
 +fs.protected_fifos=2 
 +fs.protected_regular=2 
 +</code> 
 + 
 +[[https://github.com/torvalds/linux/commit/30aba6656f61ed44cba445a3c0d38b296fa9e8f5|These prevent creating files in potentially attacker-controlled environments]], such as world-writable directories, to make data spoofing attacks more difficult. 
 + 
 +---- 
 + 
 + 
  
 ---- ----
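Review bot: three of the newly added explanations in this hunk overstate or under-specify what the setting does. (1) `net.ipv4.icmp_echo_ignore_all=1` governs ICMP echo requests, as its name says, so the clause "prevent clock fingerprinting through ICMP timestamps" does not follow from the setting shown; either drop that clause or cite the kernel sysctl documentation for it, and add that ignoring all echo requests also silences ping-based reachability monitoring, which readers should weigh before applying it. (2) For `vm.mmap_rnd_bits=32` / `vm.mmap_rnd_compat_bits=16`, write "x86_64" rather than "x86": 32 is the 64-bit maximum, and the `compat_bits` value is the one that applies to 32-bit processes, so a 32-bit x86 kernel cannot take the first value. (3) The TCP SACK paragraph is the only entry without a supporting link; "commonly exploited" should cite the issues meant, and since the text says to disable it "if it is not required", say what requires it (SACK is a loss-recovery optimisation, so its absence costs throughput on lossy paths). Also, under `kernel.yama.ptrace_scope`, the "set the sysctl to 3" bullet should note, per the linked Yama documentation, that mode 3 cannot be lowered again without a reboot. Minor: the added section ends with two blank lines before the existing separator.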
linux_hardening_guide/sysctl.1748704068.txt.gz · Last modified: 2025/05/31 15:07 by peter