Systems - Media Server - Secure the Server - Harden Linux kernel configuration parameters
The Linux kernel is flexible, and the way it works can be modified on the fly by dynamically changing some of its parameters using the sysctl command.
- sysctl allows the viewing and changing of kernel settings on a running system.
- The parameters available are those listed under /proc/sys/.
- Changes take effect immediately.
- The related /etc/sysctl.conf file is used to ensure that the settings persist after a reboot.
IMPORTANT NOTE: Editing the sysctl.conf file might break the system - this is for advanced users only.
Make a backup of the existing /etc/sysctl.conf file
sudo cp /etc/sysctl.conf /etc/sysctl.conf.orig
Modify the sysctl file
Add the following entries to the bottom of the /etc/sysctl.conf file to stop some spoofing attacks and enhance other security measures:
- /etc/sysctl.conf
...
# Network Security
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# IPv6 Security (if enabled)
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Process Security
kernel.randomize_va_space = 2
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.perf_event_paranoid = 3
kernel.yama.ptrace_scope = 2
kernel.panic_on_oops = 1
kernel.panic = 60
kernel.sysrq = 0
# File System Security
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
fs.suid_dumpable = 0
fs.protected_fifos = 2
fs.protected_regular = 2
# Additional Security Measures
#dev.tty.ldisc_autoload = 0
#kernel.modules_disabled = 1
kernel.core_uses_pid = 1
kernel.panic_on_unrecovered_nmi = 1
kernel.panic_on_io_nmi = 1
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
Save the /etc/sysctl.conf file.
Activate the kernel settings that have been modified
This reloads the sysctl parameters from /etc/sysctl.conf. Any key the running kernel does not provide (for example the net.ipv6 entries when IPv6 is disabled, or kernel.yama.ptrace_scope on a kernel built without Yama) is reported as an error and skipped; the remaining settings are still applied.
sudo sysctl -p
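After reloading, it is worth confirming that the running kernel actually reflects the hardened values rather than trusting that `sysctl -p` applied every line. The script below is an added example, not part of the original wiki page: it reads settings in sysctl.conf syntax, looks each key up under /proc/sys (dots become path separators), and reports OK, DRIFT or MISSING per key. The `SYSCTL_ROOT` variable is an assumed override so the same check can be pointed at a test directory instead of the live kernel; the embedded settings list is a constructed subset of the page's entries.

```shell
#!/bin/sh
# Compare desired sysctl settings against the values the running kernel
# exposes under /proc/sys and report drift. Added example, not from the page.
# SYSCTL_ROOT (assumed name) defaults to /proc/sys; point it at a test tree
# to exercise the check without root or a real kernel.

# Constructed subset of the page's hardening list, in sysctl.conf syntax.
# Note the trailing newline: the read loop needs every line terminated.
DESIRED_SETTINGS='# Network Security
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
# Process Security
kernel.randomize_va_space = 2
kernel.kptr_restrict = 2
kernel.sysrq = 0
# Commented-out entries are skipped, just as sysctl -p skips them
#kernel.modules_disabled = 1
'

# key_to_path KEY: map a dotted sysctl key to its file under SYSCTL_ROOT
key_to_path() {
    printf '%s/%s\n' "${SYSCTL_ROOT:-/proc/sys}" "$(printf '%s' "$1" | tr '.' '/')"
}

# current_value KEY: print the kernel's current value with whitespace
# normalised, or "<missing>" when the key is absent on this kernel
# (e.g. IPv6 disabled, Yama not built in).
current_value() {
    path=$(key_to_path "$1")
    if [ -r "$path" ]; then
        tr -s '[:space:]' ' ' < "$path" | sed 's/ $//'
    else
        printf '<missing>\n'
    fi
}

# check_settings: read "key = value" lines from stdin, print one status line
# per key, and return non-zero if any key drifted or is missing.
check_settings() {
    rc=0
    while IFS= read -r line; do
        # drop comments and surrounding whitespace; skip blank lines
        line=${line%%#*}
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        if [ -z "$line" ]; then continue; fi
        key=${line%%=*};  key=$(printf '%s' "$key" | sed 's/[[:space:]]*$//')
        want=${line#*=};  want=$(printf '%s' "$want" | sed 's/^[[:space:]]*//')
        have=$(current_value "$key")
        if [ "$have" = '<missing>' ]; then
            printf 'MISSING %s (wanted %s)\n' "$key" "$want"; rc=1
        elif [ "$have" = "$want" ]; then
            printf 'OK      %s = %s\n' "$key" "$have"
        else
            printf 'DRIFT   %s = %s (wanted %s)\n' "$key" "$have" "$want"; rc=1
        fi
    done
    return "$rc"
}

# count_drift SETTINGS: number of DRIFT/MISSING keys, for use in scripts
# (zero means the running kernel matches the desired list).
count_drift() {
    printf '%s' "$1" | check_settings | grep -c -E '^(DRIFT|MISSING)' || true
}

# Usage against the live kernel (uncomment to run):
# printf '%s' "$DESIRED_SETTINGS" | check_settings
# To check the real file instead: check_settings < /etc/sysctl.conf
```

Running `check_settings < /etc/sysctl.conf` after `sudo sysctl -p` gives a quick before/after comparison; a MISSING line points at an entry the kernel cannot honour, and a DRIFT line means something else (another file under /etc/sysctl.d/, a service, or a later manual `sysctl -w`) has overridden the value.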
systems/media_server/secure_the_server/harden_linux_kernel_configuration_parameters.txt · Last modified: 2025/05/31 16:07 by peter