Hardening the Linux kernel

This may be one of the easiest steps in this guide, and one with some of the biggest security impact.

I say “easy” because unless you want to understand every line of the following config, you are more or less dumping the contents into a file, saving it and reloading the kernel settings (no reboot required).

The reference for this config file is a combination of the default sysctl.conf, this hardening guide and this one.

It’s just generally a config file full of good ideas for a server sitting out on the open internet.

I strongly recommend you do not make these edits to /etc/sysctl.conf directly. Save them instead to a new file under /etc/sysctl.d/, which is applied at boot (by systemd-sysctl, or by the procps init script on older systems) and which package upgrades will not overwrite. Files in that directory are applied in lexical order and a later file overrides an earlier one; on Debian and Ubuntu, /etc/sysctl.conf is pulled in as /etc/sysctl.d/99-sysctl.conf, so anything still set there overrides the file below.

To create the new file, type the following:

sudo nano /etc/sysctl.d/local.conf

Note: Per our guide’s recommendation so far, the file below disables IPv6 and leaves out the IPv6-specific hardening sections of the guides linked above. The few net.ipv6 lines that remain (accept_redirects and accept_source_route) are harmless with IPv6 off and cost nothing to keep.

If your network does need IPv6 enabled, remove the first three directives (the ones that disable it) and read through the associated guides to add back the IPv6 hardening rules.

Once you have the editor open, copy and paste everything below into it:

# Disable IPv6 (may not be needed with our GRUB change)
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
# Enable spoof protection (reverse-path filter). 1 is strict mode; use 2
# (loose) on a multi-homed host with asymmetric routes, or replies get dropped
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
# Mitigate SYN floods: SYN cookies kick in once the SYN backlog is full
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
# Give up on half-open inbound connections sooner (kernel default is 5)
net.ipv4.tcp_synack_retries = 2
# Retries for our own outgoing connections (kernel default is 6); this is
# a resource-usage tweak, not a flood defence
net.ipv4.tcp_syn_retries = 5
# Disable packet forwarding for IPv4 (Docker, VPN gateways and similar need 1)
net.ipv4.ip_forward = 0
# Ignore directed pings. This hides the host from a plain ping sweep but also
# breaks uptime monitors and ICMP reachability checks; drop it if you rely on them
net.ipv4.icmp_echo_ignore_all = 1
# Log packets with impossible source addresses ("martians") to the kernel log
net.ipv4.conf.all.log_martians = 1
# Do not log bogus ICMP error responses from misbehaving routers (avoids log clutter)
net.ipv4.icmp_ignore_bogus_error_responses = 1
# secure_redirects is only consulted when accept_redirects is on; with redirects
# rejected outright below it has no effect, and is kept to match the source guides
net.ipv4.conf.default.secure_redirects = 0
# kernel.exec-shield existed only in old Red Hat kernels. On current kernels the
# key is absent and setting it just produces an error when the file is loaded,
# so it is left out here.
# Full address-space layout randomization (stack, mmap, VDSO and brk). 2 is the
# kernel default; setting 1 would weaken it by leaving the brk area unrandomized
kernel.randomize_va_space = 2
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
###################################################################
# Ignore ICMP broadcast requests (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Do not accept ICMP redirects (prevents an on-link attacker from rerouting our traffic)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Do not accept IP source routed packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Reboot instead of hanging when the host runs out of memory.
# vm.panic_on_oom = 1 makes the kernel panic instead of invoking the
# OOM killer, and kernel.panic = 10 reboots it ten seconds after any
# panic. On a single-purpose server this turns a wedged box into a
# short outage; on a host running many services it means one runaway
# process reboots all of them, so weigh that before keeping these two lines.
vm.panic_on_oom = 1
kernel.panic = 10

After you have made the changes and saved the file, apply them and watch the output for errors:

sudo service procps restart

On Debian and Ubuntu this re-runs sysctl over every file in /etc/sysctl.d/ (the new settings take effect immediately; they persist across reboots because the file lives in that directory). Any key the running kernel does not have is reported as an error and skipped, while the remaining settings still apply, so an error for one line does not mean the rest failed.
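Restarting the service tells you only what sysctl could not write, not whether something else (a later file in /etc/sysctl.d/, /etc/sysctl.conf, a container runtime) has since overridden a value. The checker below is an added example, not part of the original guide or of any distribution: it parses a sysctl.d-style file and compares every key against what `sysctl -n` reports, flagging keys the kernel does not know (such as the old ExecShield knob) and keys whose effective value differs from the file. The path /etc/sysctl.d/local.conf is the file created above; the sample lines mentioned in the comments are constructed for illustration.

```sh
#!/bin/sh
# check-sysctl.sh: compare the values in a sysctl.d file against the
# values the running kernel actually reports.
# Usage: sudo sh check-sysctl.sh /etc/sysctl.d/local.conf
# (sudo is only needed where /proc/sys entries are not world-readable.)

# Turn a sysctl.d-style file into "key value" lines: drop '#' and ';'
# comments, blank lines and surrounding whitespace, and normalise both
# "key = value" and "key=value" to "key value". Keys are passed to
# sysctl unchanged, so dotted and slashed forms both work.
parse_sysctl_file() {
    sed -e 's/[#;].*$//' \
        -e 's/[[:space:]]*$//' \
        -e '/^$/d' \
        -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*=[[:space:]]*/ /' "$1"
}

# Collapse runs of blanks so multi-value keys (which sysctl -n prints
# tab-separated, e.g. net.ipv4.ip_local_port_range) compare cleanly
# against the space-separated form used in the file.
squeeze() {
    printf '%s' "$1" | tr -s '[:blank:]' ' '
}

# Print one line per problem and return non-zero if any were found.
#   MISSING  <key>   the kernel has no such key; sysctl would have printed
#                    an error for it when the file was loaded
#   MISMATCH <key>   the file says one thing, the kernel another, so some
#                    later file or process is overriding this setting
check_sysctl_file() {
    file=$1
    problems=0
    # Feed the loop from a here-document rather than a pipe so that it runs
    # in the current shell and can update $problems.
    while read -r key expected; do
        [ -n "$key" ] || continue
        actual=$(sysctl -n "$key" 2>/dev/null) || actual=
        if [ -z "$actual" ]; then
            echo "MISSING  $key"
            problems=$((problems + 1))
            continue
        fi
        if [ "$(squeeze "$actual")" != "$(squeeze "$expected")" ]; then
            echo "MISMATCH $key: file says '$expected', kernel reports '$actual'"
            problems=$((problems + 1))
        fi
    done <<EOF
$(parse_sysctl_file "$file")
EOF
    [ "$problems" -eq 0 ]
}

# When run as a script, check the file named on the command line; when
# sourced with no arguments, only define the functions above.
if [ $# -gt 0 ]; then
    if check_sysctl_file "$1"; then
        echo "OK: every setting in $1 is in effect"
    fi
fi
```

Run it right after `sudo service procps restart` (or after `sudo sysctl --system` on distributions without that service, which applies the same set of files). A MISSING line for a key you copied from an older guide means the kernel simply does not have that knob and the line can be deleted; a MISMATCH on something like net.ipv4.ip_forward on a Docker host is the runtime re-enabling forwarding, which is expected and worth knowing about rather than silently losing the setting.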