Linux Kernel /etc/sysctl.conf Security Hardening

How do I set advanced security options of the TCP/IP stack and virtual memory to improve the security and performance of my Linux based system? How do I configure Linux kernel to prevent certain kinds of attacks using /etc/sysctl.conf? How do I set Linux kernel parameters?

The sysctl is an interface that allows you to make changes to a running Linux kernel. With /etc/sysctl.conf you can configure various Linux networking and system settings such as:

  1. Limit network-transmitted configuration for IPv4
  2. Limit network-transmitted configuration for IPv6
  3. Turn on ExecShield protection
  4. Protect against the common ‘SYN flood attack’
  5. Turn on source IP address verification
  6. Prevent a cracker from using a spoofing attack against the IP address of the server.
  7. Log several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects.
Let us discover how to secure the Linux Kernel, networking stack, and system components via /etc/sysctl.conf file.

The sysctl command is used to modify kernel parameters at runtime. /etc/sysctl.conf is a text file containing sysctl values to be read in and set by sysctl at boot time. To view current values, enter:
# sysctl -a
# sysctl -A
# sysctl variable_name
# sysctl net.ipv4.conf.all.rp_filter
# sysctl -a --pattern 'net.ipv4.conf.(eth|wlan)0.arp'

Here -a and -A both dump every parameter, a bare variable name such as net.ipv4.conf.all.rp_filter prints only that one, and --pattern restricts the dump to names matching a regular expression.

To load settings, enter:
# sysctl -p

Note that sysctl -p with no file name reads only /etc/sysctl.conf. To load a drop-in file such as /etc/sysctl.d/99-custom.conf, pass its path (sysctl -p /etc/sysctl.d/99-custom.conf) or run sysctl --system, which loads every configured file in the standard order.

WARNING! These settings modify important Linux kernel configurations. If you lack knowledge in Linux sysadmin topics like networking stack, TCP/IP, and command-line options, certain configurations may have undesired effects. It is crucial to carefully read all instructions and documentation. The nixCraft or author is not responsible for any misconfigurations.

Sample /etc/sysctl.conf for Linux server hardening

Edit /etc/sysctl.conf or /etc/sysctl.d/99-custom.conf and update it as follows. The file is documented with comments. However, I recommend reading the official Linux kernel sysctl tuning help file (see below for more information):

# The following is suitable for dedicated web server, mail, ftp server etc.
# ---------------------------------------
# BOOLEAN Values:
# a) 0 (zero) - disabled / no / false
# b) Non zero - enabled / yes / true
# --------------------------------------

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
# Turn on SYN-flood protections
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 5

########## IPv4 networking start ##############
# Send redirects, if router, but this is just server
# So no routing allowed
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Accept packets with SRR option? No
net.ipv4.conf.all.accept_source_route = 0

# Accept Redirects? No, this is not router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0

# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1

# Same settings for the "default" template, i.e. interfaces created later
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Protect against the common 'syn flood attack'
net.ipv4.tcp_syncookies = 1

# Enable source validation by reversed path, as specified in RFC1812
net.ipv4.conf.all.rp_filter = 1

# Reverse path filtering for interfaces created later
net.ipv4.conf.default.rp_filter = 1

########## IPv6 networking start ##############
# Number of Router Solicitations to send until assuming no routers are present.
# This is host and not router
net.ipv6.conf.default.router_solicitations = 0

# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0

# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0

# Learn the default router from Router Advertisements? No
net.ipv6.conf.default.accept_ra_defrtr = 0

# Router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0

# How many neighbor solicitations (Duplicate Address Detection probes) to send out per address?
net.ipv6.conf.default.dad_transmits = 0

# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1

########## IPv6 networking ends ##############

# Enable ExecShield protection
# Set value to 1 or 2 (recommended)
# Note: kernel.exec-shield exists only on older Red Hat/Fedora kernels; it is not
# a mainline parameter, so sysctl -p reports an error for it elsewhere
#kernel.exec-shield = 2
#kernel.randomize_va_space=2

# TCP and memory optimization
# increase TCP max buffer size settable using setsockopt()
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608

# increase Linux auto tuning TCP buffer limits
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1

# increase system file descriptor limit
fs.file-max = 65535

# Allow for more PIDs
kernel.pid_max = 65536

# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000

# RFC 1337 fix
net.ipv4.tcp_rfc1337=1

Reboot the machine soon after a kernel panic

Set the following kernel variable:

kernel.panic=10

Addresses of mmap base, heap, stack and VDSO page are randomized

kernel.randomize_va_space=2

Ignore bad ICMP errors

net.ipv4.icmp_ignore_bogus_error_responses=1

Protects against creating or following links under certain conditions

fs.protected_hardlinks=1
fs.protected_symlinks=1
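Once the file is loaded, it is worth checking that the running kernel actually carries every value in it, both right after sysctl -p and later to catch drift (a package, a reboot or another drop-in file overriding a key). The following audit script is an added example and not part of the original article: it maps each key onto its /proc/sys file, so it needs no sysctl binary, and SYSCTL_ROOT is an assumed knob for pointing it at a constructed directory tree when testing offline.

```shell
#!/bin/sh
# audit_sysctl.sh (added example): compare a sysctl.conf-style file with the
# running kernel and report every key whose live value differs.
# Output, one line per problem (nothing when all keys match):
#   DRIFT   <key> expected=<file value> actual=<live value>
#   MISSING <key> expected=<file value>    (kernel has no such parameter)
# SYSCTL_ROOT is an assumed knob (not from the article): it defaults to
# /proc/sys and can point at a constructed tree for offline testing.

# Squeeze runs of blanks to one space and trim, so "2000 65000" in the file
# compares equal to the tab-separated "2000<TAB>65000" the kernel reports.
normalize_ws() {
    printf '%s' "$1" | tr -s '[:blank:]' ' ' | sed 's/^ //; s/ $//'
}

# Print DRIFT/MISSING lines for one file.
sysctl_drift() {
    conf="$1"
    root="${SYSCTL_ROOT:-/proc/sys}"
    # Drop comment lines (leading '#' or ';', as sysctl.conf(5) defines them)
    # and blank lines, then parse the remaining "key = value" lines.
    sed -e '/^[[:space:]]*[#;]/d' -e '/^[[:space:]]*$/d' "$conf" | while IFS= read -r line; do
        case "$line" in *=*) ;; *) continue ;; esac
        key=$(normalize_ws "${line%%=*}")
        want=$(normalize_ws "${line#*=}")
        [ -n "$key" ] || continue
        # A sysctl key maps onto /proc/sys by turning each dot into a slash
        # (interface names that themselves contain dots are not handled here).
        path="$root/$(printf '%s' "$key" | tr . /)"
        if [ ! -r "$path" ]; then
            printf 'MISSING %s expected=%s\n' "$key" "$want"
            continue
        fi
        have=$(normalize_ws "$(cat "$path")")
        [ "$have" = "$want" ] || printf 'DRIFT %s expected=%s actual=%s\n' "$key" "$want" "$have"
    done
}

# Exit 0 when the running kernel matches the file, 1 (with the report) otherwise.
sysctl_audit() {
    report=$(sysctl_drift "$1")
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: sh audit_sysctl.sh /etc/sysctl.d/99-custom.conf
[ $# -eq 0 ] || sysctl_audit "$1"
```

Run it from cron or a configuration-management check so that a non-zero exit status flags a host whose live kernel no longer matches the hardening file.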

Summing up

This page explained the Linux kernel security hardening settings using the /etc/sysctl.conf file.

I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

9 comments
  • Philippe Petrinko Oct 28, 2009 @ 11:00

    Typo here ? : “execshild” => execshield ?

  • Cristiano Oct 31, 2009 @ 12:10

    kernel.panic = 10
    Use this to reboot a system 10 seconds after a kernel panic. It's really useful when it comes to servers.

    • msx Oct 28, 2013 @ 5:06

      Nice to know that, thank you!

  • Dave Mar 19, 2012 @ 16:27

    My question is: does exec-shield work under Debian, and do you need to mount some additional package? I have Debian 6 Squeeze.

  • Steven Iveson Jul 9, 2015 @ 11:32

    This is incorrect:

    #how many neighbor solicitations to send out per address?
    net.ipv6.conf.default.dad_transmits = 0

    dad_transmits relates to Duplicate Address Detection probes and I’d suggest a value of at least 1.

  • Scott Jan 29, 2016 @ 19:00

    This article was the 2nd rank on google, which is why I’m commenting on something so old.

    kernel.exec-shield = 1
    kernel.randomize_va_space = 1

    Both of these are bad values to use. Both should be 2! By default, on most distros, they are 2, so changing them to 1 will lower security!

  • Shivaranjani Feb 15, 2016 @ 9:39

    I just want to change the TCP coding in the Fedora kernel. Where is the TCP file located, and I also want the procedure to configure and install the modified Linux kernel.

  • hooman Feb 12, 2023 @ 16:43

    Bro, really nice article, thankyouuuuuu

  • Nestori Aug 19, 2023 @ 8:42

    I really enjoy reading about advanced topics like this. Thank you for sharing these Linux sysctl options.
