Linux 101: Hardening the network - the kernel sysctl parameters



Changing certain kernel network parameters helps secure our hosts and networks.
These parameters are exposed by the kernel under the virtual "/proc/sys" filesystem and can be set at runtime with "sysctl -w"; to make them persistent they are written to the "/etc/sysctl.conf" configuration file or to a file in the "/etc/sysctl.d" directory.

If our Linux machine is not a router, we disable the forwarding of packets (net.ipv4.ip_forward, plus net.ipv6.conf.all.forwarding for IPv6) as follows:


We could stop the host from sending ICMP redirects (the send_redirects parameters). An ICMP redirect is an "unsolicited" message that tells a host about an alternative route on the network; only a router has a legitimate reason to send one:


We also disable the acceptance of "secure" ICMP redirects, i.e. redirects coming from routers that are on an interface's "trusted list" of default gateways, using the secure_redirects parameters below (a compromised or spoofed gateway address is still a gateway address):


We could also stop replying to broadcast ICMP ECHO requests using the below parameter (net.ipv4.icmp_echo_ignore_broadcasts), so that the host cannot be used as an amplifier in a Smurf attack:


To mitigate SYN flood attacks, in which an attacker opens many half-finished TCP connections on a host to exhaust its connection backlog, we enable TCP SYN cookies with the below parameter (net.ipv4.tcp_syncookies); SYN cookies are the defence, not the attack:


To ignore source-routed (SRR) packets, in which the sender decides the route a packet is going to take, we set the accept_source_route options below to 0:


Incoming packets whose source address is not reachable through the interface they arrived on are dropped when we enable reverse path filtering with the below parameter (rp_filter). Strict mode (1) drops such packets outright; loose mode (2) only requires the source to be reachable through some interface, which is what a multi-homed host with asymmetric routing needs, so check the routing setup before choosing strict mode:


The below settings reject incoming ICMP redirect messages (accept_redirects = 0) so that the routing table cannot be altered by redirect packets coming from outside:


To log spoofed, source-routed (SRR) and ICMP-redirect packets, the so-called "martians", we use the below log_martians parameters; the entries show up in the kernel log (dmesg or journalctl -k), which is where a detection rule for them belongs:


After loading the new values (sysctl -p for "/etc/sysctl.conf", or sysctl --system for every configuration file), we see them reflected in the virtual "/proc/sys" filesystem, for example in "/proc/sys/net/ipv4/ip_forward". A value written there directly, or with sysctl -w, takes effect immediately but is lost at reboot.

For these changes to survive a reboot, we create a new file - with the above options - in the "/etc/sysctl.d" directory; it is loaded at boot and whenever sysctl --system runs.

By convention the name of our file starts with two digits that define its "priority", and it must end in ".conf" or it is ignored.
For example, we could create a file named "77-network_secure.conf"
in the "/etc/sysctl.d" directory and put the above parameters in it:


Below is an example of the contents of the "/etc/sysctl.d" directory:


The numbers at the beginning of each file name exist to make the sort order explicit: the files are processed in lexical (sorted) order, so if a parameter is defined in two different files, the value in the "latest" file is the one taken into account and overrides the same parameter in the earlier file. Note that sysctl --system reads "/etc/sysctl.conf" itself after the "/etc/sysctl.d" drop-ins, so a setting left there overrides all of them.
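As an added example that is not part of the original post: a script that writes the "77-network_secure.conf" drop-in with the parameters discussed above, adds a second drop-in that overrides one of them, and resolves the effective value of a key the way sysctl.d precedence works (files applied in sorted order, last assignment wins), then compares that with what the running kernel has under "/proc/sys". The temporary directory standing in for "/etc/sysctl.d", the override file "99-site_override.conf" and the helper function names are assumptions made for the demonstration; the parameter names are the real kernel keys.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Builds the 77-network_secure.conf
# drop-in with the hardening parameters above, adds a second drop-in that overrides
# one of them, and resolves each key the way sysctl.d precedence works: *.conf
# files are applied in sorted order and the last assignment wins.
# SYSCTL_D defaults to a temporary directory so the script runs without root;
# point it at /etc/sysctl.d (and run "sudo sysctl --system") to apply for real.
set -eu

SYSCTL_D="${SYSCTL_D:-$(mktemp -d)}"   # hypothetical stand-in for /etc/sysctl.d

write_hardening_conf() {
    cat > "$1/77-network_secure.conf" <<'EOF'
# Not a router: do not forward packets
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Neither send nor accept ICMP redirects (they rewrite the routing table)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Not even "secure" redirects from listed default gateways
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Ignore broadcast pings (Smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# SYN cookies against SYN floods
net.ipv4.tcp_syncookies = 1
# Ignore source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Strict reverse-path filtering: drop packets whose source is not
# reachable through the interface they arrived on
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log martians (spoofed, source-routed, redirect packets) to the kernel log
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
EOF
}

# Constructed second drop-in: a multi-homed host with asymmetric routing relaxes
# rp_filter to loose mode. "99-" sorts after "77-", so this value wins.
write_site_override() {
    cat > "$1/99-site_override.conf" <<'EOF'
net.ipv4.conf.all.rp_filter = 2
EOF
}

# effective_value DIR KEY: the value KEY ends up with after every *.conf in DIR
# is applied in sorted order. Blank lines and #/; comments are skipped and
# whitespace around "=" is tolerated, as sysctl itself does. Prints an empty
# line when no file sets the key.
effective_value() {
    local dir="$1" key="$2" f v result=""
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        v=$(awk -v k="$key" '
            /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }
            {
                n = index($0, "=")
                if (n == 0) next
                name = substr($0, 1, n - 1); val = substr($0, n + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                if (name == k) last = val
            }
            END { if (last != "") print last }' "$f")
        if [ -n "$v" ]; then result="$v"; fi
    done
    printf '%s\n' "$result"
}

# live_value KEY: what the running kernel has under /proc/sys, or "n/a" when the
# key does not exist on this machine (e.g. IPv6 disabled, non-Linux host).
live_value() {
    local path
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else printf 'n/a\n'; fi
}

write_hardening_conf "$SYSCTL_D"
write_site_override "$SYSCTL_D"

# Compare what the drop-ins configure with what the kernel currently runs;
# a mismatch means the files have not been loaded yet (sysctl --system).
for key in net.ipv4.ip_forward net.ipv4.tcp_syncookies \
           net.ipv4.conf.all.rp_filter net.ipv4.conf.all.log_martians; do
    printf '%-40s configured=%s live=%s\n' "$key" \
        "$(effective_value "$SYSCTL_D" "$key")" "$(live_value "$key")"
done
```

Run it as an unprivileged user to see the precedence rule at work (rp_filter resolves to 2 because the 99- file sorts after the 77- file, while the default.rp_filter entry keeps its value of 1), and with SYSCTL_D=/etc/sysctl.d as root to install the files for real; the "configured" and "live" columns only agree once sysctl --system has run.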
