Changing certain network parameters will help us secure our networks and hosts. These parameters live in the "/etc/sysctl.conf" configuration file.
If our Linux machine is not a router, we could disable the forwarding of the packets as follows:
We could disable the ICMP redirects. An ICMP redirect message is an "unsolicited" message that lets a host know about alternative routes on the network:
We also disable the "secure" ICMP redirect messages coming from routers that are on an interface's "trusted list" of gateways using the below parameters:
We could also disable the replies to broadcastICMP ECHO requests using the below parameter:
To prevent syncookies SYN flood attack, which consists of opening multiple connections on a host to drain its resources, we use the below parameter:
To ignore SRR - source routed - requests in which the sender decides the route that a packet is going to take, we use the below options:
Incoming packets with a source IP address that an interface has no clue about routing are dropped when we use the below parameter:
The below settings rejects ICMP redirect messages so that the routing tables could no be altered by redirect packets coming from outside:
To be able to log spoofed, SRR - source routed -, and ICMP redirects packets, we use the below parameters:
After changing the above values, we will see them reflected in the virtual "/proc" filesystem, which will contain the same values as the "sysctl.conf" file.
For these changes to survive a reboot, we create a new file - with the above options - in the "/etc/sysctl.d" directory.
The name of our file needs to start with two digits that will define its "priority".
For example, we could create a file named "77-network_secure.conf"
in the "/etc/sysctl.d" directory and put the above parameters in it:
Below is an example of the contents of the "/etc/sysctl.d" directory:
The numbers appended at the beginning of each file are meant to make the sorting of the files easier, so if a parameter is defined in two different files, the parameter in the "latest" file will be taken into account - it will override the same parameter in the previous file-.