Securing Ubuntu Linux with Sysctl

Sysctl is a tool to read and modify kernel parameters at runtime. It is a way to fine-tune the kernel without rebuilding it; a value written with sysctl takes effect immediately but is lost at reboot unless the same setting is also placed in a configuration file.

Sample Options:

Write a variable from the command line (instead of editing the /etc/sysctl.conf file). This changes the running kernel only:

sysctl -w variable=value

Reload the configuration in /etc/sysctl.conf without a reboot. This is how persistent settings are applied:

sysctl -p

Load settings from all of the system configuration locations below. Files are processed in lexical order of their file name, and /etc/sysctl.conf is read last, so a value there wins over any drop-in file with the same key:
/run/sysctl.d/*.conf
/etc/sysctl.d/*.conf
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
/etc/sysctl.conf

sysctl --system


The following network parameters are the recommended sysctl hardening settings. Their persistent values live in /etc/sysctl.conf or in a drop-in file under /etc/sysctl.d/.

1. ICMP Send Redirects should be disabled
- A host sends ICMP redirects to tell other hosts about a better route. Only a router has a reason to do this; if the server does not act as a router, send_redirects should be disabled.

Execute these following commands to verify:

sysctl net.ipv4.conf.all.send_redirects
sysctl net.ipv4.conf.default.send_redirects
grep "net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/*
grep "net\.ipv4\.conf\.default\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/*

Recommendation: set both keys to 0 in /etc/sysctl.conf or a file under /etc/sysctl.d/, then apply the same values to the running kernel and flush the route cache:

sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.route.flush=1

2. ICMP Redirects should not be accepted
- An ICMP redirect tells a host that a more optimal route or alternate path exists. Accepting redirects lets any host on the local segment change this server's routing decisions.

Execute these following commands to verify:

sysctl net.ipv4.conf.all.accept_redirects
sysctl net.ipv4.conf.default.accept_redirects
grep "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/*
grep "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/*

Recommendation: set both keys to 0 in /etc/sysctl.conf or /etc/sysctl.d/*, because a forged redirect can alter the routing table and steer traffic to an attacker-controlled host or to the wrong network:

sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.route.flush=1

3. ICMP Secure Redirects should be disabled
- Same as ICMP redirects, but only redirects from gateways listed in the default gateway list are accepted. That list is not a security boundary: a compromised or spoofed known gateway can still rewrite the routing table.

Execute these following commands to verify:

sysctl net.ipv4.conf.all.secure_redirects
sysctl net.ipv4.conf.default.secure_redirects
grep "net\.ipv4\.conf\.all\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/*
grep "net\.ipv4\.conf\.default\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/*

Recommendation: set both keys to 0 in /etc/sysctl.conf or /etc/sysctl.d/* so that redirects cannot update the routing table even when they come from a known gateway:

sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
sysctl -w net.ipv4.route.flush=1

4. IP Forwarding should be disabled
- This controls whether the kernel forwards packets that are not addressed to it, i.e. whether it acts as a router. A server that is not a router, VPN endpoint or container host should not forward packets. Note that Docker and Kubernetes nodes require ip_forward=1, so do not apply this item there.

Execute these following commands to verify:

sysctl net.ipv4.ip_forward
grep -E -s "^\s*net\.ipv4\.ip_forward\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf

Recommendation: set it to 0 in /etc/sysctl.conf or /etc/sysctl.d/*. The grep above only matches a file that explicitly enables forwarding, so no output means no configuration file turns it on:

sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv4.route.flush=1

5. Source-routed packets should not be accepted
- Source routing lets the sender specify the path a packet takes through the network, which can be abused to bypass routing policy and firewall rules.

Execute these following commands to verify:

sysctl net.ipv4.conf.all.accept_source_route
sysctl net.ipv4.conf.default.accept_source_route
grep "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
grep "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*

Recommendation: set both keys to 0 so the system drops source-routed packets. The same keys exist for IPv6 (net.ipv6.conf.all.accept_source_route and net.ipv6.conf.default.accept_source_route) and should be set to 0 as well:

sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0 
sysctl -w net.ipv4.route.flush=1

6. Broadcast ICMP requests should be ignored
- Pinging a broadcast address with ICMP echo requests makes every host on the segment reply. This is used for host discovery and, with a spoofed source address, for traffic amplification.

Execute these following commands to verify:

sysctl net.ipv4.icmp_echo_ignore_broadcasts
grep "net\.ipv4\.icmp_echo_ignore_broadcasts" /etc/sysctl.conf /etc/sysctl.d/*

Recommendation: set it to 1 so the kernel ignores ICMP echo requests sent to broadcast or multicast addresses. This stops the host from acting as an amplifier in Smurf attacks:

sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.route.flush=1

7. Reverse Path Filtering should be enabled
- The kernel checks that the source address of an incoming packet is reachable through the interface it arrived on and drops the packet otherwise. This is the equivalent of uRPF (Unicast Reverse Path Filtering) in the networking world.

Execute these following commands to verify:

sysctl net.ipv4.conf.all.rp_filter
sysctl net.ipv4.conf.default.rp_filter
grep "net\.ipv4\.conf\.all\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/*
grep "net\.ipv4\.conf\.default\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/*

Recommendation: set both keys to 1 (strict mode). Strict mode drops legitimate traffic on hosts with asymmetric routing, for example multi-homed servers whose replies leave by a different interface; if that applies, use 2 (loose mode), which only requires the source to be reachable via some interface. Ubuntu's own default configuration may already set 2, so check with the grep above. The kernel applies the higher of the all and per-interface values, so both must be set:

sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.route.flush=1

8. Bogus ICMP Error Responses should be ignored
- Some routers violate RFC 1122 by sending bogus ICMP error responses to broadcast frames; by default the kernel logs each one as a warning.

Execute these following commands to verify:

sysctl net.ipv4.icmp_ignore_bogus_error_responses
grep "net\.ipv4\.icmp_ignore_bogus_error_responses" /etc/sysctl.conf /etc/sysctl.d/*

Recommendation: set it to 1 so the kernel does not log these bogus responses, which otherwise fill the logs and can be used to drown out real events:

sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
sysctl -w net.ipv4.route.flush=1

9. IPv6 Router Advertisements (RAs) should not be accepted
- Router Advertisements drive IPv6 address autoconfiguration (SLAAC) and default-route selection. A rogue RA on the local link can therefore hand the host an attacker's machine as its default gateway.

Execute these following commands to verify:

sysctl net.ipv6.conf.all.accept_ra
sysctl net.ipv6.conf.default.accept_ra
grep "net\.ipv6\.conf\.all\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/*
grep "net\.ipv6\.conf\.default\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/*

Recommendation: set both keys to 0 so RAs are ignored. Do this only on hosts with static IPv6 addressing or no IPv6 at all; a host that relies on SLAAC loses its address and default route when RAs are dropped:

sysctl -w net.ipv6.conf.all.accept_ra=0
sysctl -w net.ipv6.conf.default.accept_ra=0
sysctl -w net.ipv6.route.flush=1

10. TCP SYN Cookies should be enabled
- SYN cookies let the kernel keep accepting connections when the SYN backlog is full by encoding the half-open connection state in the SYN-ACK sequence number instead of storing it, which defends against SYN flood denial-of-service attacks.

Execute these following commands to verify:

sysctl net.ipv4.tcp_syncookies
grep "net\.ipv4\.tcp_syncookies" /etc/sysctl.conf /etc/sysctl.d/*

Recommendation: set it to 1. Current kernels already default to 1; setting it explicitly keeps another drop-in file from turning it off:

sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.route.flush=1
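Running the ten sets of commands above by hand works once, but on a fleet you want the same values audited and persisted repeatably. The script below is an added example, not code from the original post: it holds the sixteen key=value pairs from the recommendations in one place, audits the running kernel against them by reading /proc/sys directly (the same values `sysctl` prints), writes them to a drop-in that `sysctl --system` reads, and applies them live with the route-cache flushes from the post. The script name, the drop-in file name 99-hardening.conf and the `audit`/`apply` subcommands are assumptions of this example; the /etc/sysctl.d/ path is the standard location from the list near the top of the page.

```shell
#!/bin/sh
# sysctl-harden.sh: audit and persist the network sysctl values recommended above.
# Added example; the file name 99-hardening.conf is an assumption, not from the post.

# One key=value per line: the sixteen values from recommendations 1 to 10.
EXPECTED='net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.tcp_syncookies=1'

# live_value KEY: read the running value from /proc/sys (dots become slashes),
# which is exactly what `sysctl -n KEY` reports. Missing keys (e.g. IPv6 disabled)
# are reported as <unset> so they show up as a mismatch instead of being skipped.
live_value() {
  path="/proc/sys/$(printf '%s' "$1" | tr . /)"
  if [ -r "$path" ]; then cat "$path"; else echo "<unset>"; fi
}

# audit_sysctl READER: compare every expected key with the value READER returns.
# Mismatch details go to stderr; the mismatch count is printed to stdout so a
# caller can capture it with $(...) without the function's exit status mattering.
audit_sysctl() {
  reader="$1"; fails=0
  while IFS='=' read -r key want; do
    [ -n "$key" ] || continue
    have="$("$reader" "$key")"
    if [ "$have" != "$want" ]; then
      printf 'FAIL %-45s live=%s expected=%s\n' "$key" "$have" "$want" >&2
      fails=$((fails + 1))
    fi
  done <<EOF
$EXPECTED
EOF
  echo "$fails"
}

# write_dropin FILE: persist the values. Anything under /etc/sysctl.d/*.conf is
# in the search list of `sysctl --system`, so the settings survive a reboot.
write_dropin() {
  {
    echo "# Network hardening: ICMP redirects, forwarding, source routing, rp_filter, RAs, SYN cookies"
    echo "$EXPECTED"
  } > "$1"
}

# apply_live: push the values into the running kernel, then flush both route
# caches so decisions cached under the old settings are discarded.
apply_live() {
  while IFS='=' read -r key want; do
    [ -n "$key" ] || continue
    sysctl -w "$key=$want"
  done <<EOF
$EXPECTED
EOF
  sysctl -w net.ipv4.route.flush=1
  sysctl -w net.ipv6.route.flush=1
}

# Usage (as root):  ./sysctl-harden.sh audit     # exit 0 only if nothing differs
#                   ./sysctl-harden.sh apply     # write drop-in and apply live
case "${1:-}" in
  audit) n=$(audit_sysctl live_value); echo "$n setting(s) differ from the recommendation"; [ "$n" -eq 0 ] ;;
  apply) write_dropin /etc/sysctl.d/99-hardening.conf && apply_live ;;
esac
```

Run `audit` before and after `apply`: the first run lists every key that still differs (on a stock Ubuntu install expect at least rp_filter and ip_forward to show up if the host runs containers), the second should report zero. Because the audit reads /proc/sys rather than the configuration files, it also catches a drop-in that was written but never loaded, and a later file that silently overrides yours.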

Note: the -w option means write (--write is equivalent) and is used when you want to change a sysctl setting. Such writes only affect the running kernel; add the same key=value line to /etc/sysctl.conf or a file under /etc/sysctl.d/ to make the change survive a reboot.

About the author

Free Linux
