Sysctl is a tool to view, configure or modify kernel parameters at runtime. It is a way to fine-tune the kernel without rebuilding it.
Sample Options:
Write a variable from the command line (instead of editing the /etc/sysctl.conf file):
sysctl -w variable=value
Reload the configuration in /etc/sysctl.conf without a reboot (this file holds the persistent configuration):
sysctl -p
Load settings from all of the system configuration files below:
/run/sysctl.d/*.conf
/etc/sysctl.d/*.conf
/usr/local/lib/sysctl.d/*.conf
/usr/lib/sysctl.d/*.conf
/lib/sysctl.d/*.conf
/etc/sysctl.conf
sysctl --system
The following are the recommended network parameters for sysctl. They are set in the /etc/sysctl.conf file (or in /etc/sysctl.d/*.conf). Each recommendation below is applied at runtime with sysctl -w; to make it persistent, add the same key=value line to /etc/sysctl.conf or a file under /etc/sysctl.d/ and reload it with sysctl -p or sysctl --system.
1. ICMP Send Redirects should be disabled
- send redirects are used to send routing information to other systems or hosts. If your server does not act as a router, send redirects should be disabled.
Execute the following commands to verify:
sysctl net.ipv4.conf.all.send_redirects
sysctl net.ipv4.conf.default.send_redirects
grep "net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/*
grep "net\.ipv4\.conf\.default\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/*
Recommendation: set it to 0 (disabled) in /etc/sysctl.conf or the /etc/sysctl.d/* files:
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
sysctl -w net.ipv4.route.flush=1
2. ICMP Redirects should not be accepted
- ICMP redirects are used to inform hosts of a more optimal route or alternate path through a network.
Execute the following commands to verify:
sysctl net.ipv4.conf.all.accept_redirects
sysctl net.ipv4.conf.default.accept_redirects
grep "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/*
grep "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/*
Recommendation: set it to 0 (disabled) in /etc/sysctl.conf or the /etc/sysctl.d/* files, because accepted redirects can be used maliciously to alter the routing table and send packets to the wrong network:
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.default.accept_redirects=0
sysctl -w net.ipv4.route.flush=1
3. ICMP Secure Redirects should not be accepted
- the same as ICMP redirects, but these come from gateways listed in the default gateway list.
Execute the following commands to verify:
sysctl net.ipv4.conf.all.secure_redirects
sysctl net.ipv4.conf.default.secure_redirects
grep "net\.ipv4\.conf\.all\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/*
grep "net\.ipv4\.conf\.default\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/*
Recommendation: set it to 0 (disabled) in /etc/sysctl.conf or the /etc/sysctl.d/* files to protect the system from routing table updates sent by compromised known gateways:
sysctl -w net.ipv4.conf.all.secure_redirects=0
sysctl -w net.ipv4.conf.default.secure_redirects=0
sysctl -w net.ipv4.route.flush=1
4. IP Forwarding should be disabled
- this controls whether the system forwards packets or not.
Execute the following commands to verify:
sysctl net.ipv4.ip_forward
grep -E -s "^\s*net\.ipv4\.ip_forward\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf
Recommendation: set it to 0 (disabled) in /etc/sysctl.conf or the /etc/sysctl.d/* files:
sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv4.route.flush=1
5. Source Routed packets should not be accepted
- source routing permits the sender to specify the route packets take through the network.
Execute the following commands to verify:
sysctl net.ipv4.conf.all.accept_source_route
sysctl net.ipv4.conf.default.accept_source_route
grep "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
grep "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
Recommendation: set it to 0 (disabled) so that the system does not accept source routed packets:
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.default.accept_source_route=0
sysctl -w net.ipv4.route.flush=1
6. Broadcast ICMP requests should be ignored
- pinging the broadcast address with ICMP echo messages is a way to find hosts on the network.
Execute the following commands to verify:
sysctl net.ipv4.icmp_echo_ignore_broadcasts
grep "net\.ipv4\.icmp_echo_ignore_broadcasts" /etc/sysctl.conf /etc/sysctl.d/*
Recommendation: set it to 1 (enabled) to ignore ICMP echo requests sent to broadcast addresses. This helps prevent attacks such as Smurf:
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.route.flush=1
7. Reverse Path Filtering should be enabled
- this checks whether a received packet's source is valid or not. It is the equivalent of uRPF, or Unicast Reverse Path Filtering, in the networking world.
Execute the following commands to verify:
sysctl net.ipv4.conf.all.rp_filter
sysctl net.ipv4.conf.default.rp_filter
grep "net\.ipv4\.conf\.all\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/*
grep "net\.ipv4\.conf\.default\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/*
Recommendation: set it to 1 (enabled) to turn on reverse path filtering:
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.default.rp_filter=1
sysctl -w net.ipv4.route.flush=1
8. Bogus ICMP Error Responses should be ignored
Execute the following commands to verify:
sysctl net.ipv4.icmp_ignore_bogus_error_responses
grep "net\.ipv4\.icmp_ignore_bogus_error_responses" /etc/sysctl.conf /etc/sysctl.d/*
Recommendation: set it to 1 (enabled) so that bogus ICMP error responses are not logged, as they would fill up your logs:
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
sysctl -w net.ipv4.route.flush=1
9. IPv6 Router Advertisements (RAs) should not be accepted
- IPv6 RAs are used for IPv6 autoconfiguration and routing.
Execute the following commands to verify:
sysctl net.ipv6.conf.all.accept_ra
sysctl net.ipv6.conf.default.accept_ra
grep "net\.ipv6\.conf\.all\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/*
grep "net\.ipv6\.conf\.default\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/*
Recommendation: set it to 0 (disabled) so that RAs are not accepted:
sysctl -w net.ipv6.conf.all.accept_ra=0
sysctl -w net.ipv6.conf.default.accept_ra=0
sysctl -w net.ipv6.route.flush=1
10. TCP SYN Cookies should be enabled
- SYN cookies defend against SYN flood attacks, a form of denial of service.
Execute the following commands to verify:
sysctl net.ipv4.tcp_syncookies
grep "net\.ipv4\.tcp_syncookies" /etc/sysctl.conf /etc/sysctl.d/*
Recommendation: set it to 1 (enabled):
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.route.flush=1
Note: the -w option means write (--write also works) and is used when you want to change a sysctl setting.
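As an added example (not part of the original page), the following POSIX shell function audits a sysctl configuration fragment read from stdin against the ten recommendations above and reports every key that is missing or not set to the recommended value; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: audit a sysctl configuration
# fragment (stdin, in the "key = value" format of /etc/sysctl.conf and
# /etc/sysctl.d/*.conf) against the ten recommendations above and report
# every key that is missing or set to a value other than the recommended one.
# Usage: cat /etc/sysctl.conf /etc/sysctl.d/*.conf | audit_sysctl_conf

# key=recommended-value pairs taken from recommendations 1 to 10
EXPECTED="net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
net.ipv4.tcp_syncookies=1"

# Prints one line per finding (MISSING or WRONG); returns 0 only when every
# recommended key is present with the recommended value.
audit_sysctl_conf() {
    # drop comment lines, strip blanks, keep only assignment lines
    conf=$(grep -v '^[[:space:]]*[#;]' | tr -d '[:blank:]' | grep '=' || true)
    rc=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        # escape dots so the key is matched literally; the last assignment
        # wins, as it does when sysctl --system loads the files in order
        pat=$(printf '%s' "$key" | sed 's/\./\\./g')
        have=$(printf '%s\n' "$conf" | grep "^$pat=" | tail -n 1 | cut -d= -f2)
        if [ -z "$have" ]; then
            echo "MISSING $key (recommended $want)"
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "WRONG   $key=$have (recommended $want)"
            rc=1
        fi
    done
    return $rc
}
```

The function only inspects the persistent configuration; compare its output with `sysctl <key>` to confirm the running kernel matches.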