Ubuntu Unleashed: Howto: Harden the Ubuntu Linux Kernel with sysctl

Howto: Harden the Ubuntu Linux Kernel with sysctl

Labels: Harden Ubuntu Kernel, Howto, Privacy And Security, sysctl, Tweaks Posted by defcon on Sunday, April 20, 2008 at 8:27 AM

I ran across a nice sysctl.conf file that will help secure your computer and prevent many different attacks on your computer like Man In the Middle Attacks, Syn attacks, source routing scans/attacks, spoofing protection/logging, and many others, read below.

Lets Harden our kernel:
sudo gedit /etc/sysctl.conf
Now lets paste the following example below then ctrl-s save and exit
After you make the changes to the file lets apply the changes without a reboot:
sysctl -p sysctl -w net.ipv4.route.flush=1
Example:
# Kernel sysctl configuration file for Red Hat Linux # # For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and # sysctl.conf(5) for more details. # Controls IP packet forwarding net.ipv4.ip_forward = 0 # Controls source route verification net.ipv4.conf.default.rp_filter = 1 # Controls the System Request debugging functionality of the kernel kernel.sysrq = 0 # Controls whether core dumps will append the PID to the core filename. # Useful for debugging multi-threaded applications. kernel.core_uses_pid = 1 #Prevent SYN attack net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_max_syn_backlog = 2048 net.ipv4.tcp_synack_retries = 2 # Disables packet forwarding net.ipv4.ip_forward=0 # Disables IP source routing net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.lo.accept_source_route = 0 net.ipv4.conf.eth0.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 # Enable IP spoofing protection, turn on source route verification net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.lo.rp_filter = 1 net.ipv4.conf.eth0.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 # Disable ICMP Redirect Acceptance net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.lo.accept_redirects = 0 net.ipv4.conf.eth0.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 # Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.lo.log_martians = 1 net.ipv4.conf.eth0.log_martians = 1 # Disables IP source routing net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.lo.accept_source_route = 0 net.ipv4.conf.eth0.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 # Enable IP spoofing protection, turn on source route verification net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.lo.rp_filter = 1 net.ipv4.conf.eth0.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 # Disable ICMP Redirect Acceptance net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.lo.accept_redirects = 0 net.ipv4.conf.eth0.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 # Disables the magic-sysrq key kernel.sysrq = 0 # Modify system limits for Ensim WEBppliance fs.file-max = 65000 # Decrease the time default value for tcp_fin_timeout connection net.ipv4.tcp_fin_timeout = 15 # Decrease the time default value for tcp_keepalive_time connection net.ipv4.tcp_keepalive_time = 1800 # Turn off the tcp_window_scaling net.ipv4.tcp_window_scaling = 0 # Turn off the tcp_sack net.ipv4.tcp_sack = 0 # Turn off the tcp_timestamps net.ipv4.tcp_timestamps = 0 # Enable TCP SYN Cookie Protection net.ipv4.tcp_syncookies = 1 # Enable ignoring broadcasts request net.ipv4.icmp_echo_ignore_broadcasts = 1 # Enable bad error message Protection net.ipv4.icmp_ignore_bogus_error_responses = 1 # Log Spoofed Packets, Source Routed Packets, Redirect Packets net.ipv4.conf.all.log_martians = 1 # Set maximum amount of memory allocated to shm to 256MB kernel.shmmax = 268435456 # Improve file system performance vm.bdflush = 100 1200 128 512 15 5000 500 1884 2 # Improve virtual memory performance vm.buffermem = 90 10 60 # Increases the size of the socket queue (effectively, q0). net.ipv4.tcp_max_syn_backlog = 1024 # Increase the maximum total TCP buffer-space allocatable net.ipv4.tcp_mem = 57344 57344 65536 # Increase the maximum TCP write-buffer-space allocatable net.ipv4.tcp_wmem = 32768 65536 524288 # Increase the maximum TCP read-buffer space allocatable net.ipv4.tcp_rmem = 98304 196608 1572864 # Increase the maximum and default receive socket buffer size net.core.rmem_max = 524280 net.core.rmem_default = 524280 # Increase the maximum and default send socket buffer size net.core.wmem_max = 524280 net.core.wmem_default = 524280 # Increase the tcp-time-wait buckets pool size net.ipv4.tcp_max_tw_buckets = 1440000 # Allowed local port range net.ipv4.ip_local_port_range = 16384 65536 # Increase the maximum memory used to reassemble IP fragments net.ipv4.ipfrag_high_thresh = 512000 net.ipv4.ipfrag_low_thresh = 446464 # Increase the maximum amount of option memory buffers net.core.optmem_max = 57344 # Increase the maximum number of skb-heads to be cached net.core.hot_list_length = 1024 ## DO NOT REMOVE THE FOLLOWING LINE! ## nsobuild:20051206

The above script was found here

Is there any other sysctl settings worth mentioning for hardening?

Comments (14)

Logging you in...

Dashboard | Edit profile | Logout

Logged in as

0 Vote up Vote down

pezmanlou · 884 weeks ago

I did this but the sysctl -p command gave me some errors among the other stuff it spit out

error: "vm.bdflush" is an unknown key

error: "vm.buffermem" is an unknown key

error: "net.core.hot_list_length" is an unknown key

any ideas?

0 Vote up Vote down

Mark Presotn · 883 weeks ago

Way Cool!!! I received the same 3 errors and am ignoring them. RIP viruses, Malware, Trojans, bla bla

0 Vote up Vote down

defcon 52p · 883 weeks ago

i especially like this sysctl file because it disables man in the middle attacks and effectively disables attacks with ettercap, so I can feel safe using public wifi

0 Vote up Vote down

BilliShere · 881 weeks ago

wow not bad.. i wasnt clear on whether you erase everything and then put all this in the file or just additionally paste this is.. thank god i used some common sense and additionally pasted in the stuff above.. lol

THAnks for the tip! great to be a little safer.

0 Vote up Vote down

Rob van den Bogaard · 874 weeks ago

Note that in this file several duplicate entries occur: for instance net.ipv4.tcp_max_syn_backlog is first set to 2048 and further down the file it's set to 1024...

0 Vote up Vote down

Brian · 873 weeks ago

Great advice, thanks for sharing! =)

0 Vote up Vote down

lanthanio · 873 weeks ago

I suggest to check accurately when applying some configurations, wrong settings could mess or screw up your box, specially with these kind of sys config files. Don't just copy&paste without have an idea of what your are doing, wait few little experienced users had already applied them and see their results. and advices ;)

0 Vote up Vote down

Phil · 853 weeks ago

A few more suggestions...Not network-based but to protect the kernel stack.

## Stack protection
kernel.exec-shield=1
kernel.randomize_va_space=1

# Disable suid binaries from core dumps
fs.suid_dumpable=0

+1 Vote up Vote down

Sadicote 1p · 848 weeks ago

Hi, i pasted the example, saved and exited, the commands to apply the changes however, gave me this: sade@sade-desktop:~$ sysctl -p
error: permission denied on key 'net.core.rmem_max'
error: permission denied on key 'net.core.wmem_max'
error: permission denied on key 'net.ipv4.tcp_rmem'
error: permission denied on key 'net.ipv4.tcp_wmem'
error: permission denied on key 'net.ipv4.tcp_no_metrics_save'
error: permission denied on key 'net.ipv4.tcp_moderate_rcvbuf'
error: permission denied on key 'net.core.netdev_max_backlog'
error: permission denied on key 'net.ipv4.tcp_sack'
error: permission denied on key 'net.ipv4.tcp_window_scaling'
error: permission denied on key 'net.ipv4.ip_forward'
error: permission denied on key 'net.ipv4.conf.default.rp_filter'
error: permission denied on key 'kernel.sysrq'
error: permission denied on key 'kernel.core_uses_pid'
error: permission denied on key 'net.ipv4.tcp_syncookies'
error: permission denied on key 'net.ipv4.tcp_max_syn_backlog'
error: permission denied on key 'net.ipv4.tcp_synack_retries'
error: permission denied on key 'net.ipv4.ip_forward'
error: permission denied on key 'net.ipv4.conf.all.accept_source_route'
error: permission denied on key 'net.ipv4.conf.lo.accept_source_route'
error: permission denied on key 'net.ipv4.conf.eth0.accept_source_route'
error: permission denied on key 'net.ipv4.conf.default.accept_source_route'
error: permission denied on key 'net.ipv4.conf.all.rp_filter'
error: permission denied on key 'net.ipv4.conf.lo.rp_filter'
error: permission denied on key 'net.ipv4.conf.eth0.rp_filter'
error: permission denied on key 'net.ipv4.conf.default.rp_filter'
error: permission denied on key 'net.ipv4.conf.all.accept_redirects'
error: permission denied on key 'net.ipv4.conf.lo.accept_redirects'
error: permission denied on key 'net.ipv4.conf.eth0.accept_redirects'
error: permission denied on key 'net.ipv4.conf.default.accept_redirects'
error: permission denied on key 'net.ipv4.conf.all.log_martians'
error: permission denied on key 'net.ipv4.conf.lo.log_martians'
error: permission denied on key 'net.ipv4.conf.eth0.log_martians'
error: permission denied on key 'net.ipv4.conf.all.accept_source_route'
error: permission denied on key 'net.ipv4.conf.lo.accept_source_route'
error: permission denied on key 'net.ipv4.conf.eth0.accept_source_route'
error: permission denied on key 'net.ipv4.conf.default.accept_source_route'
error: permission denied on key 'net.ipv4.conf.all.rp_filter'
error: permission denied on key 'net.ipv4.conf.lo.rp_filter'
error: permission denied on key 'net.ipv4.conf.eth0.rp_filter'
error: permission denied on key 'net.ipv4.conf.default.rp_filter'
error: permission denied on key 'net.ipv4.conf.all.accept_redirects'
error: permission denied on key 'net.ipv4.conf.lo.accept_redirects'
error: permission denied on key 'net.ipv4.conf.eth0.accept_redirects'
error: permission denied on key 'net.ipv4.conf.default.accept_redirects'
error: permission denied on key 'kernel.sysrq'
error: permission denied on key 'fs.file-max'
error: permission denied on key 'net.ipv4.tcp_fin_timeout'
error: permission denied on key 'net.ipv4.tcp_keepalive_time'
error: permission denied on key 'net.ipv4.tcp_window_scaling'
error: permission denied on key 'net.ipv4.tcp_sack'
error: permission denied on key 'net.ipv4.tcp_timestamps'
error: permission denied on key 'net.ipv4.tcp_syncookies'
error: permission denied on key 'net.ipv4.icmp_echo_ignore_broadcasts'
error: permission denied on key 'net.ipv4.icmp_ignore_bogus_error_responses'
error: permission denied on key 'net.ipv4.conf.all.log_martians'
error: permission denied on key 'kernel.shmmax'
error: "vm.bdflush" is an unknown key
error: "vm.buffermem" is an unknown key
error: permission denied on key 'net.ipv4.tcp_max_syn_backlog'
error: permission denied on key 'net.ipv4.tcp_mem'
error: permission denied on key 'net.ipv4.tcp_wmem'
error: permission denied on key 'net.ipv4.tcp_rmem'
error: permission denied on key 'net.core.rmem_max'
error: permission denied on key 'net.core.rmem_default'
error: permission denied on key 'net.core.wmem_max'
error: permission denied on key 'net.core.wmem_default'
error: permission denied on key 'net.ipv4.tcp_max_tw_buckets'
error: permission denied on key 'net.ipv4.ip_local_port_range'
error: permission denied on key 'net.ipv4.ipfrag_high_thresh'
error: permission denied on key 'net.ipv4.ipfrag_low_thresh'
error: permission denied on key 'net.core.optmem_max'
error: "net.core.hot_list_length" is an unknown key
sade@sade-desktop:~$ sysctl -w net.ipv4.route.flush=1
error: permission denied on key 'net.ipv4.route.flush'
sade@sade-desktop:~$

1 reply · active 847 weeks ago

+1 Vote up Vote down