25 Improving Network Security with sysctl Variables
Sysctl (system control) variables control certain kernel parameters that
influence the behavior of different parts of the operating system, for example
the Linux network stack. These parameters can be looked up in the proc file
system, in /proc/sys. Many kernel parameters can be changed directly by writing
a new value into a parameter pseudo file. However, these changes are not
persisted and are lost after a system reboot. Therefore it is recommended to
configure all changes in a sysctl configuration file to have them applied at
every system start.
In this chapter, a number of networking related variables will be configured
that improve the security features of Linux. Depending on the presence of a
firewall and its settings, some of the variables listed here will already
have the safe values by default. You can check the current value of a setting
by using the sysctl utility like this:

> /sbin/sysctl net.ipv4.conf.all.rp_filter
net.ipv4.conf.all.rp_filter = 2
To apply the following settings, create a configuration file in /etc/sysctl.d/.
The file needs to end with a .conf suffix, for example
/etc/sysctl.d/network.conf. For details, refer to man 5 sysctl.d.
Set the variables from the following list as appropriate for your environment.
# the default setting for this is 2 (loose mode)
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

This setting enables the IPv4 reverse path filter in strict mode. It ensures that answers to incoming IP packets are always sent out via the interface on which the packets have been received. If, according to the routing table, the system would direct the answer packets to a different outgoing interface, the incoming packets are discarded. The setting prevents certain kinds of IP spoofing attacks, for example those used for distributed denial-of-service (DDoS) attacks.
# the default setting for this should already be 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0

This setting disables the acceptance of packets with the SSR option set in the IPv4 packet header. Packets that use Source Routing will be rejected. This prevents IP packet redirection, that is, redirection to a host behind a firewall that is not directly reachable otherwise.

# the default setting for this should already be 1
net.ipv4.tcp_syncookies = 1
This enables TCP SYN Cookie Protection for IPv4 and IPv6. It addresses a specific denial-of-service attack on the TCP protocol level. The protection involves a small CPU trade-off in favor of avoiding memory exhaustion caused by attackers. The protection mechanism consists of a fallback algorithm that only comes into play when no further TCP connections can be accepted the normal way. The mechanism is not fully TCP protocol compliant and can thus cause protocol issues in some TCP contexts. The alternative would be to drop additional connections completely in overload scenarios. This also needs a differentiation between legitimate high TCP load and a TCP denial-of-service attack. If you expect a high load of TCP connections on your system, then this setting could be counterproductive.
# default is 128
net.ipv4.tcp_max_syn_backlog = 4096

The TCP SYN backlog defines the number of SYN packets that are queued for further processing. Once the queue limit is exceeded, all new incoming SYN packets are dropped and new TCP connections will not be possible (or the SYN cookie protection kicks in). Increasing this value improves the protection against TCP SYN flood attacks.
# the default setting for this should already be 1
net.ipv4.icmp_echo_ignore_broadcasts = 1

ICMP echo requests (ping) can be sent to an IPv4 broadcast address in order to scan a network for existing hosts/IP addresses or to perform an ICMP flood within a network segment. This setting causes the networking stack to ignore ICMP echo packets sent to a broadcast address.
# the default setting for this should already be 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

This setting avoids filling up log files with unnecessary error messages coming from invalid responses to broadcast frames. Refer to RFC 1122, Requirements for Internet Hosts -- Communication Layers, Section 3.2.2, for more information.
# default should already be 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0

This disables the acceptance of ICMP redirect messages. These messages are usually sent by gateways to inform a host about a better route to an outside network. These redirects can be misused for man-in-the-middle attacks.
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.secure_redirects = 0

Accepting 'secure' ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required.
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0

A node should not send out IPv4 ICMP redirects, unless it acts as a router.
# default should already be 0
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0

IP forwarding should only be enabled on systems acting as routers.
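As an added example (not part of the original chapter or of any SUSE tooling), the following POSIX shell script audits a host's live values against the settings listed above by reading the /proc/sys pseudo files directly, reports drift or missing keys, and renders the same settings in the /etc/sysctl.d/ syntax. The PROC_SYS variable, the function names and the output format are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the SUSE guide): report drift between a host's live
# kernel values and the hardened settings listed in this chapter. Reads the
# /proc/sys pseudo files; set PROC_SYS to another root to audit a copied tree.
# Settings from this chapter, one "key value" pair per line.
HARDENED='net.ipv4.conf.default.rp_filter 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.tcp_syncookies 1
net.ipv4.tcp_max_syn_backlog 4096
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.accept_redirects 0
net.ipv6.conf.default.accept_redirects 0
net.ipv6.conf.all.accept_redirects 0
net.ipv4.conf.default.secure_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.ip_forward 0
net.ipv6.conf.all.forwarding 0
net.ipv6.conf.default.forwarding 0'
# Map a dotted key to its pseudo file: net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward
sysctl_file() {
    printf '%s/%s\n' "${PROC_SYS:-/proc/sys}" "$(printf '%s' "$1" | tr . /)"
}
# Print one line per key whose live value differs from the hardened value or
# whose pseudo file is absent (e.g. IPv6 keys on a host with IPv6 disabled).
audit_sysctl() {
    while read -r key want; do
        f=$(sysctl_file "$key")
        if [ ! -r "$f" ]; then
            printf 'MISSING %s (expected %s)\n' "$key" "$want"
        elif [ "$(cat "$f")" != "$want" ]; then
            printf 'DRIFT %s = %s (expected %s)\n' "$key" "$(cat "$f")" "$want"
        fi
    done <<EOF
$HARDENED
EOF
}
# Number of deviating keys; 0 means the host already matches the chapter.
count_deviations() { audit_sysctl | wc -l | tr -d ' '; }
# The same settings in sysctl.d syntax, ready for /etc/sysctl.d/network.conf.
render_conf() { printf '%s\n' "$HARDENED" | sed 's/ / = /'; }
case "${1:-}" in run) audit_sysctl; render_conf ;; esac
```

Running the script with the argument `run` prints the deviations followed by the rendered configuration; redirect `render_conf` output into /etc/sysctl.d/network.conf and load it with `sysctl --system` to persist the settings.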