<\/p>\n
sysctl<\/strong> is an interface that allows you to make changes to a running Linux kernel. With \/etc\/sysctl.conf<\/strong> you can configure various Linux networking and system settings such as:<\/p>\n The sysctl command is used to modify kernel parameters at runtime. \/etc\/sysctl.conf is a text file containing sysctl values to be read in and set by sysct at boot time. To view current values, enter:<\/p>\n Edit \/etc\/sysctl.conf and update it as follows. The file is documented with comments.<\/p>\n To use this settings paste the above sysctl variables in \/etc\/sysctl.conf<\/strong> and ask sysctl<\/strong> command to read and apply the newly added conf settings:<\/p>\n # Hopefully you should not get errors while applying the sysctl<\/strong> settings, if you get some errors, it\u2019s possible some of the variable is differently named (depending on the Linux kernel version) or the Linux distribution on which sysctl<\/strong> are implemented.<\/p>\n","protected":false},"excerpt":{"rendered":" sysctl is an interface that allows you to make changes to a running Linux kernel. With \/etc\/sysctl.conf you can configure various Linux networking and system settings such as: Limit network-transmitted configuration for IPv4 Limit network-transmitted configuration for IPv6 Turn on execshield protection Prevent against the common \u2018syn flood attack\u2019 Turn on source IP address … Continue reading Security Hardening Linux using sysctl.conf<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":873,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"slim_seo":{"title":"Security Hardening Linux using sysctl.conf - HP Server","description":" sysctl is an interface that allows you to make changes to a running Linux kernel. With \/etc\/sysctl.conf you can configure various Linux networking and sy"},"footnotes":""},"categories":[1],"tags":[],"class_list":["post-871","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/871","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/comments?post=871"}],"version-history":[{"count":0,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/posts\/871\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/media\/873"}],"wp:attachment":[{"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/media?parent=871"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/categories?post=871"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/easy-admin.ca\/index.php\/wp-json\/wp\/v2\/tags?post=871"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
sysctl command<\/h2>\n
# sysctl -a
\n# sysctl -A
\n# sysctl net.ipv4.conf.all.rp_filter<\/code><\/p>\nSample \/etc\/sysctl.conf<\/h2>\n
# The following is suitable for dedicated web server, mail, ftp server etc.<\/strong> \r\n# ---------------------------------------\r\n# BOOLEAN Values:\r\n# a) 0 (zero) - disabled \/ no \/ false\r\n# b) Non zero - enabled \/ yes \/ true\r\n# --------------------------------------\r\n# Controls IP packet forwarding<\/strong>\r\nnet.ipv4.ip_forward = 0\r\n\u00a0\r\n# Controls source route verification<\/strong>\r\nnet.ipv4.conf.default.rp_filter = 1\r\n\u00a0\r\n# Do not accept source routing<\/strong>\r\nnet.ipv4.conf.default.accept_source_route = 0\r\n\u00a0\r\n# Controls the System Request debugging functionality of the kernel<\/strong>\r\nkernel.sysrq = 0\r\n\u00a0\r\n# Controls whether core dumps will append the PID to the core filename<\/strong>\r\n# Useful for debugging multi-threaded applications\r\nkernel.core_uses_pid = 1\r\n\u00a0\r\n# Controls the use of TCP syncookies<\/strong>\r\n# net.ipv4.tcp_syncookies = 1\r\nnet.ipv4.tcp_synack_retries = 2\r\n\u00a0\r\n########## IPv4 networking start<\/strong> ##############\r\n# Send redirects, if router, but this is just server<\/strong>\r\nnet.ipv4.conf.all.send_redirects = 0\r\nnet.ipv4.conf.default.send_redirects = 0\r\n\u00a0\r\n# Accept packets with SRR option? No<\/strong>\r\nnet.ipv4.conf.all.accept_source_route = 0\r\n\u00a0\r\n# Accept Redirects? No, this is not router<\/strong>\r\nnet.ipv4.conf.all.accept_redirects = 0\r\nnet.ipv4.conf.all.secure_redirects = 0\r\n\u00a0\r\n# Log packets with impossible addresses to kernel log? yes<\/strong>\r\nnet.ipv4.conf.all.log_martians = 1\r\nnet.ipv4.conf.default.accept_source_route = 0\r\nnet.ipv4.conf.default.accept_redirects = 0\r\nnet.ipv4.conf.default.secure_redirects = 0\r\n\u00a0\r\n# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast\/multicast<\/strong>\r\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\r\n\u00a0\r\n# Prevent against the common 'syn flood attack'<\/strong>\r\nnet.ipv4.tcp_syncookies = 1\r\n\u00a0\r\n# Enable source validation by reversed path, as specified in RFC1812<\/strong>\r\nnet.ipv4.conf.all.rp_filter = 1\r\nnet.ipv4.conf.default.rp_filter = 1\r\n\u00a0\r\n########## IPv6 networking start<\/strong> ##############\r\n# Number of Router Solicitations to send until assuming no routers are present.<\/strong>\r\n# This is host and not router<\/strong>\r\nnet.ipv6.conf.default.router_solicitations = 0\r\n\u00a0\r\n# Accept Router Preference in RA?<\/strong>\r\nnet.ipv6.conf.default.accept_ra_rtr_pref = 0\r\n\u00a0\r\n# Learn Prefix Information in Router Advertisement<\/strong>\r\nnet.ipv6.conf.default.accept_ra_pinfo = 0\r\n\u00a0\r\n# Setting controls whether the system will accept Hop Limit settings from a router advertisement<\/strong>\r\nnet.ipv6.conf.default.accept_ra_defrtr = 0\r\n\u00a0\r\n# Router advertisements can cause the system to assign a global unicast address to an interface<\/strong>\r\nnet.ipv6.conf.default.autoconf = 0\r\n\u00a0\r\n# How many neighbor solicitations to send out per address?<\/strong>\r\nnet.ipv6.conf.default.dad_transmits = 0\r\n\u00a0\r\n# How many global unicast IPv6 addresses can be assigned to each interface?<\/strong>\r\nnet.ipv6.conf.default.max_addresses = 1\r\n\u00a0\r\n########## IPv6 networking ends<\/strong> ##############\r\n\u00a0\r\n# Enable ExecShield protection<\/strong>\r\nkernel.exec-shield = 1\r\nkernel.randomize_va_space = 1\r\n\u00a0\r\n# TCP and memory optimization<\/strong> \r\n# increase TCP max buffer size set using setsockopt()\r\n#net.ipv4.tcp_rmem = 4096 87380 8388608\r\n#net.ipv4.tcp_wmem = 4096 87380 8388608\r\n\u00a0\r\n# Increase Linux auto tuning TCP buffer limits<\/strong>\r\n#net.core.rmem_max = 8388608\r\n#net.core.wmem_max = 8388608\r\n#net.core.netdev_max_backlog = 5000\r\n#net.ipv4.tcp_window_scaling = 1\r\n\u00a0\r\n# Increase system file descriptor limit <\/strong> \r\nfs.file-max = 65535\r\n\u00a0\r\n# Allow for more PIDs<\/strong> \r\nkernel.pid_max = 65536\r\n\u00a0\r\n# Increase system IP port limits<\/strong>\r\nnet.ipv4.ip_local_port_range = 2000 65000<\/pre>\n
sysctl -p<\/code><\/p>\n