Linux Kernel sysctl Hardening

Warning: !! PROCEED AT YOUR OWN RISK !!

Proceed At Your Own Risk

This section covers things that are high risk: they can make your system unusable, or many consider them unnecessary because the risks outweigh any rewards.

Why harden the security of the Linux kernel

The kernel is the brains of a Linux system. Securing it just makes sense. On the other hand, changing kernel settings with sysctl is risky and could break your server. If you don’t know what you are doing, don’t have the time to debug issues, or just don’t want to take the risks, I would advise against following these steps.

Disclaimer

I am not as knowledgeable about hardening/securing a Linux kernel as I’d like. As much as I hate to admit it, I do not know what all of these settings do. My understanding is that most of them are general kernel hardening and performance, and the others are to protect against spoofing and DoS attacks.

In fact, since I am not 100% sure exactly what each setting does, I took recommended settings from numerous sites (all linked in the references below) and combined them to figure out what should be set. I figure if multiple reputable sites mention the same setting, it’s probably safe.

Notes

  • Documentation on all the sysctl settings/keys is severely lacking. The documentation I can find seems to reference the 2.2 version kernel. I could not find anything newer.
  • The reference sites listed below have more comments on what each setting does.

Steps - How to Secure sysctl

  1. The sysctl settings can be found in the linux-kernel-sysctl-hardening.md file.

  2. Before you make a kernel sysctl change permanent, you can test it with the sysctl command:

     sudo sysctl -w [key=value]

     Example:

     sudo sysctl -w kernel.ctrl-alt-del=0

     Note: There are no spaces in key=value, including before and after the equals sign.

  3. Once you have tested a setting, and made sure it works without breaking your server, you can make it permanent by adding the values to /etc/sysctl.conf. For example:

     $ sudo cat /etc/sysctl.conf
     kernel.ctrl-alt-del = 0
     fs.file-max = 65535
     ...
     kernel.sysrq = 0

  4. After updating the file you can reload the settings or reboot. To reload:

     sudo sysctl -p

Note: If sysctl cannot write a setting, sysctl -w or sysctl -p writes an error to stderr, while successfully applied settings are echoed to stdout. Discarding stdout therefore leaves only the failures visible, which is a quick way to find invalid settings in your /etc/sysctl.conf file:

sudo sysctl -p >/dev/null
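Steps 2 through 4 and the note above can be combined into a small pre-flight check. The script below is an added example, not part of the original article: it lints an /etc/sysctl.conf-style file for the key=value syntax sysctl expects, rewrites each entry into the space-free form used by sysctl -w, and, when run as root with the apply argument, applies the entries one at a time so a failing key is reported by name rather than lost in the combined stderr of sysctl -p. The key-name pattern (dotted tokens of letters, digits, underscore and hyphen) and the file path used in the usage comment are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original article): lint a sysctl.conf-style file
# before loading it with `sysctl -p`, and optionally apply entries one by one.

# Print each valid entry from a sysctl.conf-style file as "key=value", one per
# line, with whitespace around '=' removed (the form `sysctl -w` requires).
# Comment lines (# or ;) and blank lines are skipped. Returns 1 if any line is
# malformed, so it can gate a later `sysctl -p`.
sysctl_conf_entries() {
    file="$1"
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|';'*) continue ;;          # blank or comment line
            *=*) ;;                            # has a key/value separator
            *) printf 'malformed (no "="): %s\n' "$line" >&2; rc=1; continue ;;
        esac
        # key: everything before the first '=', trimmed
        key=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*$//; s/^[[:space:]]*//')
        # value: everything after the first '=', trimmed (may contain spaces,
        # e.g. kernel.printk = 4 4 1 7)
        value=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        # Assumed key shape: dotted tokens of letters, digits, '_' and '-',
        # with at least one dot (e.g. kernel.ctrl-alt-del, fs.file-max).
        if ! printf '%s' "$key" | grep -Eq '^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)+$'; then
            printf 'malformed key: %s\n' "$line" >&2; rc=1; continue
        fi
        printf '%s=%s\n' "$key" "$value"
    done < "$file"
    return $rc
}

# Apply each entry with `sysctl -w` individually (needs root). Unlike a single
# `sysctl -p`, every failure is reported next to the key that caused it.
# Returns the number of entries that failed (0 means all applied).
apply_sysctl_entries() {
    file="$1"
    failed=0
    tmp=$(mktemp) || return 2
    if ! sysctl_conf_entries "$file" > "$tmp"; then
        echo "refusing to apply: file has malformed lines" >&2
        rm -f "$tmp"; return 2
    fi
    while IFS= read -r kv; do
        # capture stderr only; stdout (the echoed setting) is discarded
        if ! err=$(sysctl -w "$kv" 2>&1 >/dev/null); then
            printf 'FAILED %s: %s\n' "$kv" "$err" >&2
            failed=$((failed + 1))
        fi
    done < "$tmp"
    rm -f "$tmp"
    return "$failed"
}

# Usage (path is an example):
#   sh lint-sysctl.sh /etc/sysctl.conf            # lint and print normalized entries
#   sudo sh lint-sysctl.sh /etc/sysctl.conf apply # lint, then apply one key at a time
if [ "$#" -ge 1 ]; then
    if [ "$2" = "apply" ]; then
        apply_sysctl_entries "$1"
    else
        sysctl_conf_entries "$1"
    fi
fi
```

Running the lint step first catches the spacing and typo mistakes that make sysctl -p emit errors, and the per-key apply mode tells you exactly which of the many keys collected from the reference sites your running kernel does not accept.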
