Kernel Parameters
Hardening the Security of Kernel Parameters
Description
Kernel parameters control the behaviour of the network stack and the privileges and resource limits available to applications. The kernel exposes them through the sysctl interface (the files under /proc/sys), so an administrator can tune them at runtime and persist them in configuration files. Setting the security-relevant parameters deliberately improves the security of the OS; for example, the network options below make the kernel discard spoofed and amplification traffic it would otherwise process.
Implementation
Write the hardening items in Table 1 to the /etc/sysctl.conf file (or to a drop-in file under /etc/sysctl.d/, which sysctl --system also loads).
NOTE:
Record security hardening items one per line, in "key = value" form, for example:
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
Table 1 Policies for hardening the security of kernel parameters
Run the following command to load the kernel parameters set in the sysctl.conf file:
sysctl -p /etc/sysctl.conf
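The procedure above (write the items, load them, then confirm they took effect), as an added example that is not part of the original page: a POSIX shell script that renders the three items quoted from Table 1 into a sysctl file and then audits the running values directly from /proc/sys, which is the same data sysctl -n reads. The audit takes an optional root directory so it can be exercised against a constructed tree without root; the script, the function names and the drop-in path are mine, not the page's. Of the three items, icmp_echo_ignore_broadcasts stops the host answering pings sent to a broadcast address (smurf amplification), and rp_filter drops packets whose source address would not be routed back out through the interface they arrived on.

```shell
#!/bin/sh
# Added example (not from the original page): render the Table 1 hardening
# items into a sysctl config file and audit the running kernel against it.
# Assumptions: /proc/sys is mounted; file paths below are the author's choice.
set -u

# The three items the page lists, as key=value pairs.
HARDENING_ITEMS='net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1'

# write_sysctl_conf FILE: write the items in sysctl.conf "key = value" syntax.
write_sysctl_conf() {
    printf '%s\n' "$HARDENING_ITEMS" | sed 's/=/ = /' > "$1"
}

# audit_sysctl_conf FILE [SYSROOT]: compare every key in FILE with the value the
# kernel currently exposes under SYSROOT (default /proc/sys; a test can point it
# at a fake tree). Prints one line per key and returns 0 only if all match.
audit_sysctl_conf() {
    conf=$1
    sysroot=${2:-/proc/sys}
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|';'*) continue ;; esac   # skip blanks and comments
        key=$(printf '%s' "$line" | cut -d= -f1 | tr -d '[:space:]')
        want=$(printf '%s' "$line" | cut -d= -f2- | tr -d '[:space:]')
        # sysctl key net.ipv4.conf.all.rp_filter maps to the file
        # $sysroot/net/ipv4/conf/all/rp_filter
        node=$sysroot/$(printf '%s' "$key" | tr . /)
        if [ ! -r "$node" ]; then
            echo "MISSING  $key (no such sysctl on this kernel)"
            rc=1
            continue
        fi
        have=$(tr -d '[:space:]' < "$node")
        if [ "$have" = "$want" ]; then
            echo "OK       $key = $have"
        else
            echo "MISMATCH $key: running=$have expected=$want"
            rc=1
        fi
    done < "$conf"
    return $rc
}

# Usage (as root), following the page's procedure:
#   write_sysctl_conf /etc/sysctl.conf        # or a drop-in under /etc/sysctl.d/
#   sysctl -p /etc/sysctl.conf                # load the file into the running kernel
#   audit_sysctl_conf /etc/sysctl.conf        # non-zero exit if anything drifted
```

Running the audit after every boot (or from a configuration-management check) catches the common failure where a file is edited but never loaded, or where a later drop-in or an interface that did not exist yet at load time overrides the value.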
Other Security Suggestions
net.ipv4.icmp_echo_ignore_all: ignores all ICMP Echo requests.
For security purposes, you are advised to enable this item. The default value is 0. Set the value to 1 to enable it.
After this item is enabled, every incoming ICMP Echo request is silently dropped, so the host no longer answers ping. Monitoring systems and load-balancer health checks that rely on ping will report the host as down. Decide whether to enable this item based on your actual network environment.
net.ipv4.conf.all.log_martians/net.ipv4.conf.default.log_martians: logs packets with impossible source addresses ("martians"), which covers spoofed, source-routed, and redirect packets.
For security purposes, you are advised to enable this item. The default value is 0. Set the value to 1 to enable it.
After this item is enabled, each such packet produces a kernel log message naming the source address and the receiving interface. On a noisy network this adds considerable log volume, and because the kernel log buffer is a fixed-size ring, a burst of martian messages can push out older entries before they are collected. Forward kernel logs to a central log server if you need to keep them. Decide whether to enable this item based on your actual usage scenario.
net.ipv4.tcp_timestamps: disables TCP timestamps (RFC 1323/7323).
For security purposes, you are advised to disable tcp_timestamps, which stops remote hosts from inferring the system uptime from the timestamp values in packets. The default value is 1. Set the value to 0 to disable it.
After this item is disabled, the kernel loses the per-packet round-trip measurements it uses to tune the retransmission timeout, and PAWS (Protection Against Wrapped Sequence numbers), which depends on timestamps, no longer operates; high-bandwidth connections are the most affected. Note that kernels since 4.10 randomise the timestamp offset per connection, which already limits the uptime leak. Decide whether to disable this item based on the actual usage scenario.
net.ipv4.tcp_max_syn_backlog: limits the number of half-open connections in the SYN_RECV state.
This parameter sets the maximum number of connection requests a listening socket keeps in the SYN_RECV state while waiting for the client's final ACK of the handshake. When the limit is reached, the kernel stops queuing further half-open connections: if net.ipv4.tcp_syncookies is enabled it answers with SYN cookies instead, otherwise the excess SYN packets are dropped. Either way this bounds the memory a SYN flood can consume and so, to some extent, prevents system resource exhaustion. Configure this parameter based on your actual usage scenario.
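The optional items above collected into one sysctl drop-in with their caveats as comments, as an added example that is not from the original page. The file name is an assumption, the tcp_max_syn_backlog value is illustrative rather than a recommendation, and the tcp_syncookies line is not on the page: it is included because it is what makes the backlog limit degrade to cookies instead of dropped connections.

```ini
# /etc/sysctl.d/99-optional-hardening.conf (added example; path is an assumption)
# Each value is a choice the page leaves to the operator; read the caveat
# before enabling it.

# Ignore all ICMP Echo requests. The host stops answering ping, so ping-based
# monitoring and health checks will report it as down.
net.ipv4.icmp_echo_ignore_all = 1

# Log packets with impossible ("martian") source addresses: spoofed,
# source-routed and redirect packets. Expect extra kernel log volume on noisy
# networks; the kernel log ring is fixed-size, so forward logs off-host.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Disable TCP timestamps to stop uptime inference. Also disables PAWS and the
# RTT measurement used to tune retransmission timeouts.
net.ipv4.tcp_timestamps = 0

# Cap half-open (SYN_RECV) connections per listening socket. Value is an
# illustrative example; size it to the expected connection rate.
net.ipv4.tcp_max_syn_backlog = 2048
# Not on the page: with cookies enabled, overflow of the backlog is answered
# with SYN cookies instead of dropping new connections.
net.ipv4.tcp_syncookies = 1
```

Load it with sysctl -p /etc/sysctl.d/99-optional-hardening.conf (or sysctl --system) and confirm each value with sysctl -n, since a typo in a key name is reported by sysctl -p but does not stop the remaining lines from loading.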