Long-Term Supported Versions

    Kernel Parameters

    Hardening the Security of Kernel Parameters

    Description

    Kernel parameters specify the status of network configurations and application privileges. The kernel provides system control which can be fine-tuned or configured by users. This function can improve the security of the OS by controlling configurable kernel parameters. For example, you can fine-tune or configure network options to improve system security.

    Implementation

    1. Write the hardening items in Table 1 to the /etc/sysctl.conf file.

      NOTE:
      Record security hardening items as follows:

      net.ipv4.icmp_echo_ignore_broadcasts = 1  
      net.ipv4.conf.all.rp_filter = 1  
      net.ipv4.conf.default.rp_filter = 1  
      

      Table 1 Policies for hardening the security of kernel parameters

      Item

      Description

      Suggestion

      Configured as Suggested

      net.ipv4.icmp_echo_ignore_broadcasts

      Specifies whether ICMP broadcast packets are accepted. They are not accepted according to the hardening policy.

      1

      Yes

      net.ipv4.conf.all.rp_filter

      Specifies whether the actual source IP address used by a data packet is related to a routing table and whether the data packet receives responses through interfaces. The item is enabled according to the hardening policy.

      1

      Yes

      net.ipv4.conf.default.rp_filter

      1

      Yes

      net.ipv4.ip_forward

      The IP forwarding function prevents unauthorized IP address packets from being transferred to a network. The item is disabled according to the hardening policy.

      0

      Yes

      net.ipv4.conf.all.accept_source_route

      accept_source_route indicates that a packet sender can specify a path for sending the packet and a path for receiving a response. The item is disabled according to the hardening policy.

      0

      Yes

      net.ipv4.conf.default.accept_source_route

      0

      Yes

      net.ipv4.conf.all.accept_redirects

      Specifies whether a redirected ICMP packet is sent. The packet is not sent according to the hardening policy.

      0

      Yes

      net.ipv4.conf.default.accept_redirects

      0

      Yes

      net.ipv6.conf.all.accept_redirects

      0

      Yes

      net.ipv6.conf.default.accept_redirects

      0

      Yes

      net.ipv4.conf.all.send_redirects

      Specifies whether a redirected ICMP packet is sent to another server. This item is enabled only when the host functions as a route. The item is disabled according to the hardening policy.

      0

      Yes

      net.ipv4.conf.default.send_redirects

      0

      Yes

      net.ipv4.icmp_ignore_bogus_error_responses

      Fake ICMP packets are not recorded to logs, which saves disk space. The item is enabled according to the hardening policy.

      1

      Yes

      net.ipv4.tcp_syncookies

      SYN attack is a DoS attack that forces system restart by occupying system resources. TCP-SYN cookie protection is enabled according to the hardening policy.

      1

      Yes

      kernel.dmesg_restrict

      Hardens dmesg messages. Only the administrator is allowed to view the messages.

      1

      Yes

      kernel.sched_autogroup_enabled

      Determines whether the kernel automatically groups and schedules threads. After this item is enabled, scheduling groups compete for time slices, and threads in a scheduling group compete for the time slices allocated to the scheduling group. The item is disabled according to the hardening policy.

      0

      No

      kernel.sysrq

      Disables the magic key.

      NOTE:

      You are advised to disable the magic key so that commands cannot be directly passed to the kernel.

      0

      Yes

      net.ipv4.conf.all.secure_redirects

      Specifies whether redirected ICMP messages sent from any servers or from gateways listed in the default gateway list are accepted. Redirected ICMP messages are received from any servers according to the hardening policy.

      0

      Yes

      net.ipv4.conf.default.secure_redirects

      0

      Yes

    2. Run the following command to load the kernel parameters set in the sysctl.conf file:

      sysctl -p  /etc/sysctl.conf
      

    Other Security Suggestions

    • net.ipv4.icmp_echo_ignore_all: ignores ICMP requests.

      For security purposes, you are advised to enable this item. The default value is 0. Set the value to 1 to enable this item.

      After this item is enabled, all incoming ICMP Echo request packets will be ignored, which will cause failure to ping the target host. Determine whether to enable this item based on your actual networking condition.

    • net.ipv4.conf.all.log_martians/net.ipv4.conf.default.log_martians: logs spoofed, source routed, and redirect packets.

      For security purposes, you are advised to enable this item. The default value is 0. Set the value to 1 to enable this item.

      After this item is enabled, data from forbidden IP addresses will be logged. Too many new logs will overwrite old logs because the total number of logs allowed is fixed. Determine whether to enable this item based on your actual usage scenario.

    • net.ipv4.tcp_timestamps: disables tcp_timestamps.

      For security purposes, you are advised to disable tcp_timestamps. The default value is 1. Set the value to 0 to disable tcp_timestamps.

      After this item is disabled, TCP retransmission timeout will be affected. Determine whether to disable this item based on the actual usage scenario.

    • net.ipv4.tcp_max_syn_backlog: determines the number of queues that is in SYN_RECV state.

      This parameter determines the number of queues that is in SYN_RECV state. When this number is exceeded, new TCP connection requests will not be accepted. This to some extent prevents system resource exhaustion. Configure this parameter based on your actual usage scenario.

    Bug Catching

    Buggy Content

    Bug Description

    Submit As Issue

    It's a little complicated....

    I'd like to ask someone.

    PR

    Just a small problem.

    I can fix it online!

    Bug Type
    Specifications and Common Mistakes

    ● Misspellings or punctuation mistakes;

    ● Incorrect links, empty cells, or wrong formats;

    ● Chinese characters in English context;

    ● Minor inconsistencies between the UI and descriptions;

    ● Low writing fluency that does not affect understanding;

    ● Incorrect version numbers, including software package names and version numbers on the UI.

    Usability

    ● Incorrect or missing key steps;

    ● Missing prerequisites or precautions;

    ● Ambiguous figures, tables, or texts;

    ● Unclear logic, such as missing classifications, items, and steps.

    Correctness

    ● Technical principles, function descriptions, or specifications inconsistent with those of the software;

    ● Incorrect schematic or architecture diagrams;

    ● Incorrect commands or command parameters;

    ● Incorrect code;

    ● Commands inconsistent with the functions;

    ● Wrong screenshots.

    Risk Warnings

    ● Lack of risk warnings for operations that may damage the system or important data.

    Content Compliance

    ● Contents that may violate applicable laws and regulations or geo-cultural context-sensitive words and expressions;

    ● Copyright infringement.

    How satisfied are you with this document

    Not satisfied at all
    Very satisfied
    Submit
    Click to create an issue. An issue template will be automatically generated based on your feedback.
    Bug Catching
    编组 3备份