
How to properly secure sysctl on Linux

Protecting your Linux server from SYN attacks and IP spoofing is not as difficult as you think. Jack Wallen shows the way.

The sysctl interface lets you read and change parameters of the running Linux kernel. It exposes attributes such as the kernel version, resource limits such as the maximum number of open files, and a number of networking and security settings.

The same interface lets you mitigate SYN flood attacks and IP address spoofing. It can also log several kinds of suspicious packets: spoofed packets, source-routed packets, and ICMP redirects.

You can change kernel parameters at runtime with the sysctl command, or you can put the changes in the system configuration file so that they persist across reboots.

I want to show you how to harden the kernel's network settings quickly by editing the sysctl configuration file. This configuration will:

  • Disable IP forwarding
  • Disable sending ICMP redirects
  • Disable accepting ICMP redirects
  • Ignore bogus ICMP error responses

What do you need

  • A running instance of Linux
  • A user with sudo privileges

I will show Ubuntu Server 18.04, but the process is the same in almost all Linux distributions.

How to edit a sysctl configuration file

Log in to your Linux server or desktop and open a terminal window. From that terminal, issue the command:

sudo nano /etc/sysctl.conf

The first option to look for is:

#net.ipv4.ip_forward=1

Change the line to the following (skip this step if the machine is meant to route traffic, for example as a VPN gateway or a Docker host, since those need forwarding enabled):

net.ipv4.ip_forward=0

The next line to be edited is:

#net.ipv4.conf.all.send_redirects = 0

Change it to:

net.ipv4.conf.all.send_redirects = 0

Add the following line below it:

net.ipv4.conf.default.send_redirects = 0

Look for the line:

#net.ipv4.conf.all.accept_redirects = 0

Change it to:

net.ipv4.conf.all.accept_redirects = 0

Add the following line below it:

net.ipv4.conf.default.accept_redirects = 0

Finally, add the following lines to the bottom of the file:

net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 45

The lines above do the following:

  • Ignore bogus ICMP error responses, so that broken routers cannot fill the log with warnings about them
  • Enable SYN cookies, so the server keeps accepting legitimate connections when the SYN queue fills up during a flood
  • Increase the size of the SYN backlog queue to 2048
  • Limit SYN-ACK retransmissions to 3 (the default is 5), so half-open connections in the SYN_RECV state are dropped sooner
  • Decrease the connection-tracking timeout for SYN_RECV from the default 60 seconds to 45, so tracked half-open connections expire faster during a SYN flood

A caveat on the last line: older guides spell this key net.ipv4.netfilter.ip_conntrack_tcp_timeout_syn_recv, a name current kernels no longer have. Even under its current name the key only exists while the nf_conntrack module is loaded, which is the case on any host running stateful iptables or nftables rules. If the module is not loaded, sysctl -p reports that the key does not exist; either load the module first or drop the line.

Save and close the file.

How to reload the configuration

Reload the configuration with the command below. It prints each setting as it is applied and an error for any key it cannot set:

sudo sysctl -p

One warning about the sysctl -p command is that I found it doesn't load tcp_max_syn_backlog correctly. It wasn't until I rebooted that the value of 2048 was applied. So, after running the sudo sysctl -p command, run the command:

sysctl net.ipv4.tcp_max_syn_backlog

Make sure the value shown is 2048. (The file is world-readable, so no sudo is needed; cat /proc/sys/net/ipv4/tcp_max_syn_backlog shows the same value.)

If the value is less than that, reboot the server.
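Checking one key by hand is fine for a single server, but it is easy to miss a line that was left commented out or a key that sysctl -p rejected. The shell script below is an added example and is not part of the original article: it parses a sysctl.conf-style file the way sysctl applies it (the last occurrence of a key wins, a commented-out key counts as absent), compares every key the article sets against its expected value, and can point the same audit at the running kernel through sysctl -n. The function names, the AUDIT_FILE variable and the sample file are my own; the connection-tracking key is given under its current name, net.netfilter.nf_conntrack_tcp_timeout_syn_recv.

```shell
#!/bin/sh
# Added example (not from the original article): audit the hardening settings
# discussed above, first in a configuration file and then in the running kernel.
# Expected values are the ones the article sets.

EXPECTED='
net.ipv4.ip_forward=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=2048
net.ipv4.tcp_synack_retries=3
net.netfilter.nf_conntrack_tcp_timeout_syn_recv=45
'

# Print every active "key=value" line of a sysctl file: comments (# or ;) and
# blank lines dropped, whitespace around "=" removed. A commented-out key such
# as "#net.ipv4.ip_forward=1" therefore counts as absent, which is what we want.
normalize_sysctl() {
    sed -e 's/[#;].*//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1"
}

# conf_value KEY FILE: the effective value of KEY in FILE (last occurrence wins,
# as sysctl applies the file top to bottom); prints nothing if the key is absent.
conf_value() {
    normalize_sysctl "$2" | awk -F= -v k="$1" '$1 == k { v = $2 } END { print v }'
}

# Two ways of looking a key up: in $AUDIT_FILE (hypothetical variable name),
# or in the running kernel via sysctl -n.
get_from_conf()   { conf_value "$1" "$AUDIT_FILE"; }
get_from_kernel() { sysctl -n "$1" 2>/dev/null; }

# audit_sysctl GETTER: prints one OK / WRONG / MISSING line per expected key.
# Returns 0 only when every key is present with the expected value.
audit_sysctl() {
    getter=$1
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        key=${line%%=*}
        want=${line#*=}
        got=$("$getter" "$key")
        if [ -z "$got" ]; then
            printf 'MISSING %s (want %s)\n' "$key" "$want"; rc=1
        elif [ "$got" != "$want" ]; then
            printf 'WRONG   %s=%s (want %s)\n' "$key" "$got" "$want"; rc=1
        else
            printf 'OK      %s=%s\n' "$key" "$got"
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Demo on a constructed sample (not a real server's file): a half-finished edit
# where ip_forward is still commented out and the SYN settings were never added.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample of /etc/sysctl.conf
#net.ipv4.ip_forward=1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.tcp_syncookies = 1
EOF
AUDIT_FILE=$demo_file
if audit_sysctl get_from_conf; then
    echo "config file: all hardening keys present"
else
    echo "config file: fix the entries flagged above, then run: sudo sysctl -p"
fi
rm -f "$demo_file"

# On a real host, after "sudo sysctl -p", compare file and kernel:
#   AUDIT_FILE=/etc/sysctl.conf; audit_sysctl get_from_conf; audit_sysctl get_from_kernel
```

Run it with sh audit-sysctl.sh (any file name works). After sudo sysctl -p, a WRONG or MISSING line from audit_sysctl get_from_kernel is the quickest way to see that a key was rejected rather than applied, for example the conntrack timeout on a host where nf_conntrack is not loaded. Note that sysctl -p reads only /etc/sysctl.conf; sudo sysctl --system also reads the drop-in files under /etc/sysctl.d/, which is where most distributions now expect local changes to live.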

At this point, your Linux server should be better protected from SYN attacks and IP address spoofing. Enjoy the new security.
