/etc/sysctl.conf HardeningConfigure and control Linux kernel and networking settings through /etc/sysctl.conf for enhanced security.
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
kernel.exec-shield = 1
kernel.randomize_va_space = 1
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
fs.file-max = 65535
kernel.pid_max = 65536
net.ipv4.ip_local_port_range = 2000 65000
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
This can help prevent ping floods.
net.ipv4.icmp_echo_ignore_all = 1
If IPv6 is not in use, it can be disabled to reduce the attack surface.
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
Improve the robustness of the TCP/IP stack.
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
# Don't allow traffic between different interfaces
net.ipv4.conf.all.rp_filter = 1
# Control SYN cookies (prevent SYN flood attacks)
net.ipv4.tcp_synack_retries = 2
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
Avoid denial-of-service attacks due to resource exhaustion.
# Increase number of incoming connections backlog
net.core.somaxconn = 4096
# Increase number of incoming connections
net.core.netdev_max_backlog = 4096
# Increase the maximum amount of option memory buffers
net.core.optmem_max = 65536
Additional network-related hardening.
# Time to wait (seconds) if an ARP request is not answered
net.ipv4.neigh.default.gc_stale_time = 60
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
Core dumps could potentially contain sensitive data and should be disabled unless needed for debugging.
fs.suid_dumpable = 0
Enhance protection against buffer overflow attacks.
kernel.randomize_va_space = 2
Prevent IP spoofing and bad source routing.
# Log packets with source addresses that don't match the interface
net.ipv4.conf.all.log_martians = 1
# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0