Sysctl Conf

/etc/sysctl.conf file is used to configure kernel parameters at runtime. Linux reads and applies settings from this file.

These settings can:

• Limit network-transmitted configuration for IPv4
• Limit network-transmitted configuration for IPv6
• Turn on execshield protection
• Prevent against the common 'syn flood attack'
• Turn on source IP address verification
• Prevents a cracker from using a spoofing attack against the IP address of the server.
• Logs several types of suspicious packets, such as spoofed packets, source-routed packets, and redirects.

You can configure various Linux networking and system settings such as:

sudo vi /etc/sysctl.conf

Find and edit each setting:

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1

# Accept Redirects? No, this is not router
net.ipv4.conf.all.secure_redirects = 0

# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.default.secure_redirects = 0

#Enable ExecShield protection
kernel.exec-shield = 1
kernel.randomize_va_space = 1

########## IPv6 networking start ##############
# Number of Router Solicitations to send until assuming no routers are present.
# This is host and not router
net.ipv6.conf.default.router_solicitations = 0

# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0

# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0

# Setting controls whether the system will accept Hop Limit settings from a router advertisement
net.ipv6.conf.default.accept_ra_defrtr = 0

#router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0

#how many neighbor solicitations to send out per address?
net.ipv6.conf.default.dad_transmits = 0

# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1

########## IPv6 networking ends ##############

# Other settings
net.ipv4.icmp_ratelimit 100
net.ipv4.icmp_ratemask 88089
net.ipv4.tcp_timestamps 0
net.ipv4.conf.all.arp_ignore 1
net.ipv4.conf.all.arp_announce 2
net.ipv4.tcp_rfc1337 1
net.ipv4.conf.all.shared_media 1
net.ipv4.conf.default.shared_media 1
net.ipv6.conf.all.forwarding 0
net.ipv6.conf.all.accept_ra 0
net.ipv6.conf.default.accept_ra 0
kernel.sysrq 0
fs.suid_dumpable 0

Apply new settings:

sudo sysctl -p