How to properly secure sysctl on Linux

Protecting your Linux servers against SYN floods and IP spoofing isn't nearly as hard as you think. Jack Wallen shows you how.


The sysctl interface lets you read and change parameters of a running Linux kernel. Each parameter is exposed as a file under /proc/sys, and the sysctl utility reads and modifies them by dotted name (net.ipv4.ip_forward maps to /proc/sys/net/ipv4/ip_forward), covering everything from version information and resource limits to a number of network security settings.

Several of those settings let you blunt SYN flood attacks and IP address spoofing. The kernel can also log several types of suspicious packets (spoofed packets, source-routed packets, and redirects) when the log_martians setting is turned on.

You can change kernel parameters at runtime with the sysctl command, or you can put them in the system's configuration file (/etc/sysctl.conf, or a drop-in file under /etc/sysctl.d/) so they are reapplied at every boot.

I want to show you how to harden the kernel's network settings by quickly editing the sysctl configuration file. This configuration will:

  • Disable IP forwarding

  • Disable Send Packet Redirects

  • Disable ICMP Redirect Acceptance

  • Enable Bad Error Message Protection

  • Enable SYN cookies and tighten SYN backlog handling


What you'll need

  • A running instance of Linux

  • A user with sudo privileges

Note: I'll be demonstrating on Ubuntu Server 18.04, but the process is the same on almost every Linux distribution.

How to edit the sysctl configuration file

Log in to your Linux server or desktop and open a terminal window. From that terminal, issue the command:

sudo nano /etc/sysctl.conf

The first option to look for is:

#net.ipv4.ip_forward=1

Change that line to:

net.ipv4.ip_forward=0

Leave forwarding enabled if this machine is meant to route traffic, for example a VPN gateway or a Docker host (Docker turns ip_forward on for its containers); setting it to 0 there breaks that role.

The next line to edit is:

#net.ipv4.conf.all.send_redirects = 0

Change that to:

net.ipv4.conf.all.send_redirects = 0

Add the following line under that:

net.ipv4.conf.default.send_redirects = 0

Look for the line:

#net.ipv4.conf.all.accept_redirects = 0

Change that to:

net.ipv4.conf.all.accept_redirects = 0

Add the following line under that:

net.ipv4.conf.default.accept_redirects = 0

Finally, add the following lines to the bottom of the file:

net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 45

The above lines do the following:

  • Enable bad error message protection (the kernel ignores bogus ICMP error responses instead of logging them)

  • Enable SYN cookies, so the server keeps accepting connections when the SYN queue fills up instead of dropping them

  • Increase the SYN backlog queue size to 2048

  • Reduce SYN-ACK retransmissions to 3, so half-open connections in the SYN_RECV state are closed earlier

  • Lower the connection-tracking timeout for SYN_RECV from the default 60 seconds to 45, so entries created by a SYN flood expire from the conntrack table sooner

The last key lives under net.netfilter; the older net.ipv4.netfilter.ip_conntrack_* names are no longer supported by the kernel. It only exists while the nf_conntrack module is loaded, which is the case on a host running a stateful firewall such as ufw or iptables. On a host with no connection tracking, sysctl -p prints an error for that key; the other settings are still applied.

Save and close the file.

How to reload the configuration

You can reload the configuration by issuing the command:

sudo sysctl -p

With no file argument, sysctl -p reads only /etc/sysctl.conf, and it prints an error naming any key the running kernel does not expose, so read its output rather than assuming every line applied. One caveat to the sysctl -p command is that I found it didn't load tcp_max_syn_backlog properly. It wasn't until a reboot that the 2048 value was added. So, after running the sudo sysctl -p command, issue the command:

sysctl net.ipv4.tcp_max_syn_backlog

Make sure the value presented is 2048.

If the value is anything less, first run sudo sysctl --system: it applies every drop-in under /etc/sysctl.d/ together with /etc/sysctl.conf, the same set of files the boot-time service loads, so it reproduces the after-reboot state without a reboot. If the value is still wrong, reboot the server.
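To verify the whole set of settings at once rather than one key at a time, here is a small POSIX shell audit script added for this article; it is not part of the original piece or of the sysctl tool. It reads key = value lines in /etc/sysctl.conf syntax from standard input, looks each key up under /proc/sys, prints OK or DIFF per key, and exits non-zero on any mismatch. The embedded config is the article's settings with the conntrack key under its current net.netfilter name. The names HARDENING_CONF, PROC_SYS, AUDIT_DRY_RUN and the function names are my own; PROC_SYS can be pointed at a directory of constructed files to dry-run the audit without root.

```shell
#!/bin/sh
# Added example (not from the original article): audit the live kernel
# values against a sysctl-style config so you can confirm that
# `sysctl -p` (or a reboot) actually applied the hardening settings.
#
# Assumptions (not stated in the article): config lines use the
# "key = value" syntax of /etc/sysctl.conf, and live values are read
# from $PROC_SYS, where "net.ipv4.ip_forward" maps to
# $PROC_SYS/net/ipv4/ip_forward. Override PROC_SYS to audit a fake tree.

PROC_SYS="${PROC_SYS:-/proc/sys}"

# Constructed sample config: the article's settings, with the obsolete
# ip_conntrack key replaced by its nf_conntrack successor.
HARDENING_CONF='
# IP forwarding off (not for routers, VPN gateways or Docker hosts)
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 3
net.netfilter.nf_conntrack_tcp_timeout_syn_recv = 45
'

# key_to_path: turn "net.ipv4.ip_forward" into "$PROC_SYS/net/ipv4/ip_forward".
key_to_path() {
    printf '%s/%s\n' "$PROC_SYS" "$(printf '%s' "$1" | tr '.' '/')"
}

# live_value: print the current kernel value for a key (whitespace
# collapsed to single spaces), or "MISSING" if the kernel does not
# expose it, e.g. the conntrack timeout when nf_conntrack is not loaded.
live_value() {
    path=$(key_to_path "$1")
    if [ -r "$path" ]; then
        tr -s '[:space:]' ' ' < "$path" | sed 's/ *$//'
    else
        printf 'MISSING\n'
    fi
}

# audit_sysctl: read "key = value" lines from stdin, compare each with
# the live value, print one line per key, return 1 if any key differs.
audit_sysctl() {
    rc=0
    while IFS= read -r line; do
        # drop comments, then skip lines that carry no "key = value"
        line=${line%%#*}
        case "$line" in *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        have=$(live_value "$key")
        if [ "$have" = "$want" ]; then
            printf 'OK %s = %s\n' "$key" "$have"
        else
            printf 'DIFF %s: want %s, have %s\n' "$key" "$want" "$have"
            rc=1
        fi
    done
    return $rc
}

# Audit the running kernel unless AUDIT_DRY_RUN is set (set it when
# sourcing this file only for its functions).
if [ -z "${AUDIT_DRY_RUN:-}" ]; then
    printf '%s\n' "$HARDENING_CONF" | audit_sysctl \
        || echo "audit: some settings are not applied" >&2
fi
```

Run it after sudo sysctl -p; a DIFF line ending in "have MISSING" means the kernel does not expose that key (for the conntrack timeout, that the nf_conntrack module is not loaded). To install the same settings as a drop-in instead of editing /etc/sysctl.conf, write HARDENING_CONF to a file such as /etc/sysctl.d/60-hardening.conf (a name of my choosing) and run sudo sysctl --system.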

At this point, your Linux server should be better protected against SYN floods. Note that these settings do not by themselves discard packets with spoofed source addresses; that is the job of reverse-path filtering (net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter), which Ubuntu enables by default in /etc/sysctl.d/10-network-security.conf. Confirm it with sysctl net.ipv4.conf.all.rp_filter before you count on it. Enjoy that newfound security.
