Linux Host Baseline - Secure /etc/sysctl.conf

Baseline Requirements

net.ipv4.conf.all.accept_source_route and net.ipv4.tcp_syncookies are two kernel parameters related to network security:

  1. net.ipv4.conf.all.accept_source_route: This parameter controls whether the kernel accepts packets that carry IP source-routing options. Source routing is a routing method in which the packet itself contains the path it should take through the network, instead of leaving that decision to the routers. Accepting such packets is a security risk, because an attacker can use source routing to spoof network devices or to steer traffic around security measures. It is therefore generally recommended to set net.ipv4.conf.all.accept_source_route to 0, which rejects source-routed packets.

  2. net.ipv4.tcp_syncookies: TCP SYN cookies are a mechanism for defending against SYN flood attacks. To open a TCP connection, a client sends a SYN (synchronize) segment to the server. An attacker can send a large number of forged SYN requests so that the server's resources are exhausted and it can no longer accept new connections. With net.ipv4.tcp_syncookies enabled, the system falls back to SYN cookies when it is under a SYN flood: once the SYN queue is full or a large number of forged SYN requests arrive, it answers connection requests with SYN cookies instead of queueing an entry for every half-open connection, so its resources are not exhausted.

Enable syncookies to mitigate SYN flood attacks

Detection method
    Run the following command to check the value of the tcp_syncookies parameter.
    #cat /proc/sys/net/ipv4/tcp_syncookies
Compliance criteria
    A tcp_syncookies value of 1 is compliant, any other value is non-compliant.

Disable IP source routing

Detection method
    Run the following command to check the value of the accept_source_route parameter.
    #cat /proc/sys/net/ipv4/conf/*/accept_source_route
Compliance criteria
    An accept_source_route value of 0 is compliant, any other value is non-compliant.
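
Both detection steps above can be scripted as a read-only audit. The script below is an added example and is not part of the original baseline document: it reads the same /proc/sys files the two cat commands do, treats any interface whose accept_source_route is not 0 as a failure (the glob in the detection command covers every interface, not only "all"), and takes the root of the tree from a PROC_SYS variable (an assumption of this example) so it can be exercised against a constructed directory instead of the live kernel.

```shell
#!/bin/sh
# Added example: read-only audit of the two baseline items against the live
# kernel values. PROC_SYS (an assumption of this example) defaults to /proc/sys
# and can point at a constructed tree for testing.
PROC_SYS="${PROC_SYS:-/proc/sys}"

# check_value NAME EXPECTED ACTUAL: print one result line; return 0 if compliant
check_value() {
    if [ "$3" = "$2" ]; then
        echo "COMPLIANT     $1=$3"
        return 0
    fi
    echo "NON-COMPLIANT $1=$3 (expected $2)"
    return 1
}

# audit_syncookies: net.ipv4.tcp_syncookies must be exactly 1
audit_syncookies() {
    actual=$(cat "$PROC_SYS/net/ipv4/tcp_syncookies" 2>/dev/null || echo missing)
    check_value net.ipv4.tcp_syncookies 1 "$actual"
}

# audit_source_route: every entry under conf/*/ must be 0. The detection command
# on the page reads the whole glob, so a single non-zero interface fails the item.
audit_source_route() {
    sr_rc=0
    found=0
    for f in "$PROC_SYS"/net/ipv4/conf/*/accept_source_route; do
        [ -e "$f" ] || continue
        found=1
        iface=$(basename "$(dirname "$f")")
        check_value "net.ipv4.conf.$iface.accept_source_route" 0 "$(cat "$f")" || sr_rc=1
    done
    if [ "$found" -eq 0 ]; then
        echo "NON-COMPLIANT no accept_source_route entries found under $PROC_SYS"
        return 1
    fi
    return $sr_rc
}

# audit_all: run both checks; return 1 if any item is non-compliant
audit_all() {
    all_rc=0
    audit_syncookies || all_rc=1
    audit_source_route || all_rc=1
    return $all_rc
}

audit_all && echo "Baseline audit passed" || echo "Baseline audit failed"
```

Run it as root on the host to audit the running kernel; point PROC_SYS at a copied or constructed tree to audit offline. The per-interface loop matters because the kernel applies accept_source_route per interface in combination with the "all" setting, so a report that shows only net.ipv4.conf.all would hide an interface left at 1.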

The following script remediates both baseline items in /etc/sysctl.conf and reloads the file:

#!/bin/sh
# Run as root. Each key is persisted as "key=value" in /etc/sysctl.conf. An
# existing line is matched whatever the spacing around "=", and commented-out
# lines are ignored, so a leftover "# net.ipv4.tcp_syncookies = 0" does not
# count as the key being configured.
SYSCTL_CONF=/etc/sysctl.conf

# set_sysctl_key KEY VALUE: shared helper used by both functions below
set_sysctl_key() {
    key="$1"; value="$2"
    # Escape the dots so they match literally in the patterns below
    pattern=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -Eq "^[[:space:]]*${pattern}[[:space:]]*=" "$SYSCTL_CONF"; then
        if grep -Eq "^[[:space:]]*${pattern}[[:space:]]*=[[:space:]]*${value}[[:space:]]*$" "$SYSCTL_CONF"; then
            echo "$key is already configured as $value"
        else
            sed -i "s/^[[:space:]]*${pattern}[[:space:]]*=.*/${key}=${value}/" "$SYSCTL_CONF"
            echo "Updated $key to $value"
        fi
    else
        echo "${key}=${value}" >> "$SYSCTL_CONF"
        echo "Added ${key}=${value} to $SYSCTL_CONF"
    fi
}

# Function 1: Check and modify the net.ipv4.conf.all.accept_source_route configuration
update_accept_source_route() {
    set_sysctl_key net.ipv4.conf.all.accept_source_route 0
}

# Function 2: Check and modify the net.ipv4.tcp_syncookies configuration
update_tcp_syncookies() {
    set_sysctl_key net.ipv4.tcp_syncookies 1
}

# Call function 1
update_accept_source_route
# Call function 2
update_tcp_syncookies
# Apply configuration changes. "sysctl -p" reloads only /etc/sysctl.conf; use
# "sysctl --system" if the host also carries drop-in files under /etc/sysctl.d/
sysctl -p

Complete List

# Disable packet forwarding
net.ipv4.ip_forward = 0
# Enable source route verification (reverse path filtering)
net.ipv4.conf.default.rp_filter = 1
# Disable all IP source routing
net.ipv4.conf.default.accept_source_route = 0
# The SysRq key combination is used to inspect the current system state from the console; for security, set to 0 to disable it
kernel.sysrq = 0
# Controls whether the pid is appended to core file names
kernel.core_uses_pid = 1
# Enable SYN cookies; when the SYN wait queue overflows, use cookies to handle requests
net.ipv4.tcp_syncookies = 1
# Size limit for each message queue (unit: bytes)
kernel.msgmnb = 65536
# Maximum size of a single message (unit: bytes)
kernel.msgmax = 65536
# Size limit for a single shared memory segment (unit: bytes), calculation: 64G * 1024 * 1024 * 1024 (bytes)
kernel.shmmax = 68719476736
# Total shared memory size (unit: pages, 1 page = 4KB), calculation: 16T * 1024 * 1024 * 1024 * 1024 / 4KB (pages)
kernel.shmall = 4294967296
# Maximum number of timewait sockets, default is 180000
net.ipv4.tcp_max_tw_buckets = 6000
# Enable selective acknowledgments
net.ipv4.tcp_sack = 1
# Support larger TCP windows. If the maximum TCP window exceeds 65535 (64K), this value must be set to 1
net.ipv4.tcp_window_scaling = 1
# TCP read buffer (min, default, max in bytes)
net.ipv4.tcp_rmem = 4096 131072 1048576
# TCP write buffer (min, default, max in bytes)
net.ipv4.tcp_wmem = 4096 131072 1048576
# Default size of memory reserved for send buffers for TCP sockets (unit: bytes)
net.core.wmem_default = 8388608
# Maximum size of memory reserved for send buffers for TCP sockets (unit: bytes)
net.core.wmem_max = 16777216
# Default size of memory reserved for receive buffers for TCP sockets (unit: bytes)
net.core.rmem_default = 8388608
# Maximum size of memory reserved for receive buffers for TCP sockets (unit: bytes)
net.core.rmem_max = 16777216
# Maximum number of packets allowed in the queue when the network interface receives packets faster than the kernel can process them
net.core.netdev_max_backlog = 262144
# The backlog passed to listen() is capped by net.core.somaxconn, which defaults to 128, while the NGX_LISTEN_BACKLOG that nginx uses by default is 511, so this value has to be raised for web applications
net.core.somaxconn = 262144
# Maximum number of TCP sockets in the system that are not associated with any user file handle. This limit only prevents simple DoS attacks; do not rely on it or artificially reduce it, it is better to increase it (if you have added more memory)
net.ipv4.tcp_max_orphans = 3276800
# Maximum number of connection requests that have not yet received client acknowledgment. For a system with 128MB of memory, the default value is 1024; for low-memory systems it is 128
net.ipv4.tcp_max_syn_backlog = 262144
# TCP timestamps protect against sequence number wrap-around: a 1Gbps link will certainly reuse sequence numbers, and timestamps let the kernel accept these "abnormal" packets. This list turns them off
net.ipv4.tcp_timestamps = 0
# When accepting a connection, the kernel must answer the remote SYN with a SYN+ACK (the second step of the three-way handshake). This setting determines how many SYN+ACK packets the kernel sends before abandoning the connection
net.ipv4.tcp_synack_retries = 1
# Number of SYN packets sent before the kernel abandons establishing a connection
net.ipv4.tcp_syn_retries = 1
# Enable fast recycling of time_wait sockets for TCP connections. Caveat: this key was removed in Linux 4.12, and on older kernels it breaks clients behind NAT when timestamps are in use, so leave it out on current systems
net.ipv4.tcp_tw_recycle = 1
# Enable TCP connection reuse, allowing time_wait sockets to be reused for new outgoing TCP connections
net.ipv4.tcp_tw_reuse = 1
# 1st: below this value TCP has no memory pressure, 2nd: memory pressure stage begins, 3rd: TCP rejects socket allocation (unit: memory pages)
net.ipv4.tcp_mem = 94500000 915000000 927000000
# If the socket is closed by the local end, this parameter determines how long it remains in the FIN-WAIT-2 state. The remote end can misbehave and never close the connection, or even crash unexpectedly. The default value is 60 seconds. The common value for 2.2 kernels is 180 seconds, which you can use, but remember that even on a lightly loaded web server there is a risk of memory exhaustion from a large number of dead sockets. FIN-WAIT-2 is less dangerous than FIN-WAIT-1 because it can only consume up to 1.5K of memory, but such sockets live longer.
net.ipv4.tcp_fin_timeout = 15
# Specifies the frequency (in seconds) at which TCP sends keepalive messages when keepalive is enabled
net.ipv4.tcp_keepalive_time = 30
# Port range for outgoing connections
net.ipv4.ip_local_port_range = 2048 65000
# Maximum number of file handles
fs.file-max = 102400

Prevent amplification attacks

net.ipv4.icmp_echo_ignore_broadcasts = 1

Enable protection against malicious ICMP error messages

net.ipv4.icmp_ignore_bogus_error_responses = 1

Enable SYN flood attack protection

net.ipv4.tcp_syncookies = 1

Enable logging of spoofed, source-routed, and redirected packets

net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

Reject source-routed packets

net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

Enable reverse path filtering

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

Ignore ICMP redirects so that no remote host can modify the routing table

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

Do not act as a router

net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

Enable execshield and ASLR (kernel.exec-shield exists only on older Red Hat kernels and is rejected as an unknown key elsewhere; randomize_va_space=2, the modern default, also randomizes the heap)

kernel.exec-shield = 1
kernel.randomize_va_space = 1

IPv6 settings

net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1

Optimize ports for LB use

Increase system file descriptor limit

fs.file-max = 65535

Allow more PIDs (reduces wrap-around issues); may break some programs, default is 32768

kernel.pid_max = 65536

Increase system IP port limit

net.ipv4.ip_local_port_range = 2000 65000

Increase maximum TCP buffer size

net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608

Increase the Linux autotuning TCP buffer limits (minimum, default and maximum number of bytes that can be used; the maximum should not be lower than 4MB, and can be set higher on very high BDP paths) and TCP window settings

net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
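
The lists above persist values in /etc/sysctl.conf, and several keys appear more than once with different values (fs.file-max, net.ipv4.ip_local_port_range, the rmem/wmem sizes); when such lines end up in one file, the last occurrence is the one sysctl applies. The script below is an added example, not from the original page: it parses a sysctl.conf-style file the way sysctl reads it (lines beginning with # or ; are comments, spacing around = is ignored, the last duplicate wins), compares the effective values against a constructed subset of the baseline, and flags keys from the list that current kernels no longer accept (net.ipv4.tcp_tw_recycle, kernel.exec-shield). The baseline table and the sample file are constructed inline; nothing touches the real /etc.

```shell
#!/bin/sh
# Added example: audit a sysctl.conf-style file against a baseline. Both the
# BASELINE table (a subset of the page's list) and the sample file are
# constructed here; nothing is read from or written to the real /etc.

# Baseline: key and required value, one pair per line
BASELINE='
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.ip_forward 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.log_martians 1
'

# Keys from the page's list that current kernels no longer have; "sysctl -p"
# reports an error for them, so they should be removed rather than set
OBSOLETE='net.ipv4.tcp_tw_recycle kernel.exec-shield'

# effective_value FILE KEY: print the value sysctl would apply for KEY
# (last uncommented occurrence wins), or nothing if the key is absent
effective_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                 # comment lines, as in sysctl.conf(5)
        {
            eq = index($0, "=")
            if (eq == 0) next                  # not a key=value line
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)    # tolerate spacing around "="
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) last = v             # later lines override earlier ones
        }
        END { print last }' "$1"
}

# audit_file FILE: print one line per baseline key, plus one per obsolete key present
audit_file() {
    echo "$BASELINE" | while read -r key want; do
        [ -n "$key" ] || continue
        got=$(effective_value "$1" "$key")
        if [ -z "$got" ]; then
            echo "MISSING       $key (want $want)"
        elif [ "$got" != "$want" ]; then
            echo "NON-COMPLIANT $key=$got (want $want)"
        else
            echo "COMPLIANT     $key=$got"
        fi
    done
    for key in $OBSOLETE; do
        got=$(effective_value "$1" "$key")
        if [ -n "$got" ]; then
            echo "OBSOLETE      $key=$got (remove: the kernel no longer has this key)"
        fi
    done
}

# audit_ok FILE: return 0 only when audit_file reports no findings
audit_ok() {
    [ "$(audit_file "$1" | grep -vc '^COMPLIANT')" -eq 0 ]
}

# make_sample_conf FILE: write a constructed fragment that exercises the edge
# cases: mixed spacing, a commented-out key, a duplicated key, an obsolete key
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's /etc/sysctl.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route =   0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.ip_forward = 0
net.ipv4.ip_forward = 1
; net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_tw_recycle = 1
EOF
}

SAMPLE=$(mktemp)
make_sample_conf "$SAMPLE"
audit_file "$SAMPLE"
rm -f "$SAMPLE"
```

On the constructed sample the audit reports net.ipv4.ip_forward as non-compliant (the second, later line wins), net.ipv4.icmp_echo_ignore_broadcasts as missing (the line is commented out), and net.ipv4.tcp_tw_recycle as obsolete; to audit a real host, pass the path of /etc/sysctl.conf or of a drop-in under /etc/sysctl.d/ to audit_file.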


This is a discussion topic separated from the original thread at https://juejin.cn/post/7368469208647909395