Securing and Hardening the CentOS 7 Kernel With Sysctl

Last Updated: Thu, Dec 28, 2017
CentOS Linux Guides

Introduction

sysctl reads and writes the kernel parameters exposed under /proc/sys, so the running kernel can be tuned without rebuilding it. A value written with sysctl takes effect immediately and no reboot is needed; it is lost at the next boot, though, unless it is also recorded in a configuration file, which is what the second half of this tutorial does. This tutorial gives a brief introduction to sysctl and then uses it to harden and tune specific parts of the Linux kernel on CentOS 7.

Commands

To start using sysctl, review the parameters and examples listed below.

Parameters

-a: Display every key currently available, together with its value.

-A: Alias of -a. Older documentation describes it as a tabular form; in the procps-ng version shipped with CentOS 7 it is simply an alias.

-e: Ignore errors about unknown keys, which is useful when one configuration file is shared by kernels that do not all expose the same keys.

-p: Load settings from the given file, or from /etc/sysctl.conf when no file is named. Note that -p reads only that one file; sysctl --system also reads the /usr/lib/sysctl.d/, /run/sysctl.d/ and /etc/sysctl.d/ drop-in directories, in the same order systemd uses at boot.

-n: Print only the values, without the key names.

-w: Write a new value (key=value) to the running kernel. This changes the live kernel only; it does not update any configuration file.

Examples

$ sysctl -a

$ sysctl -n fs.file-max

$ sysctl -w fs.file-max=2097152

$ sysctl -p

The first command prints every key the running kernel exposes, with its current value; it does this whether or not /etc/sysctl.conf contains anything, because it reads the live kernel rather than the file. The second command prints the current value of fs.file-max, the third sets it to 2097152 in the running kernel, and the fourth re-applies /etc/sysctl.conf. Writing values and loading files require root, so run those two with sudo or from a root shell; reading works as any user.

If you are looking for additional help, see man sysctl.

Securing and Hardening the Kernel

To make the changes permanent they must be written to a configuration file that is re-applied at every boot. This guide uses the file CentOS provides by default, /etc/sysctl.conf; the file's own header (shown below) describes the alternative of a drop-in file under /etc/sysctl.d/.

Open the file with your favorite editor.

By default, you should see something similar to this.

# sysctl settings are defined through files in

# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.

#

# Vendors settings live in /usr/lib/sysctl.d/.

# To override a whole file, create a new file with the same name in

# /etc/sysctl.d/ and put new settings there. To override

# only specific settings, add a file with a lexically later

# name in /etc/sysctl.d/ and put new settings there.

#

# For more information, see sysctl.conf(5) and sysctl.d(5).

Let's start with memory management.

The goal is to make the kernel less eager to swap, raise the system-wide limit on open file handles, and stop setuid programs from writing core dumps. A few notes on what the keys actually do: vm.swappiness = 20 lowers the kernel's preference for swapping out anonymous memory rather than dropping page cache (the default is 60). vm.dirty_ratio and vm.dirty_background_ratio govern page-cache writeback, not swap: once 5 % of memory is dirty the kernel starts writing it back in the background, and a process that dirties memory is only throttled once 80 % of memory is dirty. That 80 % is generous; it buys write throughput at the cost of more unwritten data being lost if the machine crashes, so lower it on hosts where that matters. fs.file-max is the system-wide maximum number of open file handles; it has no effect on the inode cache. fs.suid_dumpable = 0 is the security-relevant key: a process that has changed credentials (setuid, or otherwise privileged) will not produce a core dump, so the secrets in its memory cannot end up in a readable file on disk.

# Reduce the kernel's preference for swapping and tune page-cache writeback

vm.swappiness = 20

vm.dirty_ratio = 80

vm.dirty_background_ratio = 5



# Raise the system-wide open file handle limit and forbid core dumps from setuid processes

fs.file-max = 2097152

fs.suid_dumpable = 0

Next, let's tune network performance.

We are going to raise the cap on the listen backlog for incoming connections and the backlog of received packets waiting to be processed, raise the per-socket limit on ancillary (option) memory, and raise the default and maximum socket send and receive buffers. Two points worth knowing: net.core.somaxconn only caps the backlog an application asks for in listen(), so the application's own backlog setting still has to be raised; and net.core.rmem_default / wmem_default are the initial buffer sizes for every non-TCP socket (TCP sizes its buffers from net.ipv4.tcp_rmem and net.ipv4.tcp_wmem, which this guide leaves alone), while rmem_max / wmem_max cap what any socket may request with SO_RCVBUF / SO_SNDBUF. A 30 MB default is a lot of memory per socket on a host with many UDP sockets.

# Change the amount of incoming connections and incoming connections backlog

net.core.somaxconn = 65535

net.core.netdev_max_backlog = 262144



# Increase the maximum amount of memory buffers

net.core.optmem_max = 25165824



# Increase the default and maximum send/receive buffers

net.core.rmem_default = 31457280

net.core.rmem_max = 67108864

net.core.wmem_default = 31457280

net.core.wmem_max = 67108864

Finally, we are going to improve general network security.

We are going to enable TCP SYN cookies, so that a SYN flood that fills the SYN backlog does not stop new connections from being accepted; enable reverse-path filtering, which drops packets whose source address is not reachable through the interface they arrived on (a common signature of spoofed traffic); ignore ICMP echo requests, including those sent to broadcast addresses, so the host cannot be used as a Smurf amplifier; log packets with impossible (martian) source addresses; and disable both acceptance of source-routed packets and acceptance of ICMP redirects, each of which lets a remote party steer the host's traffic. Three caveats. First, icmp_echo_ignore_all also makes the host stop answering ping, which breaks ping-based monitoring and some provider health checks; icmp_echo_ignore_broadcasts alone addresses the amplification risk, so drop the first key if you need ping. Second, strict rp_filter (1) drops legitimate traffic on hosts with asymmetric routing; loose mode (2) is the alternative there. Third, the keys below set only the net.ipv4.conf.all.* tree. The kernel combines the all value with each interface's own value, and the rule differs per key: rp_filter uses the larger of the two and log_martians either one, so all is enough for those; accept_source_route needs both all and the interface to be 1 before source-routed packets are accepted, so all = 0 is enough; but accept_redirects on a host that is not forwarding is enabled if either all or the interface is 1, and the per-interface default for a host is 1. To actually stop ICMP redirects, also set net.ipv4.conf.default.accept_redirects = 0 (new interfaces copy their settings from default) and net.ipv4.conf.<interface>.accept_redirects = 0 for interfaces that already exist. IPv6 has its own tree under net.ipv6.conf, which this guide does not cover.

# Enable TCP SYN cookie protection

net.ipv4.tcp_syncookies = 1



# Enable IP spoofing protection

net.ipv4.conf.all.rp_filter = 1



# Ignore ICMP echo requests, including those sent to broadcast addresses

net.ipv4.icmp_echo_ignore_all = 1

net.ipv4.icmp_echo_ignore_broadcasts = 1



# Log packets with impossible (martian) source addresses

net.ipv4.conf.all.log_martians = 1



# Disable IP source routing

net.ipv4.conf.all.accept_source_route = 0



# Disable ICMP redirect acceptance

net.ipv4.conf.all.accept_redirects = 0

Save and close the file, then apply it as root with sysctl -p. The values take effect immediately and are re-applied by systemd-sysctl at every boot. If sysctl -p reports an unknown key, the running kernel does not expose it; -e suppresses that error.
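The keys in the network-security block set only net.ipv4.conf.all.*, and the kernel combines that entry with each interface's own entry before deciding what to do with a packet. The following script is an added example and not part of the original article: it reads the all and per-interface entries for one interface under /proc/sys/net/ipv4/conf and computes the value the kernel actually uses, following the combination rules documented in the kernel's Documentation/networking/ip-sysctl.txt. The interface name eth0, the function names and the choice to treat a missing entry as 0 are assumptions of the example.

```shell
#!/bin/sh
# Added example (not part of the original article): compute the value the
# kernel actually uses for four IPv4 per-interface sysctls by combining the
# net.ipv4.conf.all entry with the interface's own entry, following the rules
# in the kernel's Documentation/networking/ip-sysctl.txt:
#   rp_filter           -> the numerically larger of all and iface
#   log_martians        -> all OR iface
#   accept_source_route -> all AND iface
#   accept_redirects    -> all AND iface if the interface forwards,
#                          all OR iface if it does not
# The interface name, the function names and the choice to treat a missing
# entry as 0 are this example's assumptions.

# read_conf BASE IFACE KEY -> prints BASE/IFACE/KEY, or 0 when it is absent
read_conf() {
    if [ -r "$1/$2/$3" ]; then cat "$1/$2/$3"; else echo 0; fi
}

# effective_value BASE IFACE KEY -> prints the combined value
effective_value() {
    base=$1; iface=$2; key=$3
    a=$(read_conf "$base" all "$key")
    i=$(read_conf "$base" "$iface" "$key")
    case $key in
        rp_filter)                      # max(): 2 (loose) > 1 (strict) > 0 (off)
            if [ "$a" -gt "$i" ]; then echo "$a"; else echo "$i"; fi ;;
        log_martians)                   # either side enables logging
            if [ "$a" -ne 0 ] || [ "$i" -ne 0 ]; then echo 1; else echo 0; fi ;;
        accept_source_route)            # both sides must allow it
            if [ "$a" -ne 0 ] && [ "$i" -ne 0 ]; then echo 1; else echo 0; fi ;;
        accept_redirects)               # rule depends on forwarding for the interface
            fwd=$(read_conf "$base" "$iface" forwarding)
            if [ "$fwd" -ne 0 ]; then
                if [ "$a" -ne 0 ] && [ "$i" -ne 0 ]; then echo 1; else echo 0; fi
            else
                if [ "$a" -ne 0 ] || [ "$i" -ne 0 ]; then echo 1; else echo 0; fi
            fi ;;
        *)
            echo "unsupported key: $key" >&2; return 2 ;;
    esac
}

# report_iface BASE IFACE -> one line per key with all, iface and effective values
report_iface() {
    for key in rp_filter log_martians accept_source_route accept_redirects; do
        printf '%-20s all=%s %s=%s effective=%s\n' "$key" \
            "$(read_conf "$1" all "$key")" "$2" \
            "$(read_conf "$1" "$2" "$key")" \
            "$(effective_value "$1" "$2" "$key")"
    done
}

# Usage: ./effective.sh eth0            (reads the live /proc/sys tree)
#        ./effective.sh eth0 /some/copy (reads a copied or constructed tree)
if [ -n "${1-}" ]; then
    report_iface "${2:-/proc/sys/net/ipv4/conf}" "$1"
fi
```

Run it as ./effective.sh eth0 after sysctl -p. On a host that does not forward, an eth0 line reading accept_redirects all=0 eth0=1 effective=1 means the setting in the file did not take effect for that interface, and the default and per-interface keys need setting too.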

Conclusion

In the end, your file should look similar to this.

# sysctl settings are defined through files in

# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.

#

# Vendors settings live in /usr/lib/sysctl.d/.

# To override a whole file, create a new file with the same name in

# /etc/sysctl.d/ and put new settings there. To override

# only specific settings, add a file with a lexically later

# name in /etc/sysctl.d/ and put new settings there.

#

# For more information, see sysctl.conf(5) and sysctl.d(5).



# Reduce the kernel's preference for swapping and tune page-cache writeback

vm.swappiness = 20

vm.dirty_ratio = 80

vm.dirty_background_ratio = 5



# Raise the system-wide open file handle limit and forbid core dumps from setuid processes

fs.file-max = 2097152

fs.suid_dumpable = 0



# Change the amount of incoming connections and incoming connections backlog

net.core.somaxconn = 65535

net.core.netdev_max_backlog = 262144



# Increase the maximum amount of memory buffers

net.core.optmem_max = 25165824



# Increase the default and maximum send/receive buffers

net.core.rmem_default = 31457280

net.core.rmem_max = 67108864

net.core.wmem_default = 31457280

net.core.wmem_max = 67108864



# Enable TCP SYN cookie protection

net.ipv4.tcp_syncookies = 1



# Enable IP spoofing protection

net.ipv4.conf.all.rp_filter = 1



# Ignore ICMP echo requests, including those sent to broadcast addresses

net.ipv4.icmp_echo_ignore_all = 1

net.ipv4.icmp_echo_ignore_broadcasts = 1



# Log packets with impossible (martian) source addresses

net.ipv4.conf.all.log_martians = 1



# Disable IP source routing

net.ipv4.conf.all.accept_source_route = 0



# Disable ICMP redirect acceptance

net.ipv4.conf.all.accept_redirects = 0
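To check that a finished file, or saved output of sysctl -a (which uses the same key = value format), actually carries the hardening values, here is an added example script that is not part of the original article. It compares the last value given for each key against a list of expected pairs, mirroring sysctl's own last-line-wins behaviour, and prints each key that is missing or wrong. The key list, the function names and the sample input in the usage note are the example's own; net.ipv4.conf.default.accept_redirects is on the list because the kernel also honours the per-interface value for ICMP redirects, so the all entry alone does not disable them on a host that is not forwarding.

```shell
#!/bin/sh
# Added example (not part of the original article): audit a sysctl.conf-style
# file, or saved output of `sysctl -a`, against a list of expected values.
# Both formats are "key = value" lines with '#' or ';' comments, and sysctl
# applies them top to bottom so the last line for a key wins; the parser
# below does the same. The key list and function names are this example's own.

# Keys from the guide's network-security block plus fs.suid_dumpable.
# net.ipv4.conf.default.accept_redirects is included because the kernel also
# honours the per-interface value for ICMP redirects, so the "all" entry
# alone does not disable them on a non-forwarding host.
EXPECTED='
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
fs.suid_dumpable=0
'

# lookup_key FILE KEY -> prints the last value assigned to KEY, or nothing
lookup_key() {
    awk -v k="$2" '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        index($0, "=") {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[1])              # "key = value" -> "key"
            if (kv[1] == k) {
                v = kv[2]
                gsub(/^[ \t]+|[ \t]+$/, "", v)    # trim the value
                seen = 1                          # a later line overwrites v
            }
        }
        END { if (seen) print v }' "$1"
}

# audit_sysctl FILE -> prints one line per deviation, returns their count
audit_sysctl() {
    file=$1
    bad=0
    for pair in $EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(lookup_key "$file" "$key")
        if [ -z "$got" ]; then
            echo "MISSING $key (want $want)"
            bad=$((bad + 1))
        elif [ "$got" != "$want" ]; then
            echo "WRONG   $key got=$got want=$want"
            bad=$((bad + 1))
        fi
    done
    if [ "$bad" -eq 0 ]; then
        echo "OK: all expected keys present with the expected values"
    fi
    return "$bad"
}

# Usage: ./audit.sh /etc/sysctl.conf
#        sysctl -a > /tmp/live.txt && ./audit.sh /tmp/live.txt
if [ -n "${1-}" ]; then
    audit_sysctl "$1"
fi
```

Running it first against /etc/sysctl.conf and then against the output of sysctl -a separates two failure modes: a key missing from the file, and a key that is in the file but was not applied (a typo the kernel rejected, or a drop-in under /etc/sysctl.d/ that overrode it).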
