sysctl is a Linux command that acts as an interface for reading and changing kernel parameters at run time. With it you can modify kernel parameters without recompiling the kernel or rebooting the machine. The tunable parameters are exposed as files under the /proc/sys directory, so procfs (the pseudo file system through which the kernel exposes its state) must be mounted for sysctl to work. Any user can read most parameters; writing them requires root privileges. Note that net.* keys are per network namespace, so a value written inside a container applies only to that container's network stack.
Kernel parameter modification
Kernel parameters can be modified temporarily or permanently.
Temporary modification of Kernel Parameters
a. Using the 'sysctl' command
1. Read the current kernel parameters with 'sysctl -a', or a single key with 'sysctl net.ipv4.icmp_echo_ignore_all'.
2. Use the '-w' switch to write a value to a variable:
sysctl -w net.ipv4.icmp_echo_ignore_all=1
This tells the kernel to ignore ICMP echo requests (ping). For this key, '0' means off (echo requests are answered) and '1' means on (they are ignored). The change takes effect immediately but is lost on reboot.
b. Writing directly to procfs
Each sysctl key corresponds to a file under /proc/sys (the dots in the key become directory separators), and writing to that file has exactly the same effect as 'sysctl -w':
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
The above command also makes the host ignore ICMP echo requests, and it is just as temporary: the value does not survive a reboot.
Permanent modification of Kernel Parameters
a. Modifying the configuration file /etc/sysctl.conf
This is the recommended way of altering kernel parameters, because the file is applied at every boot. To ignore ICMP echo requests permanently, add the following line to /etc/sysctl.conf (on systemd-based distributions a drop-in file such as /etc/sysctl.d/99-local.conf is read the same way):
net.ipv4.icmp_echo_ignore_all = 1
After modifying the configuration file, run the following command to load the settings from /etc/sysctl.conf without rebooting:
sysctl -p
Use 'sysctl --system' instead to load /etc/sysctl.conf together with the drop-in directories such as /etc/sysctl.d, which is what the boot-time service applies. sysctl prints an error for any key the running kernel does not know, so check its output rather than assuming every line was applied.
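As an added example (not part of the original article), the following POSIX shell helpers check a sysctl.conf-style baseline against the values the kernel actually exposes in /proc/sys. This is the step a practitioner wants after editing the file: it reports keys the running kernel does not know and values that have drifted from the baseline. The function names and the SYSCTL_ROOT override (which lets the same functions run against a constructed directory tree instead of the live kernel) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the article: audit a sysctl.conf-style baseline
# against the values currently exposed under /proc/sys.
# SYSCTL_ROOT is an assumed override so the functions can be exercised
# against a constructed directory tree instead of the live kernel.
: "${SYSCTL_ROOT:=/proc/sys}"

# Map a sysctl key to its procfs file.  Dotted keys become slash-separated.
# A key already written in sysctl(8)'s slash form (which avoids the
# ambiguity for interface names containing a dot, e.g.
# net/ipv4/conf/eth0.100/rp_filter) is used as-is.
sysctl_key_to_path() {
    case $1 in
        */*) printf '%s/%s\n' "$SYSCTL_ROOT" "$1" ;;
        *)   printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)" ;;
    esac
}

# Current value of one key, or "<missing>" when the running kernel does not
# expose it (e.g. kernel.exec-shield on a kernel without that patch).
sysctl_get() {
    p=$(sysctl_key_to_path "$1")
    if [ -f "$p" ] && [ -r "$p" ]; then cat "$p"; else printf '<missing>\n'; fi
}

# Squeeze runs of whitespace to one space: /proc/sys returns multi-value
# keys tab-separated (e.g. ip_local_port_range) while sysctl.conf uses spaces.
norm_ws() { printf '%s' "$1" | tr -s '[:space:]' ' '; }

# Read a baseline on stdin and print OK / MISMATCH / MISSING per setting.
# Blank lines and lines starting with # or ; are ignored and whitespace
# around key and value is stripped, following sysctl.conf(5).
# Returns 1 if any setting is not OK.
sysctl_audit() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}                 # trim leading space
        case $line in ''|'#'*|';'*) continue ;; esac           # comment / blank
        case $line in *=*) ;; *) printf 'SKIP     %s\n' "$line"; continue ;; esac
        key=${line%%=*};  key=${key%"${key##*[![:space:]]}"}   # trim trailing space
        if [ -z "$key" ]; then printf 'SKIP     %s\n' "$line"; continue; fi
        want=${line#*=};  want=${want#"${want%%[![:space:]]*}"}
        want=$(norm_ws "${want%"${want##*[![:space:]]}"}")
        have=$(sysctl_get "$key")
        if [ "$have" = '<missing>' ]; then
            printf 'MISSING  %s (wanted %s)\n' "$key" "$want"; rc=1
        elif [ "$(norm_ws "$have")" = "$want" ]; then
            printf 'OK       %s = %s\n' "$key" "$want"
        else
            printf 'MISMATCH %s = %s (wanted %s)\n' "$key" "$(norm_ws "$have")" "$want"; rc=1
        fi
    done
    return $rc
}

# Usage on a live system (reading /proc/sys does not need root):
#   sysctl_audit < /etc/sysctl.d/99-hardening.conf
```

Run it after 'sysctl -p' (or from a cron job or configuration-management check) and treat any MISMATCH as a sign that something else, such as a later drop-in file or a service writing to /proc/sys, is overriding your baseline; a MISSING key means the line is dead weight on this kernel and should be removed from the file.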
Security and Performance tuning using sysctl
1. Control IP packet forwarding
IP packet forwarding needs to be enabled only on hosts that act as routers, gateways or firewalls (including hosts that route traffic for their virtual machines or containers). On every other server it should be disabled, so the machine cannot be used to relay traffic between the networks it is attached to. The IPv6 equivalent is net.ipv6.conf.all.forwarding, which should be set to 0 on the same hosts.
net.ipv4.ip_forward = 0
2. Source address verification (reverse path filtering)
With rp_filter enabled the kernel drops an incoming packet if a reply to its source address would not be routed back out through the interface the packet arrived on. This sanity check discards many spoofed-source packets before they reach the rest of the IP stack. Value 1 is strict mode; on hosts with asymmetric routing (multi-homed systems, policy routing) it can drop legitimate traffic, in which case 2 (loose mode: the source only has to be reachable via some interface) is the safer choice. Set net.ipv4.conf.default.rp_filter to the same value so interfaces created later inherit it.
net.ipv4.conf.all.rp_filter = 1
3. Enable ExecShield protection
ExecShield was a Red Hat kernel patch that emulated a non-executable stack and heap on x86 CPUs without hardware NX support, so that code injected by a buffer-overflow exploit or worm could not be executed. The kernel.exec-shield key exists only on kernels carrying that patch (older RHEL, CentOS and Fedora releases); on a mainline kernel sysctl reports it as an unknown key and the line should be left out, since hardware NX (enforced by every 64-bit kernel) and address space layout randomisation (ASLR) cover the same ground. kernel.randomize_va_space controls ASLR: 0 disables it, 1 randomises the stack, mmap base, VDSO and shared-library addresses, and 2 additionally randomises the heap (brk). Current kernels default to 2, and that is the value to keep; setting 1, as older guides do, weakens the default. Add the following lines to /etc/sysctl.conf:
kernel.exec-shield = 1
kernel.randomize_va_space = 2
4. SYN flood protection
In a SYN flood the attacker sends a stream of TCP SYN packets, usually from spoofed source addresses, and never completes the three-way handshake. For each SYN the server allocates a half-open connection entry and replies with SYN+ACK, then waits for the ACK that would complete the handshake. That ACK never arrives, so the SYN backlog queue fills up and new connection requests from legitimate clients to the flooded service (http, mail, etc.) are dropped. SYN cookies defend against this: once the backlog is full the kernel encodes the connection state in the SYN+ACK sequence number instead of storing it, and reconstructs the state from the client's final ACK, so legitimate clients still get through. Enable them in sysctl.conf:
net.ipv4.tcp_syncookies = 1
Cookies are only used after the backlog overflows; raising net.ipv4.tcp_max_syn_backlog and lowering net.ipv4.tcp_synack_retries (so half-open entries expire sooner) make the queue harder to exhaust in the first place.
5. Preventing Smurf attacks
A smurf attack abuses IP broadcast addressing to create a denial of service. The attacker sends ICMP echo requests (pings) to the broadcast address of a network, so every host on that network receives them, with the source address spoofed to the victim's address. Every host that answers sends its echo reply to the victim, so each packet the attacker sends is amplified into as many replies as there are responding hosts; enough of them flood the victim's link and make it unusable for real traffic.
The host-side defence is to refuse to answer echo requests sent to broadcast or multicast addresses, so the machine cannot be used as an amplifier. This protects other people's networks from your hosts; it does not protect you as the victim, which needs filtering upstream. Current kernels already default to 1, but set it explicitly:
net.ipv4.icmp_echo_ignore_broadcasts = 1
6. Log all Martian packets
A Martian packet is an IP packet whose source or destination address is reserved for special use by the Internet Assigned Numbers Authority (IANA), such as loopback, unspecified or broadcast ranges, or is impossible on the interface it arrived on, so it cannot actually originate as claimed or be delivered.
Martian packets commonly arise from IP address spoofing in denial-of-service attacks, and occasionally from misconfigured routers or hosts. Logging them records the spoofed address and the receiving interface in the kernel log. The kernel rate-limits these messages, but on a busy link they can still crowd the log, so watch log volume after enabling this. Set net.ipv4.conf.default.log_martians as well so newly created interfaces log too.
net.ipv4.conf.all.log_martians = 1
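As an added example (not part of the original article), here is a small POSIX shell/awk function that summarises the lines log_martians produces, run over a few constructed syslog lines. The sample lines, the hostname and the function names are made up for this example; the message format follows what the kernel's IPv4 routing code prints, where, confusingly, 'martian source D from S' names the destination D first and the offending source S second, so S is what the summary keys on.

```shell
#!/bin/sh
# Added example, not from the article: summarise "martian source" and
# "martian destination" kernel log lines by offending source address,
# receiving interface and kind, most frequent first.

# Reads log lines on stdin (syslog or dmesg format; anything before the
# word "martian" is ignored) and prints: <count> <src> <dev> <kind>.
# The kernel prints "martian source D from S, on dev X" and
# "martian destination D from S, dev X"; S is the address that failed the
# check, and the interface is always the last field, so both forms parse
# the same way.  The "ll header:" hex-dump lines that follow each message
# (useful for finding the sending MAC address) are not matched.
martian_summary() {
    awk '
        /martian (source|destination) / {
            n = split(substr($0, index($0, "martian ")), f, " ")
            kind = f[2]; src = f[5]; sub(/,$/, "", src); dev = f[n]
            hits[src " " dev " " kind]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log (not captured from a real system) for a dry run.
martian_summary_demo() {
    martian_summary <<'EOF'
Mar  3 10:14:51 web1 kernel: IPv4: martian source 203.0.113.10 from 10.0.0.5, on dev eth0
Mar  3 10:14:51 web1 kernel: ll header: 00000000: 52 54 00 12 34 56 52 54 00 ab cd ef 08 00
Mar  3 10:14:52 web1 kernel: IPv4: martian source 203.0.113.10 from 10.0.0.5, on dev eth0
Mar  3 10:14:53 web1 kernel: IPv4: martian source 203.0.113.10 from 127.0.0.1, on dev eth0
Mar  3 10:14:54 web1 kernel: IPv4: martian destination 127.0.0.1 from 192.0.2.9, dev eth1
EOF
}

# Live usage, e.g.:  journalctl -k | martian_summary
#             or:    martian_summary < /var/log/kern.log
```

A private address such as 10.0.0.5 arriving on an Internet-facing interface points at spoofing or a leaky upstream filter; 127.0.0.1 as a source on a physical interface is never legitimate. Pair the count with the MAC address in the following 'll header' line to locate the switch port the traffic is entering on.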