Sysctl is a powerful Linux command which acts as an interface to dynamically change the kernel parameters. With the help of this command, you can modify the kernel parameters without recompiling the kernel or rebooting the machine. The parameters available for modification can be found under /proc/sys directory. So, procfs (file system simulation to be able to communicate with the kernel via the file system) is mandatory for ‘sysctl’. Only ‘superuser (root)’ can execute this command.
Kernel parameter modification.
Kernel parameters can be modified temporarily or permanently.
Temporary modification of kernel parameters are:
a. Using ‘sysctl’ command.
1. Read the current kernel parameters,
2. Use ‘-w’ switch to write a value to a variable:
sysctl –w net.ipv4.icmp_echo_ignore_all=1
This command will instruct the server to ignore ICMP packets (ping requests). Value ‘0’ represents ‘Off’ and ‘1’ represents ‘on’. These changes are temporary and will get reset on reboot.
Permanent modification to Kernel Parameters.
a. Directly modifying values in procfs.
You can directly modify the files in procfs (/proc/sys directory) to alter the kernel parameter.
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
The above command will disable the ICMP packets.
b. Modifying the configuration file /etc/sysctl.conf.
This is the most recommended way of altering kernel parameters. You need to add the following line to /etc/sysctl.conf for ICMP packet filtering.
net.ipv4.icmp_echo_ignore_all = 1
After modifying the sysctl configuration file, you need to execute the following command to load sysctl settings from the file /etc/sysctl.conf file.
Security and performance tuning using sysctl.
1. Control IP packet forwarding.
IP packet forwarding needs to be enabled only on servers which acts as routers or gateways. In all other servers, this feature needs to be disabled.
net.ipv4.ip_forward = 0
2. Source address verification.
This ‘sanity checking’ helps against spoofing attack.
net.ipv4.conf.all.rp_filter = 1
3. Enable execshield protection.
Execshield is a security Linux kernel patch to avoid worms and other problems. Add the following lines to /etc/sysctl.conf to enable execshield protection.
kernel.exec-shield = 1
kernel.randomize_va_space = 1
4. SYN flood protection.
In this attack, system is flood with a series of SYN packets. Each packets causes system to issue a SYN-ACK responses. Then, system waits for ACK that follows the SYN+ACK (3 way handshake). Since attack never sends back ACK again, the entire system resources get filled aka backlog queue. Once the queue is full system will ignore incoming requests from legitimate users for services (http/mail etc). In order to stop this, you need to enable SYNcookies in sysctl.conf
net.ipv4.tcp_syncookies = 1
5. Preventing smurf attacks.
A smurf attack is an exploitation of the Internet Protocol (IP) broadcast addressing to create a denial of service. The smurf program builds a network packet that appears to originate from another address (this is known as spoofing an IP address). The packet contains an ICMP ping message that is addressed to an IP broadcast address, i.e, all IP addresses in a given network. The echo responses to the ping message is sent back to the "victim" address. Enough pings and resultant echoes can flood the network making it unusable for real traffic.
One way to defeat smurfing is to disable IP broadcast addressing.
net.ipv4.icmp_echo_ignore_broadcasts = 1
6. Log all martian packets.
A martian packet is an IP packet which specifies a source or destination address that is reserved for special-use by Internet Assigned Numbers Authority (IANA) and cannot actually originate as claimed or be delivered.
Martian packets commonly arise from IP address spoofing in denial-of-service attacks,
net.ipv4.conf.all.log_martians = 1