2.2. Host General Security

All of these settings should be placed in your /etc/sysctl.conf file. Once the file is edited, run sysctl -p to enable the settings on a persistent basis.

Required Config Lines

Requirement	Action	Service/Config
Should	Set	`net.ipv4.ip_forward = 0` ^[1]
Should	Set	`net.ipv4.conf.all.send_redirects = 0` ^[2]
Should	Set	`net.ipv4.conf.default.send_redirects = 0` ^[3]
Must	Set	`net.ipv4.conf.all.accept_redirects = 0` ^[4]
Must	Set	`net.ipv4.icmp_echo_ignore_broadcasts = 1` ^[5]
Must	Set	`net.ipv4.icmp_ignore_bogus_error_responses = 1` ^[6]
Must	Set	`net.ipv4.tcp_syncookies = 1` ^[7]
Must	Set	`net.ipv4.conf.all.log_martians = 1` ^[8]
Must	Set	`net.ipv4.conf.default.log_martians = 1` ^[9]
Must	Set	`net.ipv4.conf.all.accept_source_route = 0` ^[10]
Must	Set	`net.ipv4.conf.default.accept_source_route = 0` ^[11]
Must	Set	`net.ipv4.conf.all.rp_filter = 1` ^[12]
Must	Set	`net.ipv4.conf.default.rp_filter = 1` ^[13]
Must	Set	`net.ipv4.conf.default.accept_redirects = 0` ^[14]
Must	Set	`net.ipv4.conf.all.secure_redirects = 0` ^[15]
Must	Set	`net.ipv4.conf.default.secure_redirects = 0` ^[16]

2.2.1. Suggested `/etc/sysctl.conf` config

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# CSI Compliance
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

^[1] Unless this host serves as a network device, do not pass traffic between networks.

^[2] Unless this host serves as a network device, do not act like a network device.

^[3] Unless this host serves as a network device, do not act like a network device.

^[4] Do not permit outsiders to alter routing tables.

^[5] Prevents this host from joining a smurf attack

^[6] Protection from bad ICMP error messages

^[7] Enables syncookies for protection against syn flood attacks

^[8] Log any spoofed, source routed and redirect packets

^[9] Log any spoofed, source routed and redirect packets

^[10] Do not allow source routed packets

^[11] Do not allow source routed packets

^[12] Enable reverse path filtering

^[13] Enable reverse path filtering

^[14] Do not allow outsiders to alter routing tables.

^[15] Do not allow outsiders to alter routing tables.

^[16] Do not allow outsiders to alter routing tables.

2.2. Host General Security

2.2.1. Suggested /etc/sysctl.conf config

2.2.1. Suggested `/etc/sysctl.conf` config