
2.2. Host General Security

All of these settings should be placed in your /etc/sysctl.conf file. Once the file is edited, run sysctl -p to load it into the running kernel immediately; the same file is read again at boot, which is what makes the settings persistent (a value changed only with sysctl -w is lost at the next reboot). For each net.ipv4.conf.* knob, the all.* entry is combined with the per-interface value on interfaces that already exist, while the default.* entry seeds the per-interface value of interfaces created later, so both must be set. These entries cover IPv4 only; the IPv6 stack has its own net.ipv6.conf.* counterparts for the redirect and source-route settings.
Required Config Lines

Complete  Requirement  Action  Service/Config
          Should       Set     net.ipv4.ip_forward = 0 [1]
          Should       Set     net.ipv4.conf.all.send_redirects = 0 [2]
          Should       Set     net.ipv4.conf.default.send_redirects = 0 [3]
          Must         Set     net.ipv4.conf.all.accept_redirects = 0 [4]
          Must         Set     net.ipv4.icmp_echo_ignore_broadcasts = 1 [5]
          Must         Set     net.ipv4.icmp_ignore_bogus_error_responses = 1 [6]
          Must         Set     net.ipv4.tcp_syncookies = 1 [7]
          Must         Set     net.ipv4.conf.all.log_martians = 1 [8]
          Must         Set     net.ipv4.conf.default.log_martians = 1 [9]
          Must         Set     net.ipv4.conf.all.accept_source_route = 0 [10]
          Must         Set     net.ipv4.conf.default.accept_source_route = 0 [11]
          Must         Set     net.ipv4.conf.all.rp_filter = 1 [12]
          Must         Set     net.ipv4.conf.default.rp_filter = 1 [13]
          Must         Set     net.ipv4.conf.default.accept_redirects = 0 [14]
          Must         Set     net.ipv4.conf.all.secure_redirects = 0 [15]
          Must         Set     net.ipv4.conf.default.secure_redirects = 0 [16]
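
Editing sysctl.conf and running sysctl -p does not prove the kernel actually holds the required values (a later sysctl -w, a conflicting file in /etc/sysctl.d, or a distribution default can change them). The script below is an added example for this page, not part of the original document or of Red Hat's tooling: it reads each key in the table with sysctl -n and reports OK, DRIFT or MISSING per key, with a non-zero exit status when anything is off. The SYSCTL_READER variable is an assumption of this example that lets a test or a reviewer substitute another reader for sysctl -n; the fake readers used in its test are constructed, not captured from a real host.

```shell
#!/bin/sh
# audit_sysctl.sh: check the running kernel against the "Required Config
# Lines" table above. Added example for this page, not part of the original
# document. Assumes sysctl(8) is on PATH; SYSCTL_READER (an assumption of
# this example) names an alternative command that prints a key's value.

# The sixteen required entries, copied from the table (footnotes dropped).
REQUIRED='
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
'

# read_sysctl KEY: print the kernel's current value of KEY, or nothing if
# the key cannot be read (sysctl -n reports that on stderr, discarded here).
read_sysctl() {
    if [ -n "${SYSCTL_READER:-}" ]; then
        "$SYSCTL_READER" "$1"
    else
        sysctl -n "$1" 2>/dev/null
    fi
}

# audit_required: print one line per required key, prefixed OK, DRIFT or
# MISSING. DRIFT means the kernel holds a value other than the table's;
# MISSING means the key could not be read at all.
audit_required() {
    printf '%s\n' "$REQUIRED" | sed '/^[[:space:]]*$/d' | while IFS= read -r line; do
        key=$(printf '%s' "${line%%=*}" | tr -d ' ')
        want=$(printf '%s' "${line#*=}" | tr -d ' ')
        have=$(read_sysctl "$key")
        if [ -z "$have" ]; then
            printf 'MISSING %s (want %s)\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf 'DRIFT   %s = %s (want %s)\n' "$key" "$have" "$want"
        else
            printf 'OK      %s = %s\n' "$key" "$have"
        fi
    done
}

# count_noncompliant: number of required keys reported as DRIFT or MISSING.
# "|| true" stops grep's exit status 1 for a zero count from aborting a
# caller that runs under "set -e".
count_noncompliant() {
    audit_required | grep -c -v '^OK' || true
}

# Audit the live kernel only when asked explicitly:
#   sh audit_sysctl.sh --live
# Exit status is 0 when every required key matches and 1 otherwise, so the
# script can serve as a configuration-management or CI check.
if [ "${1:-}" = "--live" ]; then
    audit_required
    [ "$(count_noncompliant)" -eq 0 ]
fi
```

Run it as root (or with CAP_SYS_ADMIN-free read access to /proc/sys, which unprivileged users normally have) after sysctl -p; a DRIFT on a conf.all.* key after a clean sysctl -p usually means a later file in /etc/sysctl.d or a service is overriding the value, while MISSING on a net.ipv4.conf.* key means the kernel build or namespace does not expose it.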

2.2.1. Suggested /etc/sysctl.conf config

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 0

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# CSI Compliance
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0


[1] Unless this host serves as a router, do not pass traffic between networks. A host that must forward (for example a VM or container host) needs this set to 1 and should rely on firewall rules instead.
[2] Unless this host serves as a router, do not send ICMP redirects; only routers should tell other hosts where to route.
[3] Same as [2], for interfaces created after the setting is applied.
[4] Do not accept ICMP redirects, so that an attacker on the local segment cannot alter this host's routing table.
[5] Ignore ICMP echo requests sent to broadcast addresses, so this host cannot be used as an amplifier in a smurf attack.
[6] Suppress kernel log warnings about bogus ICMP error responses (some routers violate RFC 1122 by sending them); this prevents log flooding rather than changing how the packets are handled.
[7] Enable SYN cookies so the host keeps accepting connections during a SYN flood instead of exhausting its backlog.
[8] Log packets whose source address cannot be legitimate on the receiving interface (martians), which makes spoofed and source-routed traffic visible in the kernel log.
[9] Same as [8], for interfaces created after the setting is applied.
[10] Do not accept packets carrying IP source-route options, which let the sender dictate the path and bypass routing policy.
[11] Same as [10], for interfaces created after the setting is applied.
[12] Enable strict reverse path filtering: drop packets whose source address would not be routed back out through the interface they arrived on. This breaks asymmetric routing; hosts with multiple uplinks need loose mode (2) on the affected interfaces.
[13] Same as [12], for interfaces created after the setting is applied.
[14] Same as [4], for interfaces created after the setting is applied.
[15] Do not accept ICMP redirects even from gateways in the interface's default route list. The kernel only consults this knob when accept_redirects is 1; with [4] and [14] set to 0 every redirect is already rejected, so this is a second line of defence should accept_redirects ever be re-enabled.
[16] Same as [15], for interfaces created after the setting is applied.