Kernel Hardening Guide
Kernel Hardening Guide
Section titled “Kernel Hardening Guide”Last Updated: 2026-02-09 Server: Hetzner Production (46.224.40.5) Status: ✅ Active (20+ sysctl rules)
Overview
Section titled “Overview”Kernel hardening uses sysctl parameters to protect against network-level attacks, prevent IP spoofing, and restrict access to sensitive kernel information.
Current Configuration
Section titled “Current Configuration”Configuration File
Section titled “Configuration File”Location: /etc/sysctl.d/99-security-hardening.conf
# =============================================================================# Kernel Security Hardening - iSu Technologies# Applied: 2026-02-09# =============================================================================
# IP Spoofing protectionnet.ipv4.conf.all.rp_filter = 1net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requestsnet.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routingnet.ipv4.conf.all.accept_source_route = 0net.ipv4.conf.default.accept_source_route = 0net.ipv6.conf.all.accept_source_route = 0net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirectsnet.ipv4.conf.all.send_redirects = 0net.ipv4.conf.default.send_redirects = 0
# Block SYN attacksnet.ipv4.tcp_syncookies = 1net.ipv4.tcp_max_syn_backlog = 2048net.ipv4.tcp_synack_retries = 2net.ipv4.tcp_syn_retries = 5
# Log Martians (packets with impossible addresses)net.ipv4.conf.all.log_martians = 1net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirectsnet.ipv4.conf.all.accept_redirects = 0net.ipv4.conf.default.accept_redirects = 0net.ipv6.conf.all.accept_redirects = 0net.ipv6.conf.default.accept_redirects = 0
# Disable secure redirectsnet.ipv4.conf.all.secure_redirects = 0net.ipv4.conf.default.secure_redirects = 0
# Increase system file descriptor limitfs.file-max = 65535
# Protect against symlink attacksfs.protected_symlinks = 1fs.protected_hardlinks = 1
# Restrict dmesg accesskernel.dmesg_restrict = 1
# Restrict access to kernel pointerskernel.kptr_restrict = 2Protection Summary
Section titled “Protection Summary”| Protection | Parameter | Effect |
|---|---|---|
| IP Spoofing | rp_filter = 1 | Rejects packets with spoofed source |
| SYN Flood | tcp_syncookies = 1 | Mitigates SYN flood attacks |
| ICMP Attacks | icmp_echo_ignore_broadcasts = 1 | Prevents Smurf attacks |
| Redirects | accept_redirects = 0 | Prevents ICMP redirect attacks |
| Martian Logging | log_martians = 1 | Logs suspicious packets |
| Symlink Attacks | protected_symlinks = 1 | Prevents symlink races |
| Kernel Info | kptr_restrict = 2 | Hides kernel pointers |
Quick Commands
Section titled “Quick Commands”Check Current Values
Section titled “Check Current Values”# View all security sysctl valuessysctl -a | grep -E "rp_filter|syncookies|icmp_echo|accept_redirects|log_martians"
# Check specific valuesysctl net.ipv4.tcp_syncookies
# View entire hardening configcat /etc/sysctl.d/99-security-hardening.confApply Changes
Section titled “Apply Changes”# Apply all sysctl configurationssysctl --system
# Apply specific filesysctl -p /etc/sysctl.d/99-security-hardening.conf
# Temporarily change a value (testing)sysctl -w net.ipv4.tcp_syncookies=1Monitoring
Section titled “Monitoring”Check for Martian Packets
Section titled “Check for Martian Packets”# View kernel logs for martian packetsdmesg | grep -i martian
# Live monitoringdmesg -w | grep -i martianNetwork Attack Indicators
Section titled “Network Attack Indicators”# Check for SYN_RECV connections (potential SYN flood)ss -tnp state syn-recv | wc -l
# View connection statesss -s
# Check for high numbers of TIME_WAITss -tnp state time-wait | wc -lTroubleshooting
Section titled “Troubleshooting”Settings Not Applied?
Section titled “Settings Not Applied?”# Check if config file existsls -la /etc/sysctl.d/99-security-hardening.conf
# Check for syntax errorssysctl -p /etc/sysctl.d/99-security-hardening.conf 2>&1
# Verify settings loadedsysctl net.ipv4.tcp_syncookies# Should return: net.ipv4.tcp_syncookies = 1Revert Changes
Section titled “Revert Changes”# Remove hardening filemv /etc/sysctl.d/99-security-hardening.conf /tmp/
# Reset to defaultssysctl --system
# Or rebootrebootRelated Documentation
Section titled “Related Documentation”Last hardening: 2026-02-09 Maintainer: Nhlanhla Mnyandu (nhlanhla@isutech.co.za)