Skip to content

Kernel Hardening Guide

Last Updated: 2026-02-09 Server: Hetzner Production (46.224.40.5) Status: ✅ Active (20+ sysctl rules)


Kernel hardening uses sysctl parameters to protect against network-level attacks, prevent IP spoofing, and restrict access to sensitive kernel information.


Location: /etc/sysctl.d/99-security-hardening.conf

Terminal window
# =============================================================================
# Kernel Security Hardening - iSu Technologies
# Applied: 2026-02-09
# =============================================================================
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians (packets with impossible addresses)
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Disable secure redirects
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Increase system file descriptor limit
fs.file-max = 65535
# Protect against symlink attacks
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
# Restrict dmesg access
kernel.dmesg_restrict = 1
# Restrict access to kernel pointers
kernel.kptr_restrict = 2

ProtectionParameterEffect
IP Spoofingrp_filter = 1Rejects packets with spoofed source
SYN Floodtcp_syncookies = 1Mitigates SYN flood attacks
ICMP Attacksicmp_echo_ignore_broadcasts = 1Prevents Smurf attacks
Redirectsaccept_redirects = 0Prevents ICMP redirect attacks
Martian Logginglog_martians = 1Logs suspicious packets
Symlink Attacksprotected_symlinks = 1Prevents symlink races
Kernel Infokptr_restrict = 2Hides kernel pointers

Terminal window
# View all security sysctl values
sysctl -a | grep -E "rp_filter|syncookies|icmp_echo|accept_redirects|log_martians"
# Check specific value
sysctl net.ipv4.tcp_syncookies
# View entire hardening config
cat /etc/sysctl.d/99-security-hardening.conf
Terminal window
# Apply all sysctl configurations
sysctl --system
# Apply specific file
sysctl -p /etc/sysctl.d/99-security-hardening.conf
# Temporarily change a value (testing)
sysctl -w net.ipv4.tcp_syncookies=1

Terminal window
# View kernel logs for martian packets
dmesg | grep -i martian
# Live monitoring
dmesg -w | grep -i martian
Terminal window
# Check for SYN_RECV connections (potential SYN flood)
ss -tnp state syn-recv | wc -l
# View connection states
ss -s
# Check for high numbers of TIME_WAIT
ss -tnp state time-wait | wc -l

Terminal window
# Check if config file exists
ls -la /etc/sysctl.d/99-security-hardening.conf
# Check for syntax errors
sysctl -p /etc/sysctl.d/99-security-hardening.conf 2>&1
# Verify settings loaded
sysctl net.ipv4.tcp_syncookies
# Should return: net.ipv4.tcp_syncookies = 1
Terminal window
# Remove hardening file
mv /etc/sysctl.d/99-security-hardening.conf /tmp/
# Reset to defaults
sysctl --system
# Or reboot
reboot


Last hardening: 2026-02-09 Maintainer: Nhlanhla Mnyandu (nhlanhla@isutech.co.za)