Kernel Security

Friday, December 25, 2009

Several kernel configuration options that improve security are exposed through the
/proc pseudo-filesystem, and quite a few of the files in /proc/sys relate directly to
security. An option is enabled if its file contains a 1 and disabled if it contains a 0.
The options available under /proc/sys/net/ipv4 include:

icmp_echo_ignore_all: Ignore all ICMP ECHO requests. Enabling this option prevents this host from responding to ping requests.
icmp_echo_ignore_broadcasts: Ignore ICMP echo requests sent to a broadcast or multicast destination address. Without this, your network may be used as an "exploder" (amplifier) for denial-of-service packet flooding attacks against other hosts.
ip_forward: Enable or disable the forwarding of IP packets between interfaces. The default value depends on whether the kernel is configured as a host or a router.
ip_masq_debug: Enable or disable debugging of IP masquerading.
tcp_syncookies: Protection from the "SYN attack". Send syncookies when the SYN backlog queue of a socket overflows.
rp_filter: Determines whether source address verification is enabled. Enable this option on all routers to prevent IP spoofing attacks against the internal network.
secure_redirects: Accept ICMP redirect messages only from gateways listed in the default gateway list.
log_martians: Log packets with impossible addresses to the kernel log.
accept_source_route: Determines whether source-routed packets are accepted or declined. Should be disabled unless a specific reason requires it.
The file /etc/sysctl.conf on recent Red Hat systems contains a few default settings and is
processed at system startup. The /sbin/sysctl program can be used to control these
parameters. It is also possible to set their values with /bin/echo. For example,
to disable IP forwarding, as root run:

echo "0" > /proc/sys/net/ipv4/ip_forward

A value written this way lasts only until the next reboot, so to make it persistent it
must be placed in a system startup file or, on Red Hat, in /etc/sysctl.conf. More
information is available in the proc.txt file in the kernel Documentation/ directory.
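As an added example (not from the original post), here is a POSIX shell audit of the options listed above against a hardened-host baseline, with a helper that prints the same baseline in /etc/sysctl.conf form. The baseline values, the function names and the conf/all/ paths for the per-interface options are my assumptions; ip_masq_debug and icmp_echo_ignore_all are left out because they have no single correct value. The base directory is a parameter so the same function can be checked against a constructed tree.

```shell
#!/bin/sh
# Added example: audit the /proc/sys/net/ipv4 options discussed above against a
# hardened-host baseline. Expected values are this script's assumptions (ip_forward=0
# assumes a host, not a router); the per-interface options live under conf/all/.
# Format: "<path relative to the ipv4 tree> <expected value>".
IPV4_BASELINE='
icmp_echo_ignore_broadcasts 1
tcp_syncookies 1
conf/all/rp_filter 1
conf/all/log_martians 1
conf/all/accept_source_route 0
conf/all/secure_redirects 1
ip_forward 0
'

# Compare every baseline entry with the live value under $1 (normally
# /proc/sys/net/ipv4). Prints one line per deviation; the return value is the
# number of deviations, so 0 means the tree matches the baseline.
audit_ipv4_sysctls() {
    base="$1"
    bad=0
    while read -r key want; do
        [ -n "$key" ] || continue            # skip blank lines in the baseline
        file="$base/$key"
        have=$(cat "$file" 2>/dev/null)
        if [ ! -r "$file" ]; then
            printf 'MISSING  %s (not present on this kernel)\n' "$key"
            bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            printf 'MISMATCH %s is %s, expected %s\n' "$key" "$have" "$want"
            bad=$((bad + 1))
        fi
    done <<EOF
$IPV4_BASELINE
EOF
    return "$bad"
}

# Print the same baseline as /etc/sysctl.conf lines, the persistent form the
# text recommends instead of echoing into /proc after every reboot.
emit_sysctl_conf() {
    while read -r key want; do
        [ -n "$key" ] || continue
        printf 'net.ipv4.%s = %s\n' "$(printf '%s' "$key" | tr / .)" "$want"
    done <<EOF
$IPV4_BASELINE
EOF
}
# Run directly as: sh audit_ipv4.sh /proc/sys/net/ipv4
[ $# -eq 0 ] || { audit_ipv4_sysctls "$1"; emit_sysctl_conf; }
```

A non-zero exit from audit_ipv4_sysctls makes the check usable from cron or a configuration-management run, and the emitted lines can be appended to /etc/sysctl.conf once reviewed.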
