ServerBuddies Support Blog

Kernel Tunable Security Parameters

To activate the configured kernel parameters immediately at runtime, use:

The following list shows tunable kernel parameters you can use to secure your Linux server against attacks.

For each tunable kernel parameters we will show the entry that needs to be added to the /etc/sysctl.conf configuration file to make the change permanent after reboots.

Enable TCP SYN Cookie Protection

A “SYN Attack” is a denial of service attack that consumes all the resources on a machine. Any server that is connected to a network is potentially subject to this attack.

To enable TCP SYN Cookie Protection, edit the /etc/sysctl.conf file and add the following line:

Disable IP Source Routing

Source Routing is used to specify a path or route through the network from source to destination. This feature can be used by network people for diagnosing problems.

However, if an intruder was able to send a source routed packet into the network, then he could intercept the replies and your server might not know that it’s not communicating with a trusted server.

To enable Source Route Verification, edit the /etc/sysctl.conf file and add the following line:

To find out what a particular driver/module does, the modinfo command can be used in many cases:

modinfo — program to show information about a Linux Kernel module

modinfo extracts information from the Linux Kernel modules given on the command line. If the module name is not a filename, then the /lib/modules/version directory is searched, as done by modprobe(8).

To set parameters during module loads, you can add entries to /etc/modprobe.conf on RHEL or /etc/modprobe.conf.local on SLES.