Linux is a very good operating system, but its default settings are not always very secure, because the defaults aim to make everything easy and compatible for everyone. If you want your computer to be more secure, you can change some kernel parameters that are normally hidden, using a tool named sysctl. This guide combines security ideas from the Red Hat Enterprise Linux 10 guide, the Fedora workstation CUSP profile, and the privacyguides.org website to help you make your Linux system stronger. It is useful for both a personal computer and a server, but you must know that some things might break after you apply it. We will go through it together step by step so you can make your Linux system harder to attack by bad people on the internet.
The first thing you must do is open a terminal on your Linux computer. We need to create one configuration file in a special folder that Linux reads for sysctl settings when it boots. The folder is called sysctl.d, and we will name the file 99-cfg-hardening.conf. You must use sudo because a normal user cannot change these files. You can use an editor such as vi or nano to write this file. Run this command in your terminal:
sudo vi /etc/sysctl.d/99-cfg-hardening.conf
When the editor is open, copy and paste all of the lines below very carefully, because if you make a mistake some network or system functions may stop working.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
kernel.printk = 3 3 3 3
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2
kernel.kexec_load_disabled = 1
kernel.yama.ptrace_scope = 1
kernel.sysrq = 4
kernel.perf_event_paranoid = 3
kernel.core_pattern = |/bin/false
vm.unprivileged_userfaultfd = 0
fs.protected_fifos = 2
fs.protected_regular = 2
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
fs.suid_dumpable = 0
If you are using the vi editor, you must first press the I key so you can type or paste text. After you paste all the lines, press the Esc key, then type :wq and press Enter to save the file and close it.
Now I will explain what all these strange lines mean in a simple way, because it is important to understand what you are doing to your system. The first part is about the network. The rp_filter setting is for reverse path filtering. It means the kernel checks whether a packet arriving on your network card really could have come from where it claims, or whether it carries a fake source IP address. Setting it to 1 makes your computer drop these fake packets. The accept_source_route set to 0 is because we do not want other routers on the internet to tell our computer which path it must use to send packets, because attackers can use this to send bad data. The accept_redirects and secure_redirects set to 0 stop other devices from changing your computer's routing table, which is very safe because nobody can redirect your internet traffic to their own computer. The send_redirects set to 0 means our computer will not tell other computers about routes.
We also have log_martians set to 1. This is a funny name, but it just means the kernel will write a log entry about packets that have impossible source or destination addresses, like fake addresses. The icmp_echo_ignore_broadcasts set to 1 stops your computer from replying to ping requests sent to everyone on the network, which attackers use to find active computers. The icmp_ignore_bogus_error_responses setting stops the kernel from logging bogus ICMP error messages. The tcp_syncookies set to 1 is very important because it protects your computer from a SYN flood attack, which is when bad people try to overload a network port so you cannot use it. The tcp_rfc1337 setting protects your system against a TCP problem called TIME-WAIT assassination, which is caused by RST packets. For IPv6, we do the same things to stop redirects and source routing, and we set use_tempaddr to 2. This is very good for your privacy because it makes your computer prefer temporary IPv6 addresses that change regularly, so websites cannot easily track your real IPv6 address.
The second part of the file is the kernel settings. This is the brain of your operating system. The kptr_restrict set to 2 is very important because it hides the real memory addresses of the kernel from everyone, including root. If attackers want to break into your system, they need to know where kernel objects are in memory, and this setting makes them blind. The dmesg_restrict set to 1 makes sure normal users cannot read the dmesg log, because dmesg contains a lot of information about system hardware and kernel memory that malicious software can use. The printk setting reduces the messages the kernel writes on the console while booting, so people cannot see sensitive details.
We also have unprivileged_bpf_disabled set to 1. BPF is a very powerful tool inside Linux, but normal programs do not need to use it, so we turn it off for normal users to stop exploits. The bpf_jit_harden set to 2 makes the BPF JIT compiler safer. The kexec_load_disabled set to 1 stops people from loading a new kernel without restarting the computer, which can be a big security risk. The yama.ptrace_scope set to 1 stops programs from looking into the memory of other programs. For example, if you have a program that is running, another program cannot spy on it unless that program is its child process. The sysrq set to 4 only allows a few safe keyboard shortcuts for system recovery. The perf_event_paranoid set to 3 stops unprivileged users from using performance measurement tools that can steal CPU secrets (value 3 comes from a patch carried by some distributions; on a mainline kernel the highest value is 2, and writing 3 simply behaves like 2). The core_pattern set to |/bin/false stops your system from creating core dump files when a program crashes, because core dump files can contain passwords or private data. The unprivileged_userfaultfd set to 0 stops normal users from using userfaultfd, which is often used in kernel exploits.
The third part is the filesystem settings. The protected_fifos and protected_regular set to 2 stop bad users or programs from tricking other programs into writing files in world-writable directories like /tmp in unsafe ways. The protected_symlinks and protected_hardlinks set to 1 stop people from making links to files they do not own, which is a common trick to read other people's files. The suid_dumpable set to 0 stops programs with elevated privileges from creating core dumps if they crash.
After you write the file, you must make the system load these new settings. You can do this without restarting your computer by running this command:
sudo sysctl -p /etc/sysctl.d/99-cfg-hardening.conf
This command prints every setting it applied from the file. If you see them, it means the system read the file. But we should also double check that the values really changed in the running kernel. You can run this command to read some of the most important settings:
sudo sysctl kernel.kptr_restrict kernel.yama.ptrace_scope kernel.unprivileged_bpf_disabled fs.protected_fifos
When you run this, your computer should show the new values: kernel.kptr_restrict = 2, kernel.yama.ptrace_scope = 1, kernel.unprivileged_bpf_disabled = 1, and fs.protected_fifos = 2. If you see these, your hardening is now active.
But you must be careful, because some of these settings can cause problems on an everyday workstation. For example, when you set kernel.unprivileged_bpf_disabled to 1, tools like bpftrace or bpftop will not work if you run them as a normal user. If you are a developer who works with BPF, you might need to change this. Programs like Cilium or Falco will still work, because they run with root privileges anyway.
Another one is kernel.yama.ptrace_scope set to 1. This means that if you use a debugging tool like gdb to inspect a running process, you can only do it if the tool started that process. If you want to attach gdb to a process that is already running, it will fail unless you put sudo before your command. If you set this to 2, you need a special permission called CAP_SYS_PTRACE, and if you set it to 3, you cannot use ptrace at all, which means no debugging can happen.
Also, kernel.kexec_load_disabled set to 1 will stop you from using kexec. Kexec is a tool that lets you load a new kernel very quickly without going through the motherboard firmware reboot. If you use this for fast rebooting, do not use this setting. If you do not know what kexec is, then it is very safe to keep it disabled, because it closes a dangerous path that attackers can use.
Lastly, net.ipv4.icmp_echo_ignore_broadcasts set to 1 is very safe and does not break things. But please do not set net.ipv4.icmp_echo_ignore_all to 1; we left it out of our list for a reason. If you turn off all ping responses, your laptop might not be able to detect captive portals when you try to connect to Wi-Fi at hotels or coffee shops, and this will annoy you a lot.
To make sure everything is clear, here is the step-by-step process you must follow to apply this on your system:
Step 1: Open your terminal application. You can press Ctrl+Alt+T on most Linux systems to open it.
Step 2: Open the configuration file with root privileges using the vi or nano editor. Type this command:
sudo vi /etc/sysctl.d/99-cfg-hardening.conf
If the system asks for your password, type it and press Enter.
Step 3: Copy the complete configuration block from this guide. Make sure you copy every line correctly. If you use vi, press I to enter insert mode first, then paste.
Step 4: Save the file. In vi, press Esc, then type :wq and press Enter. If you use nano, press Ctrl+O, press Enter, then press Ctrl+X to exit.
Step 5: Load the new settings into your kernel immediately, without waiting for a reboot. Type this command:
sudo sysctl -p /etc/sysctl.d/99-cfg-hardening.conf
Look at the terminal output to make sure there are no syntax errors.
Step 6: Verify that the most important settings are active. Run this command:
sudo sysctl kernel.kptr_restrict kernel.yama.ptrace_scope kernel.unprivileged_bpf_disabled fs.protected_fifos
Check that the values match what we wrote in the file.
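The manual check above only looks at four keys. The script below is an added example, not part of this guide, that reads every key in the file and compares it with what the running kernel reports from /proc/sys, so you can verify the whole block in one go (it covers both the verification step after sysctl -p and Step 6). It assumes the "key = value" layout used by 99-cfg-hardening.conf and that every key maps directly to a path under /proc/sys.

```shell
#!/bin/sh
# Added example (not part of the guide): compare every key in a sysctl.d
# file with the value the running kernel reports and list any mismatch.
# Assumes "key = value" lines as in 99-cfg-hardening.conf; keys that
# contain an interface name with a dot in it are not handled.

# read_live KEY: print the kernel's current value for KEY by reading
# /proc/sys directly, so no sysctl binary is needed.
read_live() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] || { printf 'MISSING\n'; return 0; }
    # multi-field values such as kernel.printk are tab separated in /proc
    tr -s '\t' ' ' < "$path"
}

# check_conf FILE [READER]: print "MISMATCH key expected=[..] actual=[..]"
# for every key whose live value differs; return 1 if any differed.
# READER defaults to read_live (a fake reader can be passed for testing).
check_conf() {
    conf=$1
    reader=${2:-read_live}
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        # skip blank lines, comments (# or ;) and lines without "="
        case $line in ''|'#'*|';'*) continue ;; *=*) ;; *) continue ;; esac
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        expected=$(printf '%s' "${line#*=}" | tr -s ' \t' ' ' | sed 's/^ //;s/ $//')
        actual=$("$reader" "$key")
        if [ "$expected" != "$actual" ]; then
            printf 'MISMATCH %s expected=[%s] actual=[%s]\n' "$key" "$expected" "$actual"
            rc=1
        fi
    done < "$conf"
    return $rc
}

# Stand-alone use:  sh check_sysctl.sh /etc/sysctl.d/99-cfg-hardening.conf
if [ -n "${1:-}" ]; then
    if check_conf "$1"; then echo "all settings match"; fi
fi
```

Keys that have not taken effect (for example because a later file in sysctl.d overrides them, or because the kernel does not support the key) show up as MISMATCH lines, so an empty output means every line of the file is active.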
In conclusion, changing these sysctl settings is a very easy and effective way to make a stock Linux system much more secure. It does not take much time, and it closes many security holes that exist in default configurations. Even if you are not a computer expert, following these simple steps will help protect your data and system from basic network attacks and local exploits. Just remember the small side effects we discussed for debugging tools and BPF tools if you are a developer, so you are not confused when some advanced tools need sudo to run.
