The sysctl Surface Area
The Linux kernel exposes hundreds of tuneable parameters via /proc/sys. Most defaults
are reasonable for a desktop — not for a hardened server. Here are the ones I set on every build.
Network Hardening
# /etc/sysctl.d/99-hardening.conf
# Prevent IP spoofing
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
# Log martian packets
net.ipv4.conf.all.log_martians = 1
Memory Hardening
# ASLR — always on
kernel.randomize_va_space = 2
# Restrict dmesg to root
kernel.dmesg_restrict = 1
# Restrict ptrace to parent processes
kernel.yama.ptrace_scope = 1
# Disable magic sysrq in prod
kernel.sysrq = 0
# Prevent core dumps from setuid programs
fs.suid_dumpable = 0
Apply Without Reboot
sysctl -p /etc/sysctl.d/99-hardening.conf
Defensive Takeaways
- Add sysctl hardening to your base image build, not as a post-deployment step
- Set kernel.yama.ptrace_scope = 2 for high-security environments
- Validate settings survive reboots — some cloud images overwrite sysctl.conf
- Pair with a CIS benchmark scan to catch what you missed
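A drift check for the "validate settings survive reboots" point, added here as an example and not code from the original post: it reads the hardening file above, compares each key with the live value under /proc/sys (or a constructed tree, so it can be tested offline) and reports anything that was reset or is unsupported on the running kernel. The script name audit-sysctl.sh and the helper names are assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: "key = value" lines
# with '#' comments, and live values read from a /proc/sys-style tree that
# defaults to /proc/sys but can point at a constructed tree for testing.

# Collapse whitespace so multi-field values (tab-separated) compare cleanly.
norm() { printf '%s\n' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'; }

# check_sysctl_drift CONFIG_FILE [SYS_ROOT]
# Prints "key expected=X actual=Y" for every drifted or missing key.
# Returns 0 when every key matches the live value, 1 otherwise.
check_sysctl_drift() {
    conf="$1"; root="${2:-/proc/sys}"
    # The loop runs in an explicit subshell; its exit code becomes the
    # pipeline's status and therefore the function's return value.
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf" | (
        rc=0
        while IFS='=' read -r key expected; do
            key=$(norm "$key"); expected=$(norm "$expected")
            [ -n "$key" ] || continue
            path="$root/$(printf '%s' "$key" | tr . /)"
            if [ ! -r "$path" ]; then
                actual='<missing>'        # key not present on this kernel
            else
                actual=$(norm "$(cat "$path")")
            fi
            if [ "$actual" != "$expected" ]; then
                printf '%s expected=%s actual=%s\n' "$key" "$expected" "$actual"
                rc=1
            fi
        done
        exit "$rc"
    )
}

# build_sample_tree DIR: constructed stand-in for /proc/sys holding the
# post's values, except ptrace_scope, which a reboot has reset to 0.
build_sample_tree() {
    for kv in kernel.randomize_va_space=2 kernel.dmesg_restrict=1 \
              kernel.yama.ptrace_scope=0 kernel.sysrq=0 fs.suid_dumpable=0 \
              net.ipv4.tcp_syncookies=1 net.ipv4.conf.all.rp_filter=1; do
        f="$1/$(printf '%s' "${kv%=*}" | tr . /)"
        mkdir -p "$(dirname "$f")" && printf '%s\n' "${kv#*=}" > "$f"
    done
}

# Usage: sh audit-sysctl.sh /etc/sysctl.d/99-hardening.conf [/proc/sys]
if [ "$#" -gt 0 ]; then check_sysctl_drift "$@"; fi
```

Run it from a boot-time unit or alongside the CIS scan; a non-zero exit with the drifted keys on stdout is the signal that an image or cloud-init step has clobbered the file.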