Kernel hardening (sysctl)

Apply sysctl network and kernel hardening parameters on a HolyCloud VPS: anti-spoofing, SYN flood mitigation, ICMP redirects, and persistence across reboots.

~12 min read · Advanced · #sysctl #kernel #hardening #security #network

sysctl parameters change Linux kernel behaviour without recompiling: reverse-path filtering, ICMP redirect handling, SYN flood protection, core dump control. On an Internet-exposed HolyCloud Linux VPS, a sensible sysctl profile reduces the attack surface, in addition to UFW, Fail2ban, and hardened SSH. sysctl is not a firewall: it closes off kernel behaviours an attacker could abuse (spoofed source addresses, injected routes, leaked core dumps), not ports.

Prerequisites

- HolyCloud VPS running Ubuntu or Debian, with root or sudo access
- An understanding of the impact: some settings break routing, forwarding, or diagnostics (traceroute)
- The HolyCloud console or a second SSH session open before applying: mistakes rarely cut off access, but they can on unusual network stacks (tunnels, several interfaces, policy routing)
- A backup of /etc/sysctl.conf and a test after reboot

Warning: if this VPS acts as a router, VPN endpoint (WireGuard), or Docker host, adapt ip_forward, rp_filter and the related rules to that role. Do not blindly copy a "web server" profile onto it.
Step 1: Current state

```bash
sysctl -a 2>/dev/null | wc -l
sysctl net.ipv4.ip_forward
sysctl net.ipv4.conf.all.rp_filter
ls /etc/sysctl.d/
```

Backup:

```bash
sudo cp /etc/sysctl.conf /etc/sysctl.conf.bak.$(date +%F)
```

Ubuntu and Debian already ship defaults under /etc/sysctl.d/ and /usr/lib/sysctl.d/ (rp_filter and accept_source_route among them). Your own files must sort after them to take effect, which is why the files below are numbered 97 to 99.

Step 2: Network hardening file (IPv4, plus IPv6 redirects and source routing)

```bash
sudo nano /etc/sysctl.d/99-holycloud-hardening.conf
```

```ini
# Reverse path filtering (anti-spoofing). Strict mode (1) is fine when a single
# interface carries the default route; on multi-homed or VPN hosts use loose mode (2),
# otherwise strict mode drops legitimate asymmetric traffic.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP redirects (stops an on-link attacker from rewriting your routes)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Do not send redirects (a host that is not a router has no reason to)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Ignore ICMP echo requests sent to broadcast addresses (smurf amplification)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Log martian packets (impossible source or destination addresses on an interface)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# SYN cookies (SYN flood mitigation; they only kick in once the SYN backlog is full)
net.ipv4.tcp_syncookies = 1

# Disable source routing (a packet must not dictate its own path)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
```

Step 3: Kernel and memory limits

```bash
sudo nano /etc/sysctl.d/98-holycloud-limits.conf
```

```ini
# No core dumps from setuid processes (a dump could leak privileged memory)
fs.suid_dumpable = 0

# Full address space randomisation (ASLR); 2 is already the default on modern kernels
kernel.randomize_va_space = 2

# Restrict dmesg to privileged users (kernel addresses and log details help an attacker)
kernel.dmesg_restrict = 1

# kernel.modules_disabled is a one-way switch: 1 blocks *all* further module loading,
# even by root, until reboot. It does not target unprivileged users (they cannot load
# modules anyway). Leave it at 0 unless every module you need is loaded at boot.
kernel.modules_disabled = 0

# Raise the system-wide file descriptor ceiling for high-traffic servers
fs.file-max = 2097152
```

For a heavily loaded web server, also adjust (same file or a separate one):

```ini
# Maximum accept() backlog; the application must also ask for a large backlog in listen()
net.core.somaxconn = 65535
# Half-open connections held before SYN cookies take over
net.ipv4.tcp_max_syn_backlog = 8192
# Ephemeral port range. Starting at 1024 overlaps ports that daemons listen on (3306 for
# MariaDB, for instance); reserve those with net.ipv4.ip_local_reserved_ports or start higher.
net.ipv4.ip_local_port_range = 1024 65535
```

Step 4: IPv6 (optional)

If you do not use IPv6 at all:

```bash
sudo nano /etc/sysctl.d/97-disable-ipv6.conf
```
```ini
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
```

Check first that nothing depends on IPv6 (ip -6 addr, and whether your HolyCloud VPS has an IPv6 allocation you serve from). Otherwise keep IPv6 enabled and apply the same accept_redirects and accept_source_route rules as for IPv4 (already in the step 2 file).

Step 5: Apply and persist

```bash
sudo sysctl --system
sysctl net.ipv4.tcp_syncookies
sysctl net.ipv4.conf.all.rp_filter
```

sysctl --system merges the *.conf files from /etc/sysctl.d, /run/sysctl.d, /usr/local/lib/sysctl.d, /usr/lib/sysctl.d and /lib/sysctl.d (a file name in an earlier directory shadows the same name in a later one), reads them in lexical order, then reads /etc/sysctl.conf last. A key set in several files takes the value from the last file read, so 99-holycloud-hardening.conf overrides the distribution defaults, but anything in /etc/sysctl.conf overrides it. List every key that is assigned more than once:

```bash
grep -rhvE '^\s*(#|;|$)' /etc/sysctl.d/*.conf /etc/sysctl.conf 2>/dev/null \
  | cut -d= -f1 | tr -d ' \t' | sort | uniq -d
```

Step 6: HolyCloud special cases

- WireGuard / NAT gateway: keep net.ipv4.ip_forward = 1, and use net.ipv4.conf.all.rp_filter = 2 (loose) or a per-interface setting, because strict mode drops packets whose reply path would leave through a different interface.
- Docker: the daemon enables ip_forward itself when it starts and manages its own iptables chains; test container networking (outbound traffic and published ports) after hardening and after each reboot.
- Web server only: ip_forward = 0 (the default) is correct.

Step 7: Audit after reboot

```bash
sudo reboot
```

After reconnecting:

```bash
sysctl net.ipv4.tcp_syncookies net.ipv4.conf.all.rp_filter
sudo dmesg | grep -i martian | tail -10
curl -I https://exemple.fr        # your own site
ssh -v localhost 2>&1 | tail -5
```

Verification

```bash
sudo sysctl --system 2>&1 | tail -5
for key in net.ipv4.tcp_syncookies net.ipv4.conf.all.accept_redirects kernel.randomize_va_space; do
    echo "$key=$(sysctl -n "$key")"
done
```

Expected values: tcp_syncookies=1, accept_redirects=0, randomize_va_space=2.

HolyCloud support

- VPN connectivity lost after sysctl: re-enable ip_forward and check rp_filter on the tunnel interface (for a wg0 tunnel: sysctl net.ipv4.conf.wg0.rp_filter; the effective value is the higher of the "all" and per-interface settings).
- Applications accepting too few connections: compare the backlog the application requests (ss -ltn, Send-Q column on listening sockets) and the socket counts from ss -s with net.core.somaxconn, and raise or lower somaxconn accordingly.
- Many martian logs: attack or bad route; check ip route and the HolyCloud network configuration.
- When contacting HolyCloud support, send your /etc/sysctl.d/*.conf files, the output of sysctl -a | grep -E 'forward|rp_filter|syncookies', and the VPS role (web/VPN/Docker).
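The grep in step 5 only lists keys that appear more than once; it does not say which file wins. The following script is an added example (my own, not part of the HolyCloud guide) that reproduces the read order of procps sysctl --system (merge of the sysctl.d directories with basename shadowing, lexical sort, /etc/sysctl.conf last) and prints the effective value and source file of every key, followed by one DUPLICATE line per key set in several files. The optional root prefix is there so it can be pointed at a copy or a test tree; paths containing spaces are not supported.

```sh
#!/bin/sh
# Added example (not from the HolyCloud guide): which file wins for each sysctl key?
# Reproduces the read order of procps `sysctl --system`:
#   1. *.conf from the sysctl.d directories below, in that precedence; a basename found
#      in an earlier directory shadows the same basename in a later one;
#   2. the surviving files are read in lexical order of basename;
#   3. /etc/sysctl.conf is read last.
# $1 is an optional root prefix (e.g. a test tree). Paths with spaces are not supported.

sysctl_file_order() {
    local root="${1:-}" dir f base seen list
    seen=" "
    list=""
    for dir in /etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d /usr/lib/sysctl.d /lib/sysctl.d; do
        for f in "$root$dir"/*.conf; do
            [ -f "$f" ] || continue
            base=${f##*/}
            case "$seen" in *" $base "*) continue ;; esac   # shadowed by an earlier directory
            seen="$seen$base "
            list="$list$base $f
"
        done
    done
    # sort by basename, then print the full path
    printf '%s' "$list" | sort -k1,1 | awk '{ print $2 }'
    [ -f "$root/etc/sysctl.conf" ] && printf '%s\n' "$root/etc/sysctl.conf"
    return 0
}

# Print "key = value  (winning file)" for every key, then one DUPLICATE line per key
# that is assigned in more than one file (files listed in read order).
sysctl_effective() {
    set -- $(sysctl_file_order "${1:-}")   # word-split into the file list
    [ $# -gt 0 ] || return 0
    awk '
        /^[ \t]*([#;]|$)/ { next }                 # blank and comment lines, as in sysctl.conf(5)
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            sub(/^-/, "", key)                     # leading "-" means "ignore errors", not part of the key
            if (!(key in count)) order[++n] = key
            count[key]++
            value[key] = val
            last[key] = FILENAME
            where[key] = (count[key] > 1) ? where[key] " " FILENAME : FILENAME
        }
        END {
            for (i = 1; i <= n; i++) { k = order[i]; printf "%s = %s  (%s)\n", k, value[k], last[k] }
            for (i = 1; i <= n; i++) { k = order[i]; if (count[k] > 1) printf "DUPLICATE %s: %s\n", k, where[k] }
        }' "$@"
}

# On the VPS:  sysctl_effective | grep -E 'DUPLICATE|rp_filter|ip_forward'
```

On Debian and Ubuntu, /etc/sysctl.d/99-sysctl.conf is a symlink to ../sysctl.conf, so a key placed in /etc/sysctl.conf shows up twice in its DUPLICATE line (once at the 99-sysctl.conf position, once at the end); that is exactly what sysctl --system does, and it is why 99-holycloud-hardening.conf, which sorts before 99-sysctl.conf, loses to it.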
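For the post-reboot check in step 7, an added example (mine, not from the HolyCloud guide): it reads sysctl -a output on stdin, compares it with the profile from steps 2 and 3, prints one line per key, and exits non-zero on any missing or differing key, so it can run from cron or a deployment pipeline. The vpn role is my own assumption for a WireGuard gateway, following the support note about ip_forward and rp_filter on tunnel interfaces: ip_forward = 1 and loose rp_filter (2); adjust it to your setup.

```sh
#!/bin/sh
# Added example (not from the HolyCloud guide): audit the running kernel against the
# hardening profile. Reads "key = value" lines (the `sysctl -a` format) on stdin, so it
# works on a live system and on a saved dump. Exit status 0 only if every expected key matches.

# Expected values for the web-server profile of steps 2 and 3 ("key value" per line).
sysctl_expected() {
    cat <<'EOF'
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv6.conf.all.accept_redirects 0
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.log_martians 1
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.accept_source_route 0
net.ipv6.conf.all.accept_source_route 0
fs.suid_dumpable 0
kernel.randomize_va_space 2
kernel.dmesg_restrict 1
net.ipv4.ip_forward 0
EOF
}

# sysctl_audit [web|vpn] < dump
# "vpn" (assumption, for a WireGuard gateway) expects ip_forward = 1 and loose rp_filter (2).
sysctl_audit() {
    {
        sysctl_expected | sed 's/^/EXP /'
        sed 's/^/ACT /'                     # the function's stdin: live or saved `sysctl -a`
    } | awk -v role="${1:-web}" '
        $1 == "EXP" { want[$2] = $3; order[++n] = $2; next }
        $1 == "ACT" && NF >= 4 && $3 == "=" {
            val = $4                        # values may contain spaces (ip_local_port_range)
            for (i = 5; i <= NF; i++) val = val " " $i
            have[$2] = val
        }
        END {
            if (role == "vpn") { want["net.ipv4.ip_forward"] = "1"; want["net.ipv4.conf.all.rp_filter"] = "2" }
            bad = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in have))            { printf "MISSING  %s (expected %s)\n", k, want[k]; bad++ }
                else if (have[k] != want[k]) { printf "MISMATCH %s = %s (expected %s)\n", k, have[k], want[k]; bad++ }
                else                         { printf "OK       %s = %s\n", k, have[k] }
            }
            exit (bad > 0)
        }'
}

# After reboot:  sysctl -a 2>/dev/null | sysctl_audit web && echo "profile applied"
```

A MISSING line for a net.ipv6 key on a host where IPv6 was disabled in step 4 is expected; drop those keys from sysctl_expected on such a VPS rather than ignoring the non-zero exit.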
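The support section says that many martian logs mean either an attack or a bad route; a count per source address and interface makes the two much easier to tell apart. Here is an added example (mine, not from the HolyCloud guide) fed with constructed log lines. Format assumption: the kernel's ip_handle_martian_source() logs "martian source <dst> from <src>, on dev <if>", so the address after "from" is the packet's source and the one right after "martian source" is its destination (your own address), the opposite of what the wording suggests. The triage rules in martian_triage are my own heuristic, not a HolyCloud recommendation.

```sh
#!/bin/sh
# Added example (not from the HolyCloud guide): summarise log_martians output.
# Input: kernel log lines on stdin (`sudo dmesg | martian_summary`, or journalctl -k).
# Format assumption (net/ipv4/route.c, ip_handle_martian_source):
#   "IPv4: martian source <dst> from <src>, on dev <if>"
# i.e. the address after "from" is the packet's source, the one after "martian source" its destination.

# Print "<count> src=<source> dev=<interface>", most frequent first.
martian_summary() {
    grep -o 'martian source [0-9.]* from [0-9.]*, on dev [^ ]*' \
    | awk '{ src = $5; sub(/,$/, "", src); n["src=" src " dev=" $8]++ }
           END { for (k in n) print n[k], k }' \
    | sort -rn
}

# Rough triage (my heuristic): a private (RFC 1918) or link-local source arriving on a tunnel
# or bridge is usually a route/rp_filter problem; a public source on the uplink is more likely spoofing.
martian_triage() {
    while read -r count rest; do
        src=${rest#src=}; src=${src%% *}
        dev=${rest##*dev=}
        case "$src" in
            10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|169.254.*) kind="private source" ;;
            *) kind="public source" ;;
        esac
        case "$dev" in
            wg*|tun*|docker*|br*|veth*) where="on a tunnel/bridge: check ip route and rp_filter on $dev" ;;
            *) where="on $dev: if the count keeps rising, treat as spoofing and rate-limit at the firewall" ;;
        esac
        printf '%s x%s: %s %s\n' "$src" "$count" "$kind" "$where"
    done
}

# Constructed sample (RFC 5737 documentation ranges; 198.51.100.10 stands for the VPS address).
sample_martians() {
    cat <<'EOF'
[12345.678901] IPv4: martian source 198.51.100.10 from 203.0.113.9, on dev eth0
[12345.678950] ll header: 00000000: ff ff ff ff ff ff 00 11 22 33 44 55 08 00
[12345.700000] IPv4: martian source 198.51.100.10 from 203.0.113.9, on dev eth0
[12346.100000] IPv4: martian source 198.51.100.10 from 203.0.113.9, on dev eth0
[12350.000000] IPv4: martian source 198.51.100.10 from 10.8.0.2, on dev wg0
[12351.000000] IPv4: martian source 198.51.100.10 from 10.8.0.2, on dev wg0
EOF
}

# sample_martians | martian_summary | martian_triage
```

On the sample, the eth0 entries come from a public source and would be the ones to rate-limit at the firewall, while the wg0 entries point at strict rp_filter on the tunnel interface, which matches the "VPN connectivity lost" case in the support section. Because kernel.dmesg_restrict = 1 is part of the profile, the live command needs sudo.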