CCNA HUB

CCNA and Linux Training Hub!

Applying Linux Kernel Hardening Rules

By Imad Daou

Building Professional Web Hosting Solution
<< Securing and Protecting Linux System Course
>> Linux Hardening Rules and IPtables Firewall Section

section table
  1. Preparing Linux Script Startup Environment
  2. Applying Linux Kernel Hardening Rules
  3. Applying System and Network Tuneup Rules
  4. Implementing Stateful Firewall Using IPtables
  5. Redirecting IPtables Firewall Logging Location
  6. Testing IPtables using Nmap Scanning Tool
  7. Logging and Trapping Port Scanning Tools

Implementing security measures will be a major part of my Web Hosting Solution. Applying Linux kernel hardening rules will be Security Layer 1, in front of the IPtables stateful firewall. Briefly, hardening your VPS system and network configuration is a must. The Linux kernel is the core of your Linux OS; it manages all hardware or virtual components such as CPU, memory, storage and network rules, hence that’s the first place to start.

Objectives:

1. Understanding Linux Kernel Hardening

2. Applying Linux Latest Kernel Updates

3. Applying Linux Kernel Hardening Rules

Prerequisites:

A. Basic Debian and Red Hat System Knowledge

B. Login to your DigitalOcean or Vultr Account

C. Preparing Linux Script Startup Environment

Recommendations:

1. For better performance, use VPS with at least 2 CPUs, 4G Memory, 1G Bandwidth, and SSD Storage drive.

2. All public VPS nodes must be equipped with a web command line interface, so log in to the web interface and have it ready in case you need to stop the firewall. Everything was tested and it should not lock you out or terminate the SSH session, but just to be on the safe side, have the web command line interface ready.

Table of Contents

  • Understanding Linux Kernel Hardening
  • Applying Linux Latest Kernel Updates
  • Applying Linux Kernel Hardening Rules

Understanding Linux Kernel Hardening

The Linux kernel is the Core of every Linux system. With its extensive configuration options, it allows you to tweak specific settings to further harden your VPS system. In this Lab, I will focus on Linux kernel configuration entries that support additional hardening to your system, as well as how to apply and save the rules.

Kernel as Layer 1 Security of Defense

Broad system hardening consists of many layers: kernel rules, keeping the system updated, detection and prevention, minimizing services, removing unneeded services, and so on.

The main goal is to prevent unauthorized users from accessing your system; using layers of security is the best approach to protect your VPS. This strategy helps you enforce security measures at different layers and makes the protection process easier to apply and manage.

The Main Goal

The first thing that comes to my mind is web hosting services, and since I know that I am going to harden a “Web Hosting Solution”, the focus is on protecting the services that run the WHS. After going through the hardening rules, you will know what I am talking about. The rules were picked especially for a single server that might run the services needed by a Web Hosting Solution.

Therefore, the various Labs will go into each layer of security measures needed, and show you the importance of knowing what you need to secure/harden and why. For instance, my first layer to protect my VPS is kernel rules, the second is a stateful firewall, the third is intrusion detection and prevention, the fourth is auditing, and so on.

Applying Linux Latest Kernel Updates

Note: First, let’s make sure you have the latest kernel update. Don’t upgrade to the latest distribution, just update. If you find kernel updates, install them and reboot. If it says Kernel is already the newest version, no need to reboot; continue the steps below.

Debian Based

Run the following steps (1 to 3)

1. Install DKMS (Dynamic Kernel Module Support)

apt-get update && apt-get install dkms build-essential

2. Install Latest Generic Kernel Image

apt-get install linux-image-$(uname -r) linux-headers-$(uname -r)
apt-get upgrade

The first command makes sure the image and headers for the running kernel are installed; apt-get upgrade then pulls any newer kernel package the repository offers.

3. Reboot If Kernel Updates Applied

reboot

Red Hat Based

Run the following steps (1 to 6)

1. Import the GPG keys

rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*

2. Install Updates

yum update

3. Install Development Tools

yum groupinstall 'Development Tools'

4. Install Dynamic Kernel Module Support

yum install dkms gcc make kernel-devel

5. Check for kernel Updates

yum install 'kernel*'

6. Reboot If Kernel Updates Applied

reboot

Applying Linux Kernel Hardening Rules

The three most common methods to apply kernel rules:

  • Method1: Straight at the command line – rules are executed right away.
  • Method2: Edit the /etc/sysctl.conf file – save and execute all rules using one command.
  • Method3: Apply rules as a script at startup – flexible, can be executed after certain scripts.

Understanding Kernel Rules ON/OFF Switch

### Rules ON/OFF Switch Values ###
# 0 (zero) -> Rule Disabled / OFF
# 1 (one)  -> Rule Enabled / ON

I am going to show you all methods. For instance, let’s say you want to disable pinging your VPS globally through any interface, you can use an ignore rule which will ignore ICMP response.

Method1: Straight at the command line

Run the following steps (1 to 3)

If you have worked on Cisco routers or switches, applying kernel rules at the command line is similar to using Cisco config mode. The commands are applied to the system right away, the moment you hit Enter.

1. First, view the Kernel Rule value

sysctl -a | grep -i net.ipv4.icmp_echo_ignore_all

The default value output should carry 0 value as shown below:

net.ipv4.icmp_echo_ignore_all = 0

2. Apply Ping Ignore Rule using 1 value

But before you apply it, try to ping your VPS and see if it responds. It should respond; then apply the rule and try again.

TIP: If you are Windows User, open cmd type ping YOUR-VPS-IP-ADDRESS -t, the switch -t will keep the ping continuously running.

sysctl -w net.ipv4.icmp_echo_ignore_all=1

At my windows cmd command line, I got “Request time out” the moment I applied the rule.

3. Disable the Rule using 0 value

sysctl -w net.ipv4.icmp_echo_ignore_all=0

Now, try to ping your VPS again; a “Reply from…” message indicates that pinging is going through. That was method1. However, if your VPS gets restarted, you will lose the kernel rule configuration, so in method2 you will save the custom kernel rules so that they are re-applied when the VPS restarts.

Note: Method1 won’t give you the chance to save your rules. Use method2 to save your rules in a configuration file, or method3 to run the rules as a script every time the VPS reboots.

Method2: Edit /etc/sysctl.conf file

The sysctl.conf file is the default location to add, save, and run kernel rules. Technically, it is a configuration file dedicated only to kernel rules, read and applied by the sysctl command. Besides, it allows you to associate multiple values with a single rule if needed, for example net.ipv4.ip_local_port_range = 2000 65000.

Run the following steps (1 to 3)

Assuming you tested the ping ignore rule and you are ready to add it to the sysctl.conf file:

1. Edit sysctl.conf file

nano /etc/sysctl.conf

2. Add Pinging Ignore Rule

Add it to the end of the file.

# Disable Globally Ping Response from Public or Private Networks.
net.ipv4.icmp_echo_ignore_all = 1

Save: Ctrl-X, Hit Y Key, and Enter

3. Apply The Rules 

sysctl -p /etc/sysctl.conf

You will then see the output of the applied rules.

Method3: Apply Rules as Script at the startup

I prefer Method3 since it allows me to run it after or before another script.

TIP: when it comes to multiple values for a single kernel rule, I use the echo command inside the script. You will notice the echo command being used whenever I need to associate multiple values with a single kernel rule.

Run the following steps (1 to 7)

1. Create IPtables Workspace Folder

Note: please keep the directory name iptables since all scripts will point to this directory.

mkdir -p /etc/network/iptables

2. Create a kernel-hardening-rules.sh Script

nano /etc/network/iptables/kernel-hardening-rules.sh

Click the following Kernel Rules Script, select all, copy, and paste its content inside the newly created script kernel-hardening-rules.sh window.

Kernel Hardening Rules Script

I recommend reading the Kernel Rules Script to further understand its functions.

Save: Ctrl-X, Hit Y Key, and Enter

3. Apply Execution Permission

chmod +x /etc/network/iptables/kernel-hardening-rules.sh

4. Allow Only Root Access to Scripts

chmod 700 -R /etc/network/iptables

5. Apply Kernel Hardening Rules

/etc/network/iptables/kernel-hardening-rules.sh

It should apply fine on a KVM VPS; however, if you see any problems applying it on an OpenVZ VPS, contact your OpenVZ VPS provider. The output should look like this:

kernel.msgmnb = 65535
kernel.msgmax = 65535
fs.suid_dumpable = 0
kernel.randomize_va_space = 2
kernel.kptr_restrict = 1
net.ipv4.icmp_echo_ignore_all = 0
sysctl: cannot stat /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose: No such file or directory
net.netfilter.nf_conntrack_tcp_loose = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.tcp_fin_timeout = 7
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.tcp_timestamps = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv4.icmp_echo_ignore_all = 0

Note: the cannot stat error comes from the fact that ip_conntrack_tcp_loose is known on Ubuntu and CentOS as nf_conntrack_tcp_loose instead, so you can skip that error if you use Ubuntu or CentOS. If you look at the next line, you will find that the rule was already applied using nf_conntrack_tcp_loose.
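The linked script is not reproduced on this page, so here is an added example (my own code, not the author’s kernel-hardening-rules.sh) of the same Method3 idea in bash: it reads a rules file in sysctl.conf format, applies each key only if this kernel exposes it under /proc/sys (which is exactly why ip_conntrack_tcp_loose fails on Ubuntu and CentOS while nf_conntrack_tcp_loose works), and audits the live values afterwards. The SYS_ROOT variable, the rules-file argument and the function names are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not the page's kernel-hardening-rules.sh: apply a rule file in
# sysctl.conf format key by key, skip keys this kernel does not expose (the
# ip_conntrack_tcp_loose / nf_conntrack_tcp_loose case above), then audit the
# live values by reading /proc/sys back. SYS_ROOT and the function names are
# assumptions; SYS_ROOT lets the audit run against a fake tree, not the kernel.
SYS_ROOT="${SYS_ROOT:-/}"

# net.ipv4.conf.all.rp_filter -> /proc/sys/net/ipv4/conf/all/rp_filter
key_to_path() {
    printf '%s/proc/sys/%s\n' "${SYS_ROOT%/}" "$(printf '%s' "$1" | tr . /)"
}

# Print "key value" pairs from "key = value" lines; blanks and '#' comments are
# dropped and a multi-value rule keeps its whole value ("... 2000 65000").
parse_rules() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*\([^[:space:]=]*\)[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1 \2/' "$1"
}

# Write one value only if the kernel exposes the key; return 2 when skipped.
apply_rule() {
    path=$(key_to_path "$1")
    [ -e "$path" ] || { echo "skip: $1 (no such key on this kernel)" >&2; return 2; }
    printf '%s\n' "$2" > "$path"
}

# Apply every rule in the file (needs root on the live system).
apply_rules() {
    while read -r key value; do apply_rule "$key" "$value" || true; done <<EOF
$(parse_rules "$1")
EOF
}

# Compare each rule with the live value; print drifted keys and return the
# number of mismatches (a missing key counts as drift).
audit_rules() {
    drift=0
    while read -r key want; do
        path=$(key_to_path "$key"); have=""
        if [ -r "$path" ]; then have=$(tr '\t' ' ' < "$path"); fi
        if [ "$have" != "$want" ]; then
            echo "DRIFT $key: want '$want' have '${have:-<missing>}'"
            drift=$((drift + 1))
        fi
    done <<EOF
$(parse_rules "$1")
EOF
    return "$drift"
}
```

Run apply_rules /path/to/rules.conf as root and then audit_rules with the same file; a non-zero exit status is the number of keys whose live value does not match the file.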

6. Add Kernels Hardening Rules to Startup

Add the kernel hardening script path to the end of the custom-scripts.sh file.

Edit custom-scripts.sh file

nano /etc/init.d/custom-scripts.sh

It should look like this:

#!/bin/bash
### BEGIN INIT INFO
# Provides:          custom-scripts
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: custom-scripts
# Description:       Applying Customized Startup Scripts
### END INIT INFO
echo
echo "Applying Customized Startup Scripts..."
echo
#################################################
# Write down your script's path below
# Kernel Hardening Rules
/etc/network/iptables/kernel-hardening-rules.sh

Save: Ctrl-X, Hit Y Key, and Enter

7. Edit sysctl.conf Kernel Rules

Since I am going to use a script to apply the kernel hardening rules (Method3), I need to disable any enabled kernel rules inside the sysctl.conf file. Go through the file slowly, look for any enabled kernel rules, and use a hash sign to disable each of them. DigitalOcean or Vultr might have added recommended rules; disable all of them using the hash sign.

nano /etc/sysctl.conf

E.g. the following rules are disabled by using the hash # sign.

# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0

# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1

Save: Ctrl-X, Hit Y Key, and Enter

Subject Related

By Wikipedia Hardening Systems | Arch Hardening Best Practices | Debian Hardening Rules | SANS Institute | NixCraft


About Imad Daou

CCNA HUB Founder, Imad has been in IT field since 2007. Currently holding A+, Network+, Server+, Security+, and Storage+. HP, Dell, and IBM Hardware Certified. Pursuing Linux+, LPIC-2, RHCSA, RHCE, AWS, CCNA, and JNCIA.

DISCUSSION

huseldusel says

September 24, 2017 at 3:31 AM

thank you!
