Topic solved

Sysctl hardening tweaks, 99_magic_sysrq.conf, net.ipv4.icmp_echo_ignore_all=1

Hello guys, Merry Christmas :) I want to tweak those kernel parameters, hardening some things related to networking and for the kernel also. Now I'm seeing a file that is supposed to be edited,
/etc/sysctl.d/99_magic_sysrq.conf, if I'm not wrong.
The question is: do I have to create a new "file.conf" or just edit "99_magic_sysrq.conf"? Where should I add my tweaked desired parameters? I've found a guide which I consider a good one (can be found here).
Also it would be nice if guys more knowledgeable on these parameters could review whether the guide I'm following would indeed harden the system, or if there is a better guide somewhere else. Thanks for any clue you guys can have over this topic. Cheers!!! ;)

Re: Sysctl hardening tweaks, 99_magic_sysrq.conf

Reply #1
Searched deeper into the Arch wiki and found that to load sysctl kernel parameters permanently we have to add those lines inside
99-sysctl.conf, but on Artix we only have "99_magic_sysrq.conf", so I assume this is the file to be edited. Also a file can be added inside
"/etc/sysctl.d/" from where those sysctl parameters can be read. 8)

Re: Sysctl hardening tweaks, 99_magic_sysrq.conf

Reply #2
man sysctl

Files in /etc/sysctl.d are handled by sysctl(1). For example, 66 calls sysctl --system.

As with any *.d/*.conf, the naming doesn't matter. The .conf files in such directories will all be sourced alphabetically (hence the numbers at the start of the files).

Re: Sysctl hardening tweaks, 99_magic_sysrq.conf

Reply #3
I think I can put my new sysctl.conf in /etc/, as when I'm doing #sysctl -p to reload rules I'm getting a complaint that it's not in /etc/, so I put it there so it will not complain? :D

edit: yes it worked :D tnx, it's ok now, those params were changed, hope they will be there after a reboot.. will come with another edit when I reboot :D tnx again

edit2: it worked as expected, creating sysctl.conf in /etc/

All new params were loaded at boot so they are persistent

Re: Sysctl hardening tweaks, 99_magic_sysrq.conf

Reply #4
Hi all. After creating sysctl.conf in /etc/ and placing my desired sysctl values, all seem to work fine except "net.ipv4.icmp_echo_ignore_all=1", which ignores pings toward my system. Is this in any way related to dhclient, from where I'm getting my wired internet connection via router? Sometimes when I issue "dhclient -eth0" and it fails (when I have my ethernet wire loose) I get some output like ...ping for x seconds.....blah blah bla, so dhclient must be using "net.ipv4.icmp_echo_ignore_all=0", changing my "=1" value. Can this be the cause? Tnx and Happy New Year if we don't see each other till next year :D

Re: Sysctl hardening tweaks, 99_magic_sysrq.conf

Reply #5
man 7 icmp
   /proc interfaces
       ICMP supports a set of /proc interfaces to configure some global IP parameters. The parameters can be accessed by reading or writing files in the directory /proc/sys/net/ipv4/. Most of these parameters are rate limitations for specific ICMP types. Linux 2.2 uses a token bucket filter to limit ICMPs. The value is the timeout in jiffies until the token bucket filter is cleared after a burst. A jiffy is a system dependent unit, usually 10ms on i386 and about 1ms on alpha and ia64.
[...]
       icmp_echo_ignore_all (since Linux 2.2)
              If this value is nonzero, Linux will ignore all ICMP_ECHO requests.

Re: Sysctl hardening tweaks, 99_magic_sysrq.conf

Reply #6
But why doesn't it load this line "net.ipv4.icmp_echo_ignore_all=1"? Everything else works just fine except this :o. The kernel should apply that setting that I instructed it to load, not "=0" but "=1".

Re: Sysctl hardening tweaks, 99_magic_sysrq.conf

Reply #7
Looks like the value must also be changed in /etc/ufw/sysctl.conf

EDIT: Yeah it worked (after rebooting 100 times) by changing "net.ipv4.icmp_echo_ignore_all=1" in "/etc/ufw/sysctl.conf"

Re: Sysctl hardening tweaks, 99_magic_sysrq.conf, net.ipv4.icmp_echo_ignore_all=1

Reply #8
The quoted part of the manpage details that the kernel exposes the parameter through a /proc pseudo-file system. That means that it can be changed by any other program on the system (given sufficient privileges), simply by writing to the corresponding file. As you found out, by ufw as well.
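An added check for exactly the situation in Reply #2 (drop-ins are sourced in order) and Replies #7 and #8 (another program, here ufw, rewrites the same /proc/sys pseudo-file later). This is example code written for this page, not code from the thread, from Artix, procps or ufw; the function names sysctl_trace, sysctl_effective, sysctl_live and demo_dir are this example's own, and the config tree it runs against is constructed in a temp directory rather than read from the real /etc. It lists every file that assigns a key, in the order the files are passed, reports the value that wins, and compares that with what the kernel currently holds.

```shell
#!/bin/sh
# Added example: trace which sysctl config file sets a key and what value wins.
# Not from the thread or any project; the function names are this example's own.

# sysctl_trace KEY FILE... : print "file<TAB>value" for every assignment of KEY in
# the given files, in the order they are passed (which should be the order they are
# applied). Understands "key = value", "key=value", "/" instead of "." in keys, the
# "-key" prefix that tells sysctl to ignore errors, and "#"/";" comment lines.
sysctl_trace() {
    key=$(printf '%s' "$1" | tr '/' '.')
    shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        sed -e '/^[[:space:]]*[#;]/d' -e '/^[[:space:]]*$/d' "$f" |
        while IFS= read -r line; do
            case $line in *=*) ;; *) continue ;; esac
            lhs=$(printf '%s' "${line%%=*}" | tr -d '[:space:]' | sed 's/^-//' | tr '/' '.')
            [ "$lhs" = "$key" ] || continue
            rhs=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
            printf '%s\t%s\n' "$f" "$rhs"
        done
    done
}

# sysctl_effective KEY FILE... : the value from the last matching assignment
# (the one left in effect when the files are applied in that order), or empty.
sysctl_effective() {
    sysctl_trace "$@" | tail -n 1 | cut -f 2
}

# sysctl_live KEY : what the kernel holds right now, read straight from /proc/sys
# (the same pseudo-files any privileged program, ufw included, can write to).
sysctl_live() {
    path="/proc/sys/$(printf '%s' "$1" | tr '.' '/')"
    if [ -r "$path" ]; then cat "$path"; else echo "(unreadable: $path)"; fi
}

# demo_dir : constructed sample config tree in a temp dir (not real system files),
# mirroring the thread: a hardening entry in sysctl.conf, a sysrq drop-in, and a
# ufw-style file that sets the ping key back to 0.
demo_dir() {
    d=$(mktemp -d)
    mkdir -p "$d/sysctl.d" "$d/ufw"
    printf 'kernel.sysrq = 0\n' > "$d/sysctl.d/99_magic_sysrq.conf"
    printf '# hardening tweaks\nnet.ipv4.icmp_echo_ignore_all = 1\nnet.ipv4.tcp_syncookies = 1\n' > "$d/sysctl.conf"
    printf '# applied by ufw at start-up\nnet/ipv4/icmp_echo_ignore_all=0\n' > "$d/ufw/sysctl.conf"
    printf '%s\n' "$d"
}

# Stand-alone run against the constructed tree.
dir=$(demo_dir)
key_of_interest=net.ipv4.icmp_echo_ignore_all
echo "Assignments in application order:"
sysctl_trace "$key_of_interest" "$dir"/sysctl.d/*.conf "$dir/sysctl.conf" "$dir/ufw/sysctl.conf"
echo "Config winner: $(sysctl_effective "$key_of_interest" "$dir"/sysctl.d/*.conf "$dir/sysctl.conf" "$dir/ufw/sysctl.conf")"
echo "Live kernel value: $(sysctl_live "$key_of_interest")"
rm -rf "$dir"
```

On a real system, pass the real files in the order they are applied: per sysctl(8) --system that is /etc/sysctl.d/*.conf, /run/sysctl.d/*.conf, /usr/local/lib/sysctl.d/*.conf, /usr/lib/sysctl.d/*.conf, /lib/sysctl.d/*.conf and finally /etc/sysctl.conf, with a same-named file in an earlier directory shadowing later ones (this script does not model that shadowing, so pass only the files that actually get loaded). Append /etc/ufw/sysctl.conf last, because ufw applies it when it starts (the IPT_SYSCTL setting in /etc/default/ufw), i.e. after sysctl --system has already run, which is why its entries win at boot. If the config winner and the live value still disagree, something else wrote the /proc/sys file after boot; `sysctl -n net.ipv4.icmp_echo_ignore_all` and a `grep -rs icmp_echo_ignore_all /etc /usr/lib/sysctl.d` are the quickest next checks.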


Re: Sysctl hardening tweaks, 99_magic_sysrq.conf, net.ipv4.icmp_echo_ignore_all=1

Reply #9
True, but it is not always very easy to determine what other .conf should be edited, because many packages are involved in the networking part of the system, so this can prove tricky. I know there is a more reliable way to edit before.rules from iptables, if I remember correctly. Tnx for the replies @strajder :P