Sysctl hardening tweaks, 99_magic_sysrq.conf, net.ipv4.icmp_echo_ignore_all=1
23 December 2021, 19:21:54

Hello guys, Merry Christmas. I wanna tweak those kernel parameters, hardening some things related to networking and for the kernel also. Now I'm seeing a file that is supposed to be edited, /etc/sysctl.d/99_magic_sysrq.conf, if I'm not wrong. The question is: do I have to create a new "file.conf", or just edit "99_magic_sysrq.conf", where I should add my tweaked desired parameters? I've found a guide which I consider a good one (can be found here). Also it would be nice if guys more knowledgeable on these parameters could review whether the guide I'm following would indeed harden the system, or if there is a better guide somewhere else. Thanks for any clue you guys can have on this topic. Cheers!!!

Last Edit: 28 December 2021, 08:33:47 by Surf3r
Re: Sysctl hardening tweaks, 99_magic_sysrq.conf
Reply #1 – 23 December 2021, 22:26:48

Searched deeper into the Arch wiki and found that to load sysctl kernel parameters permanently we have to add those lines inside 99-sysctl.conf, but on Artix we only have "99_magic_sysrq.conf", so I assume this is the file to be edited. Also, a file can be added inside "/etc/sysctl.d/" from where those sysctl parameters can be read.
Re: Sysctl hardening tweaks, 99_magic_sysrq.conf
Reply #2 – 23 December 2021, 22:44:52

Code:
man sysctl

Files in /etc/sysctl.d are handled by sysctl(1). For example, 66 calls sysctl --system. As with any *.d/*.conf, the naming doesn't matter. The .conf files in such directories will all be sourced alphabetically (hence the numbers at the start of the files).
Re: Sysctl hardening tweaks, 99_magic_sysrq.conf
Reply #3 – 24 December 2021, 00:40:27

I think I can put my new sysctl.conf in /etc/, as when I'm doing # sysctl -p to reload rules I'm getting a complaint that it's not in /etc/, so I put it there so it will not complain?

edit: yes it worked, tnx, it's ok now, those params were changed, hope they will be there after a reboot.. will come with another edit when I reboot, tnx again.

edit2: it worked as expected, creating sysctl.conf in /etc/. All new params were loaded at boot so they are persistent.

Last Edit: 24 December 2021, 01:24:52 by Surf3r
Re: Sysctl hardening tweaks, 99_magic_sysrq.conf
Reply #4 – 27 December 2021, 21:41:58

Hi all. After creating sysctl.conf in /etc/ and placing my desired sysctl values, all seem to work fine except "net.ipv4.icmp_echo_ignore_all=1", which ignores pings toward my system. Is this in any way related to dhclient, from where I'm getting my wired internet connection via router? Sometimes when I issue "dhclient -eth0" and it fails (when I have my ethernet wire loose) I get some output like "...ping for x seconds.....blah blah bla", so dhclient must be using "net.ipv4.icmp_echo_ignore_all=0", changing my "=1" value. Can this be the cause? Tnx and Happy New Year if we will not see each other till next year.
Re: Sysctl hardening tweaks, 99_magic_sysrq.conf
Reply #5 – 27 December 2021, 22:02:08

Code:
man 7 icmp

Quote:
/proc interfaces
ICMP supports a set of /proc interfaces to configure some global IP parameters. The parameters can be accessed by reading or writing files in the directory /proc/sys/net/ipv4/. Most of these parameters are rate limitations for specific ICMP types. Linux 2.2 uses a token bucket filter to limit ICMPs. The value is the timeout in jiffies until the token bucket filter is cleared after a burst. A jiffy is a system dependent unit, usually 10ms on i386 and about 1ms on alpha and ia64.
[...]
icmp_echo_ignore_all (since Linux 2.2)
If this value is nonzero, Linux will ignore all ICMP_ECHO requests.
Re: Sysctl hardening tweaks, 99_magic_sysrq.conf
Reply #6 – 27 December 2021, 22:41:05

But why doesn't it load this line "net.ipv4.icmp_echo_ignore_all=1"? Everything else works just fine except this. The kernel should apply that setting that I instructed it to load, and not "=0" but "=1".
Re: Sysctl hardening tweaks, 99_magic_sysrq.conf
Reply #7 – 28 December 2021, 00:49:13

Looks like the value must also be changed in /etc/ufw/sysctl.conf.

EDIT: Yeah, it worked (after rebooting 100 times) by changing "net.ipv4.icmp_echo_ignore_all=1" in "/etc/ufw/sysctl.conf".

Last Edit: 28 December 2021, 01:10:47 by Surf3r
Re: Sysctl hardening tweaks, 99_magic_sysrq.conf, net.ipv4.icmp_echo_ignore_all=1
Reply #8 – 28 December 2021, 09:37:11

The quoted part of the manpage details that the kernel exposes the parameter through a /proc pseudo-file system. That means that it can be changed by any other program on the system (given sufficient privileges), simply by writing to the corresponding file. As you found out, by ufw as well.
Re: Sysctl hardening tweaks, 99_magic_sysrq.conf, net.ipv4.icmp_echo_ignore_all=1
Reply #9 – 28 December 2021, 11:06:37

True, but it is not always very easy to determine which other .conf should be edited, because many packages are involved in the networking part of the system, so this can prove tricky. I know there is a more reliable way: to edit before.rules from iptables, if I remember correctly. Tnx for the replies @strajder