How to Harden the Linux Kernel with sysctl on RHEL 7
The Linux kernel exposes hundreds of tunable parameters through the /proc/sys/ virtual filesystem, and the sysctl utility provides a clean interface for reading and setting those values at runtime and persistently across reboots. Many of these parameters have direct security implications: they control whether the kernel accepts ICMP redirects from untrusted sources, whether it uses address space layout randomisation (ASLR) to make memory exploitation harder, whether it enables syncookie protection against SYN flood attacks, and whether it drops packets that fail source address validation. On Red Hat Enterprise Linux 7, configuring a hardened set of kernel parameters is a foundational step in any server security baseline and is required by frameworks such as CIS Benchmarks, DISA STIG, and PCI-DSS. This tutorial covers the most impactful network and kernel security parameters, explains what each one does, and shows you how to apply them persistently.
Prerequisites
- RHEL 7 system with root access.
- The procps-ng package, which provides sysctl (installed by default on RHEL 7).
- Basic understanding of TCP/IP networking concepts.
- No active network sessions that would be disrupted by the network changes (all parameters in this guide are non-disruptive to established sessions).
Step 1: Understanding sysctl Configuration Files
Kernel parameters can be set in two ways: transiently at runtime with sysctl -w (lost on reboot) or persistently in configuration files that are applied at boot time.
On RHEL 7, persistent sysctl configuration is loaded from:
- /etc/sysctl.conf — The primary, traditional configuration file.
- /etc/sysctl.d/*.conf — Drop-in directory for modular configuration. Files are loaded in lexicographic order, before /etc/sysctl.conf.
The recommended practice on RHEL 7 is to place your customisations in a file under /etc/sysctl.d/ rather than editing /etc/sysctl.conf directly, so your changes remain separate from any distribution-managed settings:
# View all current sysctl values
sysctl -a
# Read a specific value at runtime
sysctl net.ipv4.tcp_syncookies
# Set a value transiently (runtime only, lost on reboot)
sysctl -w net.ipv4.tcp_syncookies=1
# Apply all settings from the persistent configuration files
sysctl -p /etc/sysctl.d/99-hardening.conf
Step 2: Enable SYN Cookie Protection
A SYN flood attack exhausts the server’s connection queue by sending thousands of TCP SYN packets without completing the three-way handshake. The tcp_syncookies parameter enables the SYN cookies mechanism: when the connection backlog is full, the kernel generates a cryptographically protected cookie in the SYN-ACK sequence number, allowing legitimate connections to complete without requiring backlog queue space.
# /etc/sysctl.d/99-hardening.conf
# Enable SYN flood protection
net.ipv4.tcp_syncookies = 1
This should be enabled on virtually every internet-facing server. It has negligible performance impact under normal traffic and significantly improves resilience during a SYN flood.
Step 3: Enable Reverse Path Filtering
Reverse Path Filtering (RPF) causes the kernel to discard incoming packets whose source address cannot be reached via the interface on which they arrived. This defeats IP spoofing attacks where an attacker forges the source address of packets to bypass IP-based access controls or to reflect traffic at a third-party victim.
# Strict mode (1): discard if the reverse path does not match the incoming interface
# Loose mode (2): discard only if the source is unreachable on any interface
# Disabled (0): no check
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
Use strict mode (1) on single-homed servers. On routers or servers with multiple network interfaces that legitimately receive asymmetrically routed traffic, use loose mode (2) to avoid dropping valid packets.
Step 4: Disable ICMP Broadcast Responses
The Smurf attack is a DDoS amplification technique where an attacker sends ICMP echo requests (pings) with a spoofed source address to a network broadcast address. Every host on the network responds to the broadcast, flooding the spoofed victim with ICMP echo replies. Disabling broadcast responses eliminates your server as a potential amplifier.
# Ignore ICMP echo requests to broadcast/multicast addresses
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP error responses (reduces log spam from misconfigured hosts)
net.ipv4.icmp_ignore_bogus_error_responses = 1
Step 5: Enable Address Space Layout Randomisation (ASLR)
ASLR randomises the memory addresses used by the stack, heap, and shared libraries each time a process starts. This makes it significantly harder for an attacker who has found a buffer overflow or use-after-free vulnerability to predict where their shellcode or return-oriented programming gadgets will be in memory.
# ASLR settings:
# 0 = disabled (never use)
# 1 = randomise stack and libraries, but not heap
# 2 = full randomisation (stack, heap, and libraries) — recommended
kernel.randomize_va_space = 2
Full ASLR (2) is the default on RHEL 7, but it is worth explicitly declaring in your hardening configuration so that it is not silently disabled by another configuration file and the deliberate security decision is documented.
Step 6: Disable Core Dumps for Set-UID Programs
Set-UID (SUID) programs run with elevated privileges. If such a program crashes and generates a core dump, the dump can contain sensitive data (cryptographic keys, password hashes, session tokens) from the privileged process’s memory. Setting fs.suid_dumpable to 0 prevents core dumps from SUID programs.
# Core dump settings:
# 0 = no core dumps for SUID/SGID programs — recommended
# 1 = allow core dumps (debugging; never in production)
# 2 = managed dumps (core files readable only by root)
fs.suid_dumpable = 0
Pair this with a line such as * hard core 0 in /etc/security/limits.conf (enforced via PAM) to suppress core dumps for all users.
Step 7: Disable ICMP Redirect Acceptance
ICMP redirect messages tell a host to update its routing table to use a different gateway for a specific destination. An attacker on the local network can send forged ICMP redirects to poison the routing table of your server, redirecting traffic through an attacker-controlled host. Disabling redirect acceptance prevents this class of attack.
# Disable accepting ICMP redirects (all interfaces)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Also disable for IPv6 if in use
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Disable sending ICMP redirects (only relevant if the host acts as a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Step 8: Additional Recommended Network Parameters
Several other parameters round out a solid network hardening baseline:
# Disable IP source routing (prevents attackers from specifying the packet route)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# TCP timestamps assist with round-trip time estimation but can disclose system uptime;
# disable them (0) if uptime disclosure is a concern, otherwise keep the default (1)
net.ipv4.tcp_timestamps = 0
# Protect against TIME_WAIT assassination
net.ipv4.tcp_rfc1337 = 1
# Log martian packets (packets with impossible source addresses)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Disable IPv6 if not in use (reduces attack surface)
# Only set these if your environment genuinely does not use IPv6
# net.ipv6.conf.all.disable_ipv6 = 1
# net.ipv6.conf.default.disable_ipv6 = 1
Step 9: Write and Apply the Complete Configuration File
Consolidate all the parameters into a single drop-in file:
cat > /etc/sysctl.d/99-hardening.conf <<'EOF'
# RHEL 7 Kernel Hardening Parameters
# Applied by sysctl -p /etc/sysctl.d/99-hardening.conf
# --- Network: SYN flood protection ---
net.ipv4.tcp_syncookies = 1
# --- Network: Reverse path filtering ---
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# --- Network: ICMP broadcast protection ---
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# --- Network: Disable ICMP redirect acceptance ---
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# --- Network: Disable ICMP redirect sending ---
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# --- Network: Disable source routing ---
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# --- Network: Log martian packets ---
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# --- Network: TCP protections ---
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_timestamps = 0
# --- Kernel: Full ASLR ---
kernel.randomize_va_space = 2
# --- Kernel: Disable SUID core dumps ---
fs.suid_dumpable = 0
EOF
Apply the settings immediately without rebooting:
sysctl -p /etc/sysctl.d/99-hardening.conf
You will see each parameter echoed back as it is applied. Verify that a specific value took effect:
sysctl net.ipv4.tcp_syncookies
sysctl kernel.randomize_va_space
To apply all configuration files from all locations at once:
sysctl --system
Step 10: Verify the Settings Persist Across Reboots
After a reboot, confirm the settings are still in effect:
reboot
# After coming back online:
sysctl net.ipv4.tcp_syncookies
sysctl net.ipv4.conf.all.rp_filter
sysctl kernel.randomize_va_space
sysctl fs.suid_dumpable
If a value reverts to its default, check that no other configuration file in /etc/sysctl.d/ is overriding your setting. Files are loaded in lexicographic order, so 99-hardening.conf will override most distribution defaults (which are typically numbered lower), but a package-installed file with a higher number could override yours, and /etc/sysctl.conf, which is read last, overrides every drop-in.
# Check for conflicting files
grep -r "tcp_syncookies" /etc/sysctl.conf /etc/sysctl.d/
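Both checks in Steps 9 and 10 (confirming that the applied values match the drop-in, and finding out which file wins when a setting reverts) can be scripted. The following is an added example written for this page, not code from the tutorial: a POSIX sh script that normalises sysctl.conf-style files, audits a snapshot of current values against the hardening drop-in, and reports the last file in load order that sets a given key. The file names, the vendor drop-in and the sysctl -a style snapshot are constructed sample data; on a real RHEL 7 host you would feed it the real drop-in and the output of sysctl -a.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit a host's running
# sysctl values against a hardening drop-in, and work out which configuration
# file wins for a given key. Requires only POSIX sh, sed, awk and mktemp.
# All file names and sample values below are constructed for illustration.

# Normalise a file in sysctl.conf or `sysctl -a` format to "key=value" lines:
# comments and blank lines dropped, '/' in keys rewritten to '.', whitespace
# around '=' removed and runs of whitespace inside values collapsed.
normalize_sysctl() {
    sed -e 's/[#;].*$//' "$1" | awk -F'=' '
        NF >= 2 {
            key = $1
            sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            gsub("/", ".", key)
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            gsub(/[ \t]+/, " ", val)
            if (key != "") print key "=" val
        }'
}

# Compare every key in the expected file ($1) with a snapshot of current
# values ($2, normally the output of `sysctl -a`). Prints one line per key
# and returns the number of keys that are missing or drifted (0 = compliant).
audit_sysctl() {
    exp_tmp=$(mktemp) && cur_tmp=$(mktemp) || return 2
    normalize_sysctl "$1" > "$exp_tmp"
    normalize_sysctl "$2" > "$cur_tmp"
    awk -F'=' '
        FILENAME == ARGV[1] { cur[$1] = substr($0, length($1) + 2); next }
        {
            key = $1; want = substr($0, length($1) + 2)
            if (!(key in cur))         { printf "MISSING %s (expected %s)\n", key, want; bad++ }
            else if (cur[key] != want) { printf "DRIFT   %s = %s (expected %s)\n", key, cur[key], want; bad++ }
            else                       printf "OK      %s = %s\n", key, want
        }
        END { exit bad + 0 }' "$cur_tmp" "$exp_tmp"
    rc=$?
    rm -f "$exp_tmp" "$cur_tmp"
    return "$rc"
}

# Print "file=value" for the last file in the given load order that sets the
# key (later files override earlier ones, which is how sysctl --system treats
# lexicographically sorted drop-ins followed by /etc/sysctl.conf). Prints an
# empty line if no file sets the key.
effective_setting() {
    key=$1; shift
    winner=""
    for f in "$@"; do
        v=$(normalize_sysctl "$f" | awk -F'=' -v k="$key" \
            '$1 == k { v = substr($0, length(k) + 2); found = 1 } END { if (found) print v }')
        [ -n "$v" ] && winner="$f=$v"
    done
    printf '%s\n' "$winner"
}

# Constructed sample files (not captured from a real host): a hardening
# drop-in, a `sysctl -a`-style snapshot, and a vendor drop-in that sorts after
# ours and overrides one key. Prints the directory holding them.
write_samples() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/99-hardening.conf" <<'EOF'
# subset of the tutorial's baseline
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_timestamps = 0
net.ipv6.conf.all.accept_redirects = 0
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
EOF
    # tcp_timestamps has drifted back to 1; the IPv6 key is absent, as it is
    # when the ipv6 module is not loaded.
    cat > "$dir/current.txt" <<'EOF'
fs.suid_dumpable = 0
kernel.randomize_va_space = 2
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_rmem = 4096   87380   6291456
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 1
EOF
    cat > "$dir/99-zz-vendor.conf" <<'EOF'
net/ipv4/conf/all/rp_filter = 2
EOF
    printf '%s\n' "$dir"
}

# Demonstration on the constructed samples. On a real RHEL 7 host use:
#   sysctl -a 2>/dev/null > /tmp/current.txt
#   audit_sysctl /etc/sysctl.d/99-hardening.conf /tmp/current.txt
samples=$(write_samples)
audit_sysctl "$samples/99-hardening.conf" "$samples/current.txt" \
    || echo "$? setting(s) need attention"
echo "rp_filter is set by: $(effective_setting net.ipv4.conf.all.rp_filter \
    "$samples/99-hardening.conf" "$samples/99-zz-vendor.conf")"
rm -rf "$samples"
```

The audit reports each key as OK, DRIFT (present but with a different value) or MISSING (not present in the snapshot at all, which is what you see for IPv6 keys when the module is not loaded), and its return code is the number of non-compliant keys, so it drops straight into a cron job or a configuration-management check. effective_setting takes the files in the order sysctl --system would apply them; pass the sorted contents of /etc/sysctl.d/ followed by /etc/sysctl.conf to see which file is really responsible for a value that keeps reverting.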
Conclusion
Kernel parameter hardening via sysctl is one of the cheapest security improvements you can make on a RHEL 7 server: it requires no additional software, has negligible performance cost, and mitigates a wide range of network-level and local privilege escalation attack vectors. The parameters covered in this tutorial — SYN cookies, reverse path filtering, broadcast ICMP suppression, redirect acceptance, ASLR, and SUID core dump prevention — form the core of every major Linux security benchmark. By placing them in a dedicated drop-in file under /etc/sysctl.d/, you keep your hardening configuration self-contained, version-controllable, and easy to audit. After applying these settings, consider using a CIS Benchmark scanning tool such as OpenSCAP (yum install openscap-scanner scap-security-guide) to verify your entire security baseline and identify any remaining gaps.