Grsecurity Module
Grsecurity is an extensive security patch set (including PaX) for the Linux kernel that hardens the kernel against attacks, with many options for both desktop and server use.
Grsecurity Kernel Parameters (set in make menuconfig under Security options -> Grsecurity):
- Automatic configuration: Usage type Desktop, Virtualization type KVM/Host, Priority Performance
- Checking "Hide kernel processes"
- Unchecking "Enforce Non-Executable Kernel Logs"
- Unchecking "Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port" (KMEM)
- Unchecking MPROTECT (PaX)
Grsecurity Setup with Administration Privilege:
- Install kernel-package, build-essential, patch, bin86, libncurses5-dev, gcc-*-plugin-dev and paxtest (run ./paxtest kiddie afterwards to verify the PaX protections)
- Login as root
- cd /usr/src/linux-4.9.24 (the kernel source tree matching the grsecurity patch version)
- patch -p1 < /path/to/grsecurity-<version>.patch (the path is a placeholder for the downloaded patch file)
- make menuconfig
- make-kpkg clean
- make-kpkg --initrd --append-to-version "grsec1.0" kernel_image
- cd .. (i.e. cd /usr/src, where make-kpkg wrote the .deb package)
- dpkg -i *.deb (or ./*.deb, or ../*.deb when still inside the source tree)
- reboot
- sudo uname -r (confirm the running kernel carries the grsec1.0 suffix)
- dpkg --list | grep linux-image
- apt-get remove --purge linux-image-* (remove old kernel packages; check the list above first so the new grsec image is not purged along with them)
- journalctl -p err -b (review kernel errors from the current boot)
A few tricks to lock down the root login:
- Checking status: sudo passwd -S root
- Locking root login: sudo passwd -l root
- Unlocking root login: sudo passwd -u root
- Jumping into root: sudo -i
- FreeBSD: sudo pw lock root / sudo pw unlock root
SSH Hardening
Editing /etc/ssh/sshd_config with Administration Privilege to:
AllowUsers <username>
Protocol 2
ClientAliveCountMax 2
ClientAliveInterval 300
IgnoreRhosts yes
MaxAuthTries 3
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
Port 2222
UseDNS yes
X11Forwarding no
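The directives above can be verified mechanically. The script below is an added example, not part of this cheatsheet: it parses an sshd_config the way sshd reads it (keywords are case-insensitive, the first global occurrence of a keyword wins, and everything after the first Match block is conditional), then reports every baseline directive that is missing or set differently. The SAMPLE config is constructed for the demonstration.

```python
import re

# Baseline from the sshd_config list above, keywords lower-cased (sshd is case-insensitive)
BASELINE = {"protocol": "2", "clientalivecountmax": "2", "clientaliveinterval": "300",
            "ignorerhosts": "yes", "maxauthtries": "3", "passwordauthentication": "no",
            "permitemptypasswords": "no", "permitrootlogin": "no", "port": "2222",
            "usedns": "yes", "x11forwarding": "no"}

def parse_sshd_config(text):
    """Global {keyword: value}; like sshd, the FIRST occurrence of a keyword wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*=?\s*(.*)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # everything after the first Match block is conditional, not global
        conf.setdefault(key, value)
    return conf

def audit_sshd_config(text, baseline=BASELINE):
    """Return [(keyword, expected, actual)] for each baseline item not met (actual None if unset)."""
    conf = parse_sshd_config(text)
    findings = [(k, v, conf.get(k)) for k, v in baseline.items()
                if conf.get(k, "").lower() != v]
    if "allowusers" not in conf:  # the list requires an explicit AllowUsers; its value is site-specific
        findings.append(("allowusers", "<username>", None))
    return findings

# Constructed sample config: the duplicated PermitRootLogin shows why first-wins matters
SAMPLE = """\
Port 2222
Protocol 2
PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
AllowUsers admin
MaxAuthTries 3
X11Forwarding no
Match User deploy
    PasswordAuthentication no
"""
if __name__ == "__main__":
    for key, expected, actual in audit_sshd_config(SAMPLE):
        print(f"{key}: expected {expected}, found {actual}")
```

On a live host, read /etc/ssh/sshd_config into `text` and pass it to `audit_sshd_config`; an empty list means every directive on the list is in place.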
Server Sysctl Hardening
Editing /etc/sysctl.conf with Administration Privilege to:
# Controls IP packet forwarding
net.ipv4.ip_forward = 0
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
# Turn on SYN-flood protections
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 5
########### IPv4 networking start ###############
# Send redirects only if this is a router, but this is just a server,
# so no routing is allowed
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Accept packets with SRR option? No
net.ipv4.conf.all.accept_source_route = 0
# Accept Redirects? No, this is not router
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
# Log packets with impossible addresses to kernel log? yes
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable source validation by reversed path, as specified in RFC1812
net.ipv4.conf.all.rp_filter = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
########### IPv6 networking start ###############
# Number of Router Solicitations to send until assuming no routers are present.
# This is host and not router
net.ipv6.conf.default.router_solicitations = 0
# Accept Router Preference in RA?
net.ipv6.conf.default.accept_ra_rtr_pref = 0
# Learn Prefix Information in Router Advertisement
net.ipv6.conf.default.accept_ra_pinfo = 0
# Learn the default router from Router Advertisements? No, this host takes no routes from RAs
net.ipv6.conf.default.accept_ra_defrtr = 0
#router advertisements can cause the system to assign a global unicast address to an interface
net.ipv6.conf.default.autoconf = 0
#how many neighbor solicitations to send out per address?
net.ipv6.conf.default.dad_transmits = 0
# How many global unicast IPv6 addresses can be assigned to each interface?
net.ipv6.conf.default.max_addresses = 1
########## IPv6 networking ends ##############
# Enable ExecShield protection (Red Hat kernels only; upstream kernels have no exec-shield sysctl)
# Set value to 1 or 2 (recommended)
#kernel.exec-shield = 2
# Full address-space layout randomisation (ASLR); 2 is the upstream default
#kernel.randomize_va_space=2
# TCP and memory optimization
# increase TCP max buffer size settable using setsockopt()
#net.ipv4.tcp_rmem = 4096 87380 8388608
#net.ipv4.tcp_wmem = 4096 87380 8388608
# increase Linux auto tuning TCP buffer limits
#net.core.rmem_max = 8388608
#net.core.wmem_max = 8388608
#net.core.netdev_max_backlog = 5000
#net.ipv4.tcp_window_scaling = 1
# increase system file descriptor limit
fs.file-max = 65535
#Allow for more PIDs
kernel.pid_max = 65536
#Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# RFC 1337 fix
net.ipv4.tcp_rfc1337=1
Client Sysctl Hardening
sysctl is the utility used to manage networking and other low-level protective Linux kernel parameters at runtime.
This cheatsheet allows you to quickly secure a currently running server through this powerful tool.
The configuration file for sysctl is located at /etc/sysctl.conf and contains the values to be read and set on system boot. The parameters below assure security for most Linux servers:
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1800
Below is a description of the sysctl directives used to secure the server:
tcp_syncookies
This parameter can help to prevent SYN flood DDoS attacks by testing the validity of the SYN packets. For security reasons it is recommended to enable the parameter. Note that the check is performed without consuming memory or connection resources for half-open connections.
ignore_broadcasts
A ping broadcast is used to see which hosts in the LAN are up, but there are other ways to do this. It is safer to disable this option because ICMP (ping) broadcasts and multicasts are usually a sign of a Smurf attack.
accept_redirects
The parameter controls whether ICMP redirects are accepted. ICMP redirects are important to routers, but can create security problems for servers, so it is recommended to set the parameter to off.
accept_source_route
Tells the kernel whether to accept or decline source-routed packets. Source-routed packets are a security risk, because they can allow routing packets through an untrusted or insecure interface.
rp_filter
This parameter controls reverse path filtering, which tries to ensure packets use legitimate source addresses. When it is turned on it can prevent some IP spoofing attacks.
log_martians
The parameter allows you to keep track of packets which could potentially indicate an attack on the server. These packets are those that include impossible IP addresses, bad source routing, bad redirect packets and others.
send_redirects
Enables or disables the sending of ICMP redirects, which are used mainly by routers to redirect other hosts. For security reasons, it is recommended to disable this option.
fin_timeout
Tells the kernel how many seconds to keep sockets in the FIN-WAIT-2 state, which means that the connection is closed and the socket is waiting for a shutdown from the remote end. Decreasing the value to 30 can avoid some DDoS attacks or other problems that arise from receiving huge numbers of connections.
tcp_keepalive_time
Tells the kernel how often to send TCP keepalive packets to keep a connection alive if it is currently unused. The value 1800, or 30 minutes, is a good value for most servers.
FreeBSD Hardening
System Hardening "Choose system security hardening options:"
- Hide processes running as other users
  - Editing /etc/sysctl.conf with Administration Privilege to:
    - security.bsd.see_other_uids=0
- Hide processes running as other groups
  - Editing /etc/sysctl.conf with Administration Privilege to:
    - security.bsd.see_other_gids=0
- Hide processes running in jails
  - Editing /etc/sysctl.conf with Administration Privilege to:
    - security.bsd.see_jail_proc=0
- Disable reading kernel message buffer for unprivileged users
  - Editing /etc/sysctl.conf with Administration Privilege to:
    - security.bsd.unprivileged_read_msgbuf=0
- Disable process debugging facilities for unprivileged users
  - Editing /etc/sysctl.conf with Administration Privilege to:
    - security.bsd.unprivileged_proc_debug=0
- Randomize the PID of newly created processes
  - Editing /etc/sysctl.conf with Administration Privilege to:
    - kern.randompid=1
- Clean the /tmp filesystem on system startup
  - Editing /etc/rc.conf with Administration Privilege to:
    - clear_tmp_enable="YES"
- Disable opening Syslogd network socket (disables remote logging)
  - Editing /etc/rc.conf with Administration Privilege to:
    - syslogd_flags="-ss"
- Disable Sendmail service
  - Editing /etc/rc.conf with Administration Privilege to:
    - sendmail_enable="NONE"
- Enable console password prompt
  - Editing /etc/ttys with Administration Privilege to change "unknown off secure" to "unknown off insecure" (sed expression):
    - s/unknown off secure/unknown off insecure/g
- Disallow DTrace destructive-mode
  - Editing /boot/loader.conf with Administration Privilege to:
    - security.bsd.allow_destructive_dtrace=0
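The Linux sysctl values listed in the Server and Client Sysctl Hardening sections and the FreeBSD security.bsd.*/kern.* settings in this section can all be audited the same way. The script below is an added example, not part of this cheatsheet: audit_sysctl compares a baseline with whatever a reader callable returns for each key, either the /proc/sys file on Linux, the sysctl -n command (FreeBSD or Linux), or, as here, a constructed SNAPSHOT dict so the example runs offline.

```python
import subprocess

# Expected values taken from the sysctl lists on this page; live values are whitespace-normalised
# before comparison so "2000\t65000" read from /proc/sys matches "2000 65000" from the file.
LINUX_BASELINE = {
    "net.ipv4.ip_forward": "0", "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0", "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.all.rp_filter": "1", "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1", "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.tcp_rfc1337": "1", "net.ipv4.ip_local_port_range": "2000 65000", "kernel.sysrq": "0",
}
FREEBSD_BASELINE = {
    "security.bsd.see_other_uids": "0", "security.bsd.see_other_gids": "0",
    "security.bsd.see_jail_proc": "0", "security.bsd.unprivileged_read_msgbuf": "0",
    "security.bsd.unprivileged_proc_debug": "0", "kern.randompid": "1",
}

def proc_sys_reader(key):
    """Linux only: the running value of a.b.c is the file /proc/sys/a/b/c."""
    try:
        with open("/proc/sys/" + key.replace(".", "/")) as f:
            return f.read()
    except OSError:
        return None  # key absent on this host (module not loaded, IPv6 off, ...)

def sysctl_cmd_reader(key):
    """Portable: ask sysctl(8) itself, which works on both FreeBSD and Linux."""
    r = subprocess.run(["sysctl", "-n", key], capture_output=True, text=True)
    return r.stdout if r.returncode == 0 else None

def audit_sysctl(baseline, reader):
    """Return [(key, expected, actual)]; actual is None when the key does not exist."""
    findings = []
    for key, expected in baseline.items():
        raw = reader(key)
        actual = " ".join(raw.split()) if raw is not None else None
        if actual != expected:
            findings.append((key, expected, actual))
    return findings

# Constructed snapshot standing in for a live host so the example runs offline;
# on a real system pass proc_sys_reader or sysctl_cmd_reader instead of SNAPSHOT.get
SNAPSHOT = {"net.ipv4.ip_forward": "1\n", "net.ipv4.tcp_syncookies": "1\n",
            "net.ipv4.ip_local_port_range": "2000\t65000\n", "net.ipv4.conf.all.rp_filter": "2\n"}

if __name__ == "__main__":
    for key, expected, actual in audit_sysctl(LINUX_BASELINE, SNAPSHOT.get):
        print(f"{key}: expected {expected!r}, got {actual!r}")
```

Keys missing from the snapshot are reported with actual None, which on a real host means the sysctl does not exist there (for example an IPv6 key on a host with IPv6 disabled).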
System Configuration "Choose the services you would like to be started at boot:"
- local_unbound "Local caching validating resolver"
  - Editing /etc/rc.conf with Administration Privilege to:
    - local_unbound_enable="YES"
- sshd "Secure shell daemon"
  - Editing /etc/rc.conf with Administration Privilege to:
    - sshd_enable="YES"
- moused "PS/2 mouse pointer on console"
  - Editing /etc/rc.conf with Administration Privilege to:
    - moused_enable="NO"
- ntpdate "Synchronize system and network time at boot time"
  - Editing /etc/rc.conf with Administration Privilege to:
    - ntpdate_enable="YES"
- ntpd "Synchronize system and network time"
  - Editing /etc/rc.conf with Administration Privilege to:
    - ntpd_enable="YES"
- powerd "Adjust CPU frequency dynamically if supported"
  - Editing /etc/rc.conf with Administration Privilege to:
    - powerd_enable="YES"
- dumpdev "Enable kernel crash dumps to /var/crash"
  - Editing /etc/rc.conf with Administration Privilege to:
    - dumpdev="AUTO"