Kernel sysctl Hardening on an Anubiz Offshore VPS
The Linux kernel ships with defaults that are safe for a workstation, but a public VPS benefits from tighter sysctl values: stricter source-route handling, syncookies for SYN flood resilience, kernel.kptr_restrict to hide kernel pointers, and kernel.dmesg_restrict to prevent unprivileged users from reading the kernel log. This guide builds one drop-in file that you can place on any Anubiz Ubuntu 24.04 VPS to apply a vetted set of values.
Step 1: Drop-In File
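Create /etc/sysctl.d/99-anubiz-harden.conf with the values from Steps 2 to 4, one key=value pair per line. Running sysctl --system as root then reloads every sysctl configuration file and applies the values.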
Step 2: Network Stack
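Set net.ipv4.tcp_syncookies=1, net.ipv4.tcp_rfc1337=1, net.ipv4.conf.all.rp_filter=1, net.ipv4.conf.all.accept_source_route=0, net.ipv4.conf.all.accept_redirects=0, net.ipv4.conf.all.secure_redirects=0, and net.ipv4.conf.all.log_martians=1. Mirror the settings for IPv6 where an equivalent key exists under net.ipv6 (for example net.ipv6.conf.all.accept_source_route and net.ipv6.conf.all.accept_redirects).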
Step 3: Kernel Visibility
Set kernel.kptr_restrict=2, kernel.dmesg_restrict=1, kernel.unprivileged_bpf_disabled=1, and net.core.bpf_jit_harden=2.
Step 4: ASLR and Core Dumps
Set kernel.randomize_va_space=2 (already the default), fs.suid_dumpable=0, and kernel.core_pattern=|/bin/false to disable core dumps to disk.
Step 5: Verify
Run sysctl -a | grep -E 'syncookies|rp_filter|kptr_restrict' to show the applied values. Reboot once to confirm that the settings persist.
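The five steps assembled into one script, as an added example that is not the provider's own tooling: write_dropin writes the values from Steps 2 to 4, and check_dropin compares every key in the file against the live kernel value instead of grepping for three of them. The function names, the DRIFT/MISSING output format and the two IPv6 lines chosen for the mirror are assumptions of this example.

```shell
#!/bin/sh
# Added example: build the hardening drop-in and audit it against the live kernel.

# Write the values from Steps 2-4 to the path given as $1 (sysctl.d key=value syntax).
write_dropin() {
    cat > "$1" <<'EOF'
# Step 2: network stack
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_rfc1337=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.log_martians=1
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_redirects=0
# Step 3: kernel visibility
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
# Step 4: ASLR and core dumps
kernel.randomize_va_space=2
fs.suid_dumpable=0
kernel.core_pattern=|/bin/false
EOF
}

# Compare each key in CONF ($1) with the live value under ROOT ($2, default /proc/sys).
# Prints one DRIFT or MISSING line per problem; returns 1 if any key differs, else 0.
check_dropin() {
    conf=$1 root=${2:-/proc/sys} bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*|';'*) continue ;; esac   # skip blanks and comments
        key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
        want=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        path=$root/$(printf '%s' "$key" | tr . /)      # a.b.c -> ROOT/a/b/c
        if [ ! -r "$path" ]; then
            echo "MISSING $key"; bad=1
        elif [ "$(cat "$path")" != "$want" ]; then
            echo "DRIFT $key want=$want have=$(cat "$path")"; bad=1
        fi
    done < "$conf"
    return "$bad"
}
```

On the VPS, run write_dropin /etc/sysctl.d/99-anubiz-harden.conf and sysctl --system as root, then check_dropin on the same file now and again after the reboot in Step 5. A MISSING line means the running kernel does not expose that key, for example the net.ipv6 keys when IPv6 is disabled.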