Harden the kernel's network stack
A server's sysctl settings still route between interfaces and accept ICMP redirects. Lock the kernel network parameters down for a host that isn't a router.
Scenario
A plain application server still has kernel network defaults that suit a router, not a host: it forwards packets between interfaces, accepts ICMP redirects (which can be used to reroute its traffic), and doesn't filter spoofed source addresses.
Your job
In sysctl.conf, set these to the hardened values for a non-router host:
net.ipv4.conf.all.rp_filter = 1(reverse-path filtering)net.ipv4.conf.all.accept_redirects = 0andnet.ipv4.conf.all.send_redirects = 0net.ipv4.ip_forward = 0net.ipv4.tcp_syncookies = 1
What "done" looks like
Reverse-path filtering on, redirects off (both directions), forwarding off, SYN cookies on.
Graded on the configuration's shape, not a live kernel.
Teaches: kernel network hardening: a host that isn't a router shouldn't forward or honor redirects, and
rp_filterplus SYN cookies blunt spoofing and SYN floods.
What gets checked
Your solution is verified against each of these:
- Reverse-path filtering is enabled (rp_filter = 1)
- ICMP redirects are neither accepted nor sent
- IP forwarding is disabled (the host is not a router)
- TCP SYN cookies are enabled
Solve it in your browser
No setup, no install. Write your solution in the editor and hit Check. The in-house engine renders and grades it instantly, then issues your proof the moment every check passes.
Solve in browser →Prefer your own lab?
- Build the fix locally. New to the tooling? See setting up your lab.
- Push your topology file, device configs, and any playbooks to a public repo (GitHub or GitLab).
- Submit the repo link. We review it by hand, confirm it works, and issue your proof page.