Set Kernel Parameter to Increase Local Port Range

An XCCDF Rule

Description

To set the runtime value of the net.ipv4.ip_local_port_range kernel parameter, run the following command. The value contains a space, so it must be quoted; otherwise the shell passes 65535 to sysctl as a separate argument instead of as part of the value:

$ sudo sysctl -w net.ipv4.ip_local_port_range="32768 65535"

To make the setting persistent across reboots, add the following line to a file in the directory /etc/sysctl.d (for example /etc/sysctl.d/90-ip_local_port_range.conf):

net.ipv4.ip_local_port_range = 32768 65535

The running value can be confirmed with sysctl net.ipv4.ip_local_port_range or by reading /proc/sys/net/ipv4/ip_local_port_range, where the kernel prints the two numbers separated by a tab.
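The two checks a practitioner wants after applying the description above are whether the running kernel value is wide enough and whether the value that will be applied at boot, after sysctl's "last setting wins" ordering across drop-in files, is the one intended. The following helpers are an added example and not part of the SSG rule or its remediation content. They assume that a range wider than 32768-65535 is acceptable (the rule text only gives the exact value), that callers pass config files in the order sysctl --system reads them, and the sample files created in demo() are constructed here for illustration.

```shell
#!/bin/sh
# Added audit helpers for net.ipv4.ip_local_port_range (example code, not SSG's).
# Both helpers work on text passed to them, so they can be exercised offline on
# constructed input and pointed at /proc and /etc/sysctl.d on a real host.

REQUIRED_LOW=32768      # assumption: rule value used as the required lower bound
REQUIRED_HIGH=65535     # assumption: rule value used as the required upper bound

# range_compliant "<low> <high>"
# Accepts the kernel's tab-separated form (/proc/sys/net/ipv4/ip_local_port_range)
# and the space-separated form used in sysctl.d files.
# Exit status 0: range covers at least REQUIRED_LOW..REQUIRED_HIGH
#             1: range is narrower than required
#             2: value is malformed (wrong field count or non-numeric)
range_compliant() {
    set -- $1                      # word-split on spaces and tabs
    [ $# -eq 2 ] || return 2
    case "$1$2" in *[!0-9]*|"") return 2 ;; esac
    [ "$1" -le "$REQUIRED_LOW" ] && [ "$2" -ge "$REQUIRED_HIGH" ]
}

# persistent_value <file>...
# Prints the value boot-time sysctl would apply from the given config files:
# comment lines are skipped, and when the key appears several times (in one
# file or across files) the last occurrence wins, matching sysctl semantics.
# Both "net.ipv4.ip_local_port_range" and the "net/ipv4/..." spelling are
# recognised. Prints nothing if no file sets the parameter.
persistent_value() {
    awk '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*net[.\/]ipv4[.\/]ip_local_port_range[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            v = $0
        }
        END { if (v != "") print v }
    ' "$@"
}

# demo: constructed sample drop-ins (not taken from any real host). An early
# file sets the kernel default range and a later file only has the desired
# value commented out, so the effective persistent value is still 32768 60999
# and the check reports non-compliance.
demo() {
    d=$(mktemp -d)
    printf 'net.ipv4.ip_local_port_range = 32768 60999\n' > "$d/10-net.conf"
    printf '# net.ipv4.ip_local_port_range = 32768 65535\n' > "$d/99-local.conf"
    v=$(persistent_value "$d"/*.conf)
    rm -rf "$d"
    if range_compliant "$v"; then
        echo "persistent value '$v': compliant"
    else
        echo "persistent value '$v': NOT compliant"
    fi
}

demo
```

On a live system the runtime check is `range_compliant "$(cat /proc/sys/net/ipv4/ip_local_port_range)"`, and the persistent check is `persistent_value /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /etc/sysctl.conf` in the order sysctl --system reads them, so that a later file overriding an earlier one is reported the way the kernel will actually see it.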

Rationale

This setting defines the range of local (ephemeral) ports that TCP and UDP draw from when a socket needs a source port and none was bound explicitly. The first number is the lowest port in the range, the second the highest. The kernel's default range is 32768 to 60999; raising the upper bound to 65535 enlarges the pool of ephemeral ports, which reduces port exhaustion on hosts that open many outbound connections and widens the space an off-path attacker must search to guess a connection's source port. Any port inside this range on which a local service must listen should be excluded from ephemeral allocation with net.ipv4.ip_local_reserved_ports, so the kernel does not hand it to an outbound connection before the service binds it.

ID
xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_local_port_range
Severity
Medium

Remediation - Ansible

# Locate every sysctl drop-in that already sets the parameter, so existing
# entries can be commented out before the desired value is written.
- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/
    contains: ^[\s]*net.ipv4.ip_local_port_range.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d

Remediation - Shell Script

# Remediation is applicable only in certain platforms (not inside a container)
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of net.ipv4.ip_local_port_range from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
  [ -f "$f" ] && sed -i 's/^[[:space:]]*net[.\/]ipv4[.\/]ip_local_port_range[[:space:]]*=/# &/' "$f"
done
# Persist the value (the drop-in file name is a choice, not mandated by the rule) and apply it now
printf 'net.ipv4.ip_local_port_range = 32768 65535\n' > /etc/sysctl.d/90-ip_local_port_range.conf
sysctl -w net.ipv4.ip_local_port_range="32768 65535"
else
  >&2 echo 'Remediation is not applicable, nothing was done'
fi