Disabling the respons to ICMP ECHO requests @ www.digitalpains.net

Answering ping requests is not part of the job description of a production or critical server. For critical systems it is better not to publish more information than is absolutely necessary, and disabling the response to ICMP ECHO requests is a measure we can implement easily.

This behaviour is controlled by the icmp_echo_ignore_all kernel parameter. By default this parameter is set to 0; any value other than 0 disables the response to ICMP ECHO requests.

First, let's see what the current value is. As shown below, we can simply read it from the proc file system.

[root@lfscratch ~]# cat /proc/sys/net/ipv4/icmp_echo_ignore_all
0

The IP address of my test server is 192.168.5.19. When I ping it from another machine I get a response to my requests, as expected.

alis@advance17:~$ ping 192.168.5.19
PING 192.168.5.19 (192.168.5.19) 56(84) bytes of data.
64 bytes from 192.168.5.19: icmp_seq=1 ttl=64 time=1.20 ms
64 bytes from 192.168.5.19: icmp_seq=2 ttl=64 time=1.09 ms
64 bytes from 192.168.5.19: icmp_seq=3 ttl=64 time=1.05 ms
64 bytes from 192.168.5.19: icmp_seq=4 ttl=64 time=1.06 ms
^C
--- 192.168.5.19 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 1.051/1.104/1.206/0.069 ms

The following command sets the icmp_echo_ignore_all parameter to 1. The change takes effect immediately. When we try to ping again we get messages saying that the destination is unreachable.

[root@lfscratch ~]# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
alis@advance17:~$ ping 192.168.5.19
PING 192.168.5.19 (192.168.5.19) 56(84) bytes of data.
From 192.168.5.101 icmp_seq=143 Destination Host Unreachable

You may think that we are finished, but there is one more thing we need to pay attention to. Our change in the proc file system was immediate but not persistent: after the next reboot the value of icmp_echo_ignore_all will be reset to 0.

To make our change persistent we also need to add the following lines to the /etc/sysctl.conf file.

# Disable ICMP ECHO responses
net.ipv4.icmp_echo_ignore_all = 1

If you did not run the command above for the immediate change, you can use the command below instead. It reads the content of sysctl.conf and applies it to the running kernel.

[root@lfscratch ~]# sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 4294967295
kernel.shmall = 268435456
net.ipv4.icmp_echo_ignore_all = 1
[root@lfscratch ~]#
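The three steps above (read the live value, set it through /proc, persist it in /etc/sysctl.conf) are easy to script, and the persistence step is where hand edits usually go wrong: the key ends up twice in the file, or the line with the old value is left behind and silently wins or loses depending on its position. The script below is an added example and not part of the original post. It defines small shell functions for each step, with the proc file and the config file passed in as parameters so the same logic can be exercised against temporary files; the function names and the APPLY_FOR_REAL environment variable are assumptions of this example, not anything from the page or the sysctl tool. Note that with icmp_echo_ignore_all set to 1 the kernel simply does not send any reply, so from the sender's side the requests go unanswered; the host is not hidden from other probes, so treat this as one small hardening step rather than a way to make the server invisible.

```sh
#!/bin/sh
# Added example (not from the original post): check, apply and persist the
# net.ipv4.icmp_echo_ignore_all setting. Paths are parameters so that the
# functions can be tested against temporary files instead of /proc and /etc.

KEY="net.ipv4.icmp_echo_ignore_all"

# Print the live kernel value read from the given proc file (0 = answer pings).
current_value() {
    cat "$1"
}

# Write a value to the given proc file: takes effect at once, lost on reboot.
apply_runtime() {
    printf '%s\n' "$2" > "$1"
}

# Make sure "KEY = VALUE" appears exactly once in the given sysctl config file:
# an existing line for KEY is replaced in place, otherwise one is appended.
# The key is compared literally (after trimming whitespace), so comment lines
# and similarly named keys are left untouched.
persist_setting() {
    conf="$1"
    value="$2"
    [ -f "$conf" ] || : > "$conf"
    tmp="${conf}.tmp.$$"
    awk -v key="$KEY" -v val="$value" '
        {
            k = $0
            sub(/=.*/, "", k)          # keep only the part before "="
            gsub(/[ \t]/, "", k)       # trim whitespace around the key
            if (k == key) {
                if (!done) { print key " = " val; done = 1 }
                next                   # drop duplicates of the key
            }
            print
        }
        END { if (!done) print key " = " val }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Succeed (exit 0) when the config file carries KEY = 1, i.e. ping replies
# stay disabled across reboots.
is_persisted() {
    grep -Eq "^[[:space:]]*${KEY}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1"
}

PROC_FILE="/proc/sys/net/ipv4/icmp_echo_ignore_all"
CONF_FILE="/etc/sysctl.conf"

# Only touch the real system when explicitly asked to (and running as root);
# otherwise just report the current value if the proc file is readable.
if [ "${APPLY_FOR_REAL:-0}" = "1" ]; then
    apply_runtime "$PROC_FILE" 1
    persist_setting "$CONF_FILE" 1
    is_persisted "$CONF_FILE" && echo "persisted: $KEY = 1"
elif [ -r "$PROC_FILE" ]; then
    echo "current $KEY = $(current_value "$PROC_FILE") (run with APPLY_FOR_REAL=1 as root to change it)"
fi
```

Run it as root with APPLY_FOR_REAL=1 to apply and persist the setting in one go; afterwards `sysctl -p` should list net.ipv4.icmp_echo_ignore_all = 1 exactly once, and a ping from another host should go unanswered, which is the check that matters.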
