Hi, can someone please tell me how I can stop my netbook from showing up on ping requests.
I have Gufw installed and it is enabled.
But when I use the Shields Up web site it tells me that my system replied to Ping (ICMP Echo) requests.
But all my ports are showing as stealth.
Does this mean that I can get hacked?
Last edited by crunchman (2010-12-27 07:11:01)
Thanks
Crunchman
Running Crunchbang 10 Statler R20120207 backport on a Compaq Mini 702EA Netbook
By default Gufw allows any incoming ICMP packets; however, there is no proper reason for denying ICMP packets. There are numerous other methods for checking if a host is up or not, so denying ICMP for security reasons is a bit deprecated.
Also, because ICMP is a totally different protocol than TCP/IP (ssh, telnet, http, ftp), it is impossible to hack any computer using just ICMP packets.
If you're still determined to deny incoming ICMP packets, you have to change the following lines in the file /etc/ufw/before.rules:
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
into
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
Before anything else, are you using a router to connect to the Internet? If so, you would need to configure the firewall at the router, and any config on your netbook won't have any effect on the test you are using. If you do connect directly to the Internet with your netbook (which is uncommon) then you would need to edit the file '/etc/ufw/before.rules' and comment out the ping request part:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
# Don't allow ping requests:
# -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
- closed account - gone to better places -
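Both replies above edit /etc/ufw/before.rules by hand. The script below is an added example (written for this thread, not code from the ufw project or from either poster) that makes the narrower of the two changes automatically: it flips only the echo-request rule to DROP and leaves destination-unreachable, time-exceeded, parameter-problem and source-quench accepted. That goes a little beyond what Roy suggested on purpose: dropping destination-unreachable and time-exceeded also silences Path MTU discovery and traceroute replies, so a host that only wants to stop answering ping should not touch them. It assumes GNU sed (for `-i`) and that you run it on a copy of the file first; `make_sample_rules` writes a constructed copy of the rule block quoted in the thread so the functions can be exercised without touching the live file.

```shell
#!/bin/sh
# Added example, not from the thread: flip only the ufw echo-request rule to
# DROP so the host stops answering ping while the other ICMP types still pass.
# Usage:  drop_ping_rule /path/to/before.rules && sudo ufw reload
#         (work on a copy first; only the live file needs ufw reload)

# Rewrite the single echo-request ACCEPT line in a before.rules-style file.
# The "-A ufw-before-input -p icmp" prefix anchors the match so rules in
# other chains (forward, output) are never touched.
drop_ping_rule() {
    rules_file="$1"
    sed -i 's/^\(-A ufw-before-input -p icmp --icmp-type echo-request -j \)ACCEPT$/\1DROP/' "$rules_file"
}

# Count the ICMP rules that still ACCEPT in the ufw-before-input chain.
# Before the change the quoted block has 5; afterwards it should have 4
# (destination-unreachable, source-quench, time-exceeded, parameter-problem).
count_icmp_accept() {
    grep -c -- '^-A ufw-before-input -p icmp .* -j ACCEPT$' "$1"
}

# Constructed sample mirroring the "ok icmp codes" block quoted in the thread,
# written to the path given so the functions can be tried on a scratch file.
make_sample_rules() {
    cat > "$1" <<'EOF'
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
EOF
}
```

After running it on the real file, `sudo ufw reload` re-reads before.rules; `sudo iptables -L ufw-before-input -n | grep icmp` then shows the echo-request line with a DROP target and the other four still ACCEPT. As aaro says, none of this changes what an upstream router answers.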
Roy wrote: By default Gufw allows any incoming ICMP packets; however, there is no proper reason for denying ICMP packets. There are numerous other methods for checking if a host is up or not, so denying ICMP for security reasons is a bit deprecated.
Also, because ICMP is a totally different protocol than TCP/IP (ssh, telnet, http, ftp), it is impossible to hack any computer using just ICMP packets.
If you're still determined to deny incoming ICMP packets, you have to change the following lines in the file /etc/ufw/before.rules:
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
into
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
Roy, thanks for the info.
Thanks
Crunchman
I've had good results with arno's iptables firewall... (it's in the Debian repo as well)...
Maybe you can give it a try...
Tuna
sed 's/stress/relaxation/g'
Privacy & Security on #!
Tuna wrote: I've had good results with arno's iptables firewall...
And how exactly do you know those results were good?
I'm so meta, even this acronym
Roy wrote: By default Gufw allows any incoming ICMP packets; however, there is no proper reason for denying ICMP packets. There are numerous other methods for checking if a host is up or not, so denying ICMP for security reasons is a bit deprecated.
Also, because ICMP is a totally different protocol than TCP/IP (ssh, telnet, http, ftp), it is impossible to hack any computer using just ICMP packets.
If you're still determined to deny incoming ICMP packets, you have to change the following lines in the file /etc/ufw/before.rules:
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
into
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
Roy, thanks for the info.
OK, done that and still have the same problem.
Thanks
Crunchman
Roy wrote: By default Gufw allows any incoming ICMP packets; however, there is no proper reason for denying ICMP packets. There are numerous other methods for checking if a host is up or not, so denying ICMP for security reasons is a bit deprecated.
Also, because ICMP is a totally different protocol than TCP/IP (ssh, telnet, http, ftp), it is impossible to hack any computer using just ICMP packets.
If you're still determined to deny incoming ICMP packets, you have to change the following lines in the file /etc/ufw/before.rules:
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
into
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
I use mobile broadband when I'm away; that is what I'm using at the moment. I have done what you have said, but still have the same problem.
Thanks
Crunchman
aaro wrote: Before anything else, are you using a router to connect to the Internet? If so, you would need to configure the firewall at the router, and any config on your netbook won't have any effect on the test you are using. If you do connect directly to the Internet with your netbook (which is uncommon) then you would need to edit the file '/etc/ufw/before.rules' and comment out the ping request part:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
# Don't allow ping requests:
# -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
aaro, I'm using mobile broadband and have done this but have had no luck.
Thanks
Crunchman
Tuna wrote: I've had good results with arno's iptables firewall... (it's in the Debian repo as well)...
Maybe you can give it a try...
I will look into this, thanks.
Thanks
Crunchman
aaro wrote: Before anything else, are you using a router to connect to the Internet? If so, you would need to configure the firewall at the router, and any config on your netbook won't have any effect on the test you are using. If you do connect directly to the Internet with your netbook (which is uncommon) then you would need to edit the file '/etc/ufw/before.rules' and comment out the ping request part:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
# Don't allow ping requests:
# -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
aaro, I'm using mobile broadband and have done this but have had no luck.
I think mobile broadband doesn't give you a direct connection to the Internet; instead they connect you to an internal network and go through a NAT/router/proxy. To make sure of this, you should check the IP assigned to your machine; you can do this by typing this in a terminal: 'ifconfig' (you may need to use sudo). If the assigned IP is something like 192.168.XX.XX or 10.XX.XX.XX then you are connected through a router/NAT/proxy. In that case there's nothing you can do to block pings from the Internet, and you don't need to worry about them because you are protected by your mobile ISP's router.
- closed account - gone to better places -
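aaro's test is to read the assigned address and see whether it is a 192.168.x.x or 10.x.x.x one. The function below is an added example (mine, not aaro's or the distribution's) that does that check in a script and deliberately goes one step further than the post: besides 10.0.0.0/8 and 192.168.0.0/16 it also recognises 172.16.0.0/12 (the third RFC 1918 block) and 100.64.0.0/10, the carrier-grade NAT range from RFC 6598 that mobile ISPs commonly hand out. Any of those means the address Shields Up sees belongs to the carrier's equipment, not to the netbook. `current_ipv4` is a helper that pulls the address of the default-route interface with iproute2's `ip` (which has replaced `ifconfig` on current Debian); it is an assumption that `ip` is installed.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether an IPv4 address is one
# that only exists behind NAT (RFC 1918 private ranges plus the RFC 6598
# carrier-grade NAT range). Exit 0 = private/CGNAT, 1 = public, 2 = not an
# IPv4 address at all.
# Usage:  is_private_ipv4 "$(current_ipv4)" && echo "behind NAT: the remote ping test is hitting the ISP, not you"

is_private_ipv4() {
    local ip oldIFS o a b
    ip="$1"
    # Split on dots into the positional parameters; anything that does not
    # yield exactly four all-digit octets in 0..255 is rejected.
    oldIFS=$IFS
    IFS=.
    set -- $ip
    IFS=$oldIFS
    [ $# -eq 4 ] || return 2
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 2 ;; esac
        [ "$o" -le 255 ] || return 2
    done
    a=$1
    b=$2
    [ "$a" -eq 10 ] && return 0                                            # 10.0.0.0/8
    [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0     # 172.16.0.0/12
    [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 0                       # 192.168.0.0/16
    [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ] && return 0    # 100.64.0.0/10 (CGNAT)
    return 1
}

# Source address the kernel would use towards the Internet, read from the
# route lookup rather than parsed out of ifconfig output. Assumes iproute2.
current_ipv4() {
    ip -4 route get 1.1.1.1 2>/dev/null | sed -n 's/.* src \([0-9.]*\).*/\1/p' | head -n 1
}
```

If the function reports a private or CGNAT address, the only firewall that can change what the remote test sees is the one on the carrier's or router's side, which is exactly aaro's point; the host-side changes in the earlier replies are still worth keeping for the local network.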
best way to disable ping response is to add the instruction into /etc/sysctl.conf, as so:
net.ipv4.icmp_echo_ignore_all = 1
this will disable ping responses from your machine but not from any networking hardware between your machine and the internet. those settings have to be configured on the hardware itself. so you'd want to ping your device IP on the LAN (e.g. 192.168.1.105) and not your external-facing IP to verify that this is working.
g'luck!
NOTICE: alloc: /dev/null: filesystem full
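The sysctl route nathwill describes is the simplest host-only fix, and it is a kernel setting rather than a firewall rule, so it works even if ufw is later disabled. The functions below are an added example (not nathwill's code) showing how to set it without ending up with duplicate or contradictory lines in the file: `ensure_sysctl` replaces an existing `key = value` line or appends one, `sysctl_file_value` reads back what the file says, and `kernel_ignores_ping` checks the live kernel value in /proc. The sysctl key name is `net.ipv4.icmp_echo_ignore_all` (the kernel has no `net.ipv4.conf.` form of it). It assumes GNU sed and that you apply the file afterwards with `sudo sysctl -p /etc/sysctl.conf`; the test below works on a constructed scratch file, not the real one.

```shell
#!/bin/sh
# Added example, not from the thread: idempotently set a sysctl key in a
# sysctl.conf-style file, then let the caller apply it.
# Usage:  ensure_sysctl /etc/sysctl.conf net.ipv4.icmp_echo_ignore_all 1
#         sudo sysctl -p /etc/sysctl.conf
#         kernel_ignores_ping && echo "this host no longer answers echo-request"

# Escape the dots in a key so sed/grep match it literally.
sysctl_key_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Replace an existing (uncommented) setting of the key, or append one.
# Commented-out lines such as "# net.ipv4.icmp_echo_ignore_all = 1" are
# not treated as a setting, matching what sysctl -p itself does.
ensure_sysctl() {
    file="$1"; key="$2"; value="$3"
    key_re=$(sysctl_key_re "$key")
    if grep -q "^[[:space:]]*${key_re}[[:space:]]*=" "$file"; then
        sed -i "s/^[[:space:]]*${key_re}[[:space:]]*=.*/${key} = ${value}/" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Value the file assigns to a key; if it appears more than once the last
# line wins, which is also the order sysctl -p applies them in.
sysctl_file_value() {
    key_re=$(sysctl_key_re "$2")
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Live check on a Linux host: the kernel currently ignores echo-request
# when /proc/sys/net/ipv4/icmp_echo_ignore_all reads 1.
kernel_ignores_ping() {
    [ "$(cat /proc/sys/net/ipv4/icmp_echo_ignore_all 2>/dev/null)" = "1" ]
}
```

As nathwill notes, verify from another machine on the same LAN: once `kernel_ignores_ping` succeeds, `ping 192.168.1.105` from a neighbour should get no replies, while the address Shields Up probes still belongs to the router or carrier and is unaffected.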
crunchman wrote: aaro wrote: Before anything else, are you using a router to connect to the Internet? If so, you would need to configure the firewall at the router, and any config on your netbook won't have any effect on the test you are using. If you do connect directly to the Internet with your netbook (which is uncommon) then you would need to edit the file '/etc/ufw/before.rules' and comment out the ping request part:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
# Don't allow ping requests:
# -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
aaro, I'm using mobile broadband and have done this but have had no luck.
I think mobile broadband doesn't give you a direct connection to the Internet; instead they connect you to an internal network and go through a NAT/router/proxy. To make sure of this, you should check the IP assigned to your machine; you can do this by typing this in a terminal: 'ifconfig' (you may need to use sudo). If the assigned IP is something like 192.168.XX.XX or 10.XX.XX.XX then you are connected through a router/NAT/proxy. In that case there's nothing you can do to block pings from the Internet, and you don't need to worry about them because you are protected by your mobile ISP's router.
aaro, you were right. I have just done sudo ifconfig and it has come back with a 192.168.XX.XX range IP.
Many thanks for your help.
Thanks
Crunchman
nathwill wrote: best way to disable ping response is to add the instruction into /etc/sysctl.conf, as so:
net.ipv4.icmp_echo_ignore_all = 1
this will disable ping responses from your machine but not from any networking hardware between your machine and the internet. those settings have to be configured on the hardware itself. so you'd want to ping your device IP on the LAN (e.g. 192.168.1.105) and not your external-facing IP to verify that this is working.
g'luck!
nathwill, thanks for this. I will check this out when I get home and connect to my local LAN.
Thanks
Crunchman
Copyright © 2012 CrunchBang Linux.
Proudly powered by Debian. Hosted by Linode.
Debian is a registered trademark of Software in the Public Interest, Inc.