[SOLVED]how do i stop my netbook responding to ping request

crunchman · 2010-12-25 09:47:51

Hi, can some please tell me how i can stop my netbook from showing up on ping requests.
I have Gufw installed and it is enabled.

But when i use shields up web site it tells me that my system replied to Ping (ICMP Echo) requests.
But all my ports are showing as steath.
Does this mean that i can get hacked.

Last edited by crunchman (2010-12-27 07:11:01)

Roy · 2010-12-25 11:50:57

By default Gufw allows any incoming ICMP packages, however there is no proper reason for denying ICMP packages. There are numerous other methods for checking if an host is up or not, so denying ICMP for security reason is an bit deprecated.

Also because ICMP is an total different protocol than TCP/IP (ssh,telnet,http,ftp), it is impossible to hack any computer using just ICMP packages.

If you're still determent to deny an incoming ICMP packages, you have to change the following lines from the file: /etc/ufw/before.rule

-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

into

-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

aaro · 2010-12-25 14:11:03

Before anything else, are you using a router to connect to Internet? If so, you would need to configure the firewall at the router and any config at your netbook won't have any effect on the test you are using. If you do connect directly to the Internet with your netbook (which is uncommon) then you would need to edit the file '/etc/ufw/before.rules' and comment the ping request part:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
# Don't allow ping requests:
# -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

crunchman · 2010-12-26 09:33:29

Roy wrote:

By default Gufw allows any incoming ICMP packages, however there is no proper reason for denying ICMP packages. There are numerous other methods for checking if an host is up or not, so denying ICMP for security reason is an bit deprecated.
Also because ICMP is an total different protocol than TCP/IP (ssh,telnet,http,ftp), it is impossible to hack any computer using just ICMP packages.
If you're still determent to deny an incoming ICMP packages, you have to change the following lines from the file: /etc/ufw/before.rule
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
into
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
Roy thanks for the info.

Tunafish · 2010-12-26 11:21:10

I've had good results with arno's iptables firewall... (it's in the debian repo as well)...
Maybe you can give it a try...

Tuna

Awebb · 2010-12-26 11:23:14

Tunafish wrote:

I've had good results with arno's iptables firewall...

And how exactly do you know those results where good?

crunchman · 2010-12-26 16:17:36

crunchman wrote:

Roy wrote:
By default Gufw allows any incoming ICMP packages, however there is no proper reason for denying ICMP packages. There are numerous other methods for checking if an host is up or not, so denying ICMP for security reason is an bit deprecated.
Also because ICMP is an total different protocol than TCP/IP (ssh,telnet,http,ftp), it is impossible to hack any computer using just ICMP packages.
If you're still determent to deny an incoming ICMP packages, you have to change the following lines from the file: /etc/ufw/before.rule
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
into
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
Roy thanks for the info.
Ok Done that and still have the same problem

crunchman · 2010-12-26 16:20:26

Roy wrote:

By default Gufw allows any incoming ICMP packages, however there is no proper reason for denying ICMP packages. There are numerous other methods for checking if an host is up or not, so denying ICMP for security reason is an bit deprecated.
Also because ICMP is an total different protocol than TCP/IP (ssh,telnet,http,ftp), it is impossible to hack any computer using just ICMP packages.
If you're still determent to deny an incoming ICMP packages, you have to change the following lines from the file: /etc/ufw/before.rule
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
into
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
I use moblie broadband when im away that is what im using at the moment.I have done what you have said, but still have the same problem

crunchman · 2010-12-26 16:25:14

aaro wrote:

Before anything else, are you using a router to connect to Internet? If so, you would need to configure the firewall at the router and any config at your netbook won't have any effect on the test you are using. If you do connect directly to the Internet with your netbook (which is uncommon) then you would need to edit the file '/etc/ufw/before.rules' and comment the ping request part:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
# Don't allow ping requests:
# -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

aaro, im using mobile broadband and have done this but have had no luck/quote

crunchman · 2010-12-26 16:27:34

Tunafish wrote:

I've had good results with arno's iptables firewall... (it's in the debian repo as well)...
Maybe you can give it a try...
Tuna

I will look into this thanks

aaro · 2010-12-26 18:50:34

crunchman wrote:

aaro wrote:
Before anything else, are you using a router to connect to Internet? If so, you would need to configure the firewall at the router and any config at your netbook won't have any effect on the test you are using. If you do connect directly to the Internet with your netbook (which is uncommon) then you would need to edit the file '/etc/ufw/before.rules' and comment the ping request part:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
# Don't allow ping requests:
# -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
aaro, im using mobile broadband and have done this but have had no luck/quote

I think mobile broadband doesn't give you a direct connection to Internet, instead they connect you to an internal network and go through a /nat/router/proxy. To make sure of this, you should check the IP assigned to your machine, you can do this by typing this in a terminal: 'ifconfig' (you may nedd to use sudo). If the assigned IP is something like 192.168.XX.XX or 10.XX.XX.XX then you are connected through a router/nat/proxy. In that case there's nothing you can do to block pings from the Internet, and you don't need to worry about them because you are protected by your mobile isp router.

nathwill · 2010-12-26 19:27:06

best way to disable ping response is to add the instruction into /etc/sysctl.conf, as so:

net.ipv4.conf.icmp_echo_ignore_all = 1

this will disable ping responses from your machine but not from any networking hardware between your machine and the internet. those settings have to be configured on the hardware itself. so you'd want to ping your device IP on the LAN (e.g. 192.168.1.105) and not your external-facing IP to verify that this is working.

g'luck!

crunchman · 2010-12-27 07:18:58

aaro wrote:

crunchman wrote:
aaro wrote:
Before anything else, are you using a router to connect to Internet? If so, you would need to configure the firewall at the router and any config at your netbook won't have any effect on the test you are using. If you do connect directly to the Internet with your netbook (which is uncommon) then you would need to edit the file '/etc/ufw/before.rules' and comment the ping request part:
# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
# Don't allow ping requests:
# -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
aaro, im using mobile broadband and have done this but have had no luck/quote
I think mobile broadband doesn't give you a direct connection to Internet, instead they connect you to an internal network and go through a /nat/router/proxy. To make sure of this, you should check the IP assigned to your machine, you can do this by typing this in a terminal: 'ifconfig' (you may nedd to use sudo). If the assigned IP is something like 192.168.XX.XX or 10.XX.XX.XX then you are connected through a router/nat/proxy. In that case there's nothing you can do to block pings from the Internet, and you don't need to worry about them because you are protected by your mobile isp router.

arro, you were right i have just done sudo ifconfig and it has come back with 192.168.XX.XX range IP.
Many thanks for your help.

crunchman · 2010-12-27 07:25:04

nathwill wrote:

best way to disable ping response is to add the instruction into /etc/sysctl.conf, as so:
net.ipv4.conf.icmp_echo_ignore_all = 1
this will disable ping responses from your machine but not from any networking hardware between your machine and the internet. those settings have to be configured on the hardware itself. so you'd want to ping your device IP on the LAN (e.g. 192.168.1.105) and not your external-facing IP to verify that this is working.
g'luck!

nathwill, thanks for this i will check this out when i get home and connect to my local LAN.

nathwill · 2010-12-29 03:35:23

i'm sorry, correction. the value is: net.ipv4.icmp_echo_ignore_all = 1 , skip the conf bit...

CrunchBang Linux

SEARCH

#1 2010-12-25 09:47:51

[SOLVED]how do i stop my netbook responding to ping request

#2 2010-12-25 11:50:57

Re: [SOLVED]how do i stop my netbook responding to ping request

#3 2010-12-25 14:11:03

Re: [SOLVED]how do i stop my netbook responding to ping request

#4 2010-12-26 09:33:29

Re: [SOLVED]how do i stop my netbook responding to ping request

#5 2010-12-26 11:21:10

Re: [SOLVED]how do i stop my netbook responding to ping request

#6 2010-12-26 11:23:14

Re: [SOLVED]how do i stop my netbook responding to ping request

#7 2010-12-26 16:17:36

Re: [SOLVED]how do i stop my netbook responding to ping request

#8 2010-12-26 16:20:26

Re: [SOLVED]how do i stop my netbook responding to ping request

#9 2010-12-26 16:25:14

Re: [SOLVED]how do i stop my netbook responding to ping request

#10 2010-12-26 16:27:34

Re: [SOLVED]how do i stop my netbook responding to ping request

#11 2010-12-26 18:50:34

Re: [SOLVED]how do i stop my netbook responding to ping request

#12 2010-12-26 19:27:06

Re: [SOLVED]how do i stop my netbook responding to ping request

#13 2010-12-27 07:18:58

Re: [SOLVED]how do i stop my netbook responding to ping request

#14 2010-12-27 07:25:04

Re: [SOLVED]how do i stop my netbook responding to ping request

#15 2010-12-29 03:35:23

Re: [SOLVED]how do i stop my netbook responding to ping request

Board footer