How can I block ping with the APF firewall?

Discussion in 'General Discussion' started by BianchiDude, Dec 13, 2007.

  1. BianchiDude

    How can I block ping with the APF firewall?
     
  2. AndyReed

    You need to stop your server from responding to ICMP requests. Although "ping" uses TCP/IP Port, the Protocol is ICMP and NOT TCP/UDP, which is a network "control" protocol.

    You have several options:

    vi /etc/sysctl.conf
    and add this directive:

    Code:
    net.ipv4.icmp_echo_ignore_all = 1
    Save, close and restart iptables.

    Now, you won't be able to ping external interfaces.

    If you wish to block ping echo reply or requests, you can use this rule with IPtables:

    iptables -A INPUT -p icmp --icmp-type 8 -s SourceIPAddress -j DROP

    OR

    iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

    to block incoming pings

    OR

    iptables -A OUTPUT -p icmp -o eth0 -j DROP


    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

    which will drop all echo replies. Overall, you need to be very careful as ping is needed by different services/networks. Use at your own risk.
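
An added example, not part of any post in this thread: a small shell audit for the settings named in the reply above. Editing /etc/sysctl.conf only changes what is applied at boot or by `sysctl -p`, while the /proc file holds the running value, so the script compares the two and counts echo-request DROP rules in saved `iptables-save` output. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): summarise how a host treats ping.
# Paths are arguments so the checks can be run against copies of the files.

# icmp_echo_ignore_all as set in one sysctl.conf-style file; the last
# uncommented assignment wins. Prints "unset" when the key is absent.
conf_value() {
    awk -F= '
        /^[ \t]*[#;]/ { next }
        { key = $1; gsub(/[ \t]/, "", key); gsub(/\//, ".", key) }
        key == "net.ipv4.icmp_echo_ignore_all" {
            val = $2; gsub(/[ \t\r]/, "", val); found = val
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# Running value from /proc (0 = answer echo requests, 1 = ignore them).
runtime_value() {
    if [ -r "$1" ]; then tr -d ' \t\r\n' < "$1"; else printf 'unreadable'; fi
}

# Count INPUT rules in saved iptables-save output that DROP echo-request.
echo_drop_rules() {
    grep -Ec '^-A INPUT .*-p icmp .*--icmp-type (8|echo-request)[ /].*-j DROP' "$1" || true
}

# One-line summary. drift=yes: the running value differs from what this
# file will apply at boot (kernel default 0 is assumed when the key is unset).
audit() {
    conf=$(conf_value "$1"); run=$(runtime_value "$2"); drops=$(echo_drop_rules "$3")
    want=$conf; if [ "$want" = unset ]; then want=0; fi
    if [ "$want" = "$run" ]; then drift=no; else drift=yes; fi
    echo "persistent=$conf runtime=$run drop_rules=$drops drift=$drift"
}

# Constructed sample data, not taken from a real server.
demo() {
    d=$(mktemp -d)
    printf '# net.ipv4.icmp_echo_ignore_all = 0\nnet.ipv4.icmp_echo_ignore_all = 1\n' > "$d/sysctl.conf"
    printf '0\n' > "$d/proc_value"
    printf '%s\n' '-A INPUT -s 192.0.2.10/32 -p icmp -m icmp --icmp-type 8 -j DROP' \
        '-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT' > "$d/rules.v4"
    audit "$d/sysctl.conf" "$d/proc_value" "$d/rules.v4"
    rm -rf "$d"
}
demo
```

On a real host, save the rules with `iptables-save > rules.v4` and run `audit /etc/sysctl.conf /proc/sys/net/ipv4/icmp_echo_ignore_all rules.v4`.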
     
  3. Infopro

  4. brianoz

    Blocking ping is probably a Bad Thing (tm); why did you want to do that?
     
  5. BianchiDude

    Security, you can't hack a server that you can't find, LOL
     
  6. brianoz

    You actually believe they won't find it if it's not pingable? :rolleyes: lol. Good idea, but in the meantime you'll frustrate people trying to troubleshoot as well as break many small things.

    Instead, I'd install CSF and mod_security and set them up, change your ssh port, and then go get a server hardening package.
     
  7. Murtaza_t

    I don't think disabling ping on the server is a bad idea. I am not sure of any networking tool that uses only ping to identify the server being up/down. At the current point most of them use telnet, I suppose.

    Yes, there is a disadvantage of clients complaining about their site being down just because they cannot ping it. :D
     
    #7 Murtaza_t, Dec 17, 2007
    Last edited: Dec 19, 2007