How can I make my server unpingable on the internal and external interfaces?
Some organizations' security protocols require that ICMP echo replies be disabled.
Resolving the problem
The ping command sends ICMP echo request packets and receives ICMP echo reply packets. It is the quickest way to determine whether a computer is connected and responding on a network. In some cases you may want to disable echo replies. Run the following command to make the kernel ignore ICMP echo requests on all interfaces.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
This setting is not permanent; the command will need to be run again after each reboot.
To re-enable ICMP ping replies, run the following command.
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
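Because the runtime setting is lost at reboot, the following added example (not part of the original technote) writes the same value to /proc and also records it in a sysctl configuration file so that it is reapplied at boot. The function names and the drop-in path /etc/sysctl.d/90-icmp-echo.conf are assumptions; on systems that only read /etc/sysctl.conf, set CONF_FILE to that file.

```shell
#!/bin/sh
# Added example: apply icmp_echo_ignore_all now and persist it across reboots.
# PROC_FILE is the kernel path used on this page.
# CONF_FILE is an assumed drop-in name; override it for your distribution.
PROC_FILE="${PROC_FILE:-/proc/sys/net/ipv4/icmp_echo_ignore_all}"
CONF_FILE="${CONF_FILE:-/etc/sysctl.d/90-icmp-echo.conf}"

# Print the runtime value: 0 = echo replies sent, 1 = echo requests ignored.
echo_ignore_status() {
    cat "$PROC_FILE"
}

# set_echo_ignore 0|1 : change the runtime value, then persist it idempotently.
set_echo_ignore() {
    case "$1" in
        0|1) ;;
        *) echo "usage: set_echo_ignore 0|1" >&2; return 2 ;;
    esac

    # Runtime change: the same write the page performs with echo.
    echo "$1" > "$PROC_FILE" || return 1

    # Persist: drop any earlier line for this key and append the new one,
    # so repeated runs never leave duplicate or conflicting entries.
    tmp="$(mktemp)" || return 1
    if [ -f "$CONF_FILE" ]; then
        grep -v '^[[:space:]]*net\.ipv4\.icmp_echo_ignore_all[[:space:]]*=' \
            "$CONF_FILE" > "$tmp" || true
    fi
    echo "net.ipv4.icmp_echo_ignore_all = $1" >> "$tmp"
    cat "$tmp" > "$CONF_FILE"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 1

    # Confirm the kernel now reports the requested value.
    [ "$(echo_ignore_status)" = "$1" ]
}
```

Source the file as root and call `set_echo_ignore 1` to disable replies or `set_echo_ignore 0` to re-enable them; `echo_ignore_status` shows the value currently in effect.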
There is no inherent danger in being ping-able, and there is no inherent security in not being ping-able. There are myriad other ways to tell if a host is listening on a given address. An ICMP ping just happens to be a very convenient way to do it. It is one of the first things everyone checks when they are experiencing connectivity problems. Disabling this just makes the troubleshooting process more difficult. It is highly unlikely that ping has anything to do with possible intrusions.
|Organizational Productivity- Portals & Collaboration||Lotus Foundations Branch Office||General||Linux||1.1|