stop a freebsd server from responding to pinging?
Lane
lane at joeandlane.com
Thu Nov 30 11:21:27 PST 2006
On Thursday 30 November 2006 12:55, Wasp King wrote:
> 1. How do I stop others from port scanning a server?
>
> 2. is stopping the response to pinging enough?
>
> 3. how do I stop the server from responding to
> pinging?
>
> Running FreeBSD 4.2 and 6.1.
>
> I changed the /etc/rc.network file to "NO" for
> broadcast ping responses, and this did not work (still
> responding to ping) when I rebooted:
>
>
> case ${icmp_bmcastecho} in
> [Yy][Ee][Ss])
> echo -n ' broadcast ping responses=NO'
> sysctl net.inet.icmp.bmcastecho=1 >/dev/null
>
Wasp,
Check out /usr/ports/security/portsentry to reject portscan attempts. By
default it uses /etc/hosts.deny, which is deprecated. But you can configure
it to run a command ("KILL_ROUTE" in portsentry.conf) to do just about
anything you want.
My KILL_ROUTE command is a perl script that sends syslog entries
to /var/log/auth.log, which are intercepted by /usr/ports/security/sshit to
only temporarily block an offending ip using ipfw. It also sends an email
notification at the time of the attempt, so I can be sure to keep an eye on
the trouble-maker.
BTW: I think to completely block ping/traceroute you would add an ipfw rule
like:
ipfw add drop icmp from any to any in via $external_nic
But that may introduce complications I'm unaware of ...
lane
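An added example, not from Lane's reply or from the FreeBSD rc scripts: the sysctl knob in the quoted rc.network fragment only governs replies to broadcast pings, and an ipfw rule that drops all inbound ICMP also drops "fragmentation needed" messages, which breaks path-MTU discovery. The script below instead denies only echo-request (ICMP type 8) on the external interface. It assumes ipfw is the active firewall, takes the interface name as its first argument, and with DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the list post).  Stop a FreeBSD host from answering
# ping without dropping the ICMP types that TCP path-MTU discovery needs.
# Usage:  DRY_RUN=1 sh harden-icmp.sh em0     (print the commands only)
#         sh harden-icmp.sh em0               (apply them, as root)
# Assumptions: ipfw is loaded; $1 is the external interface name.

DRY_RUN="${DRY_RUN:-0}"

run() {
    # Execute a command, or print it when DRY_RUN=1.
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# net.inet.icmp.bmcastecho is what icmp_bmcastecho="NO" in /etc/rc.conf
# sets.  0 stops replies to pings sent to the broadcast address only; a
# ping addressed directly to the host is still answered.
disable_bcast_echo() {
    run sysctl net.inet.icmp.bmcastecho=0
}

# Deny only ICMP echo-request (type 8) arriving on the external interface.
# Compared with "deny icmp from any to any", this keeps type 3 (destination
# unreachable, including code 4 "fragmentation needed") and type 11 (time
# exceeded) flowing, so PMTU discovery and outbound traceroute keep working.
icmp_rules() {
    nic="$1"
    run ipfw add 1000 deny icmp from any to any in via "$nic" icmptypes 8
}

# Show the rules that resulted (harmless to print in dry-run mode too).
show_rules() {
    run ipfw list
}

if [ -n "${1:-}" ]; then
    disable_bcast_echo
    icmp_rules "$1"
    show_rules
fi
```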