stop a freebsd server from responding to pinging?

Bill Moran wmoran at collaborativefusion.com
Thu Nov 30 11:10:45 PST 2006


In response to Wasp King <waspking2003 at yahoo.com>:

> 1. How do I stop others from port scanning a server?

Drive to their house and smash their computer.

> 2. is stopping the response to pinging enough?

No.  In fact, not responding to ping is a bad idea.  Disabling ping
responses violates certain RFCs and is a tactic taken by sysadmins
who should know better.

Additionally, a determined scanner won't care whether you respond to
ping or not, so it doesn't even gain you anything.  nmap, probably
the most popular scanner out there, has an option to scan without
pinging, and even _recommends_ turning that on if you try to ping
and get no responses.

> 3. how to do I stop the server from responding to
> pinging?

You can always use pf or ipfw, if you _really_ want to go down that
road.

> Running FreeBSD 4.2 and 6.1. 
> 
> I changed the /etc/rc.network file to "NO" for
> broadcast ping responses, and this did not work (still
> responding to ping) when I rebooted:
> 
> 
>         case ${icmp_bmcastecho} in
>         [Yy][Ee][Ss])
>                 echo -n ' broadcast ping responses=NO'
>                 sysctl net.inet.icmp.bmcastecho=1 >/dev/null

That just stops it from responding to ping requests destined for the
broadcast address, which is a topic of some debate.  It will still
respond to ping requests sent directly to it.

Anyway, the question that you didn't ask is "how do I secure my system
from network attacks".  The Q&D answer is:
1) only run network services that you really need
2) ensure those services are properly secured

If you do those two, who cares if you get portscanned?

-- 
Bill Moran
Collaborative Fusion Inc.
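A ruleset along the lines of the reply's advice (default-deny inbound, pass only the services the box is meant to offer, keep answering ping), written as an added example rather than taken from the thread; it assumes pf on the FreeBSD 6.1 host, an external interface named em0, and ssh and http as the only required services. The rule the original question asked for is included but commented out.

```pf
# /etc/pf.conf -- added example, not from the original thread.
# Assumptions: external interface is em0; ssh and http are the only
# services this host is supposed to expose.
ext_if = "em0"
tcp_services = "{ ssh, http }"

set skip on lo0
scrub in on $ext_if all

# Default deny inbound. Logging the drops means a port scan shows up in
# pflog instead of being guessed at.
block in log on $ext_if all

# The host's own outbound connections, with state so replies get back in.
pass out quick on $ext_if all keep state

# Step 1 of the reply: only the services you actually need are reachable.
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA keep state

# Keep answering echo requests (the RFC-compliant choice). The state
# limit bounds how many concurrent ping states a flood can create.
pass in on $ext_if inet proto icmp from any to ($ext_if) \
    icmp-type echoreq keep state (max 100)

# What the original question asked for. Left disabled because, as the
# reply says, it gains nothing against nmap -P0 and breaks diagnostics.
# "quick" makes it win even though the pass rule above also matches.
# block in quick on $ext_if inet proto icmp icmp-type echoreq
```

Load it with `pfctl -f /etc/pf.conf` and check the parse first with `pfctl -nf /etc/pf.conf`; pf is not available on the FreeBSD 4.2 box, which would need the equivalent rules in ipfw.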

