| Author |
Message |
math
Joined: 07 Mar 2010
Posts: 16
|
| Posted: Mon Mar 08, 2010 3:44 pm Post subject: icmp_echo_ignore_all does not keep new value |
|
|
Hello
I am trying to block ICMP with
echo 1 >> /proc/sys/net/ipv4/icmp_echo_ignore_all
but after I restart my container, the kernel restores the old icmp_echo_ignore_all value (0)
please help me fix this issue
thank you very much |
|
|
Alucard
Joined: 13 Feb 2008
Posts: 116
|
| Posted: Mon Mar 08, 2010 3:58 pm Post subject: |
|
|
Code:
echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
sysctl -p |
|
|
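A variant of the approach in Alucard's reply, as an added example that is not part of the original thread: a plain `>>` appends a duplicate line every time it is run, so this version rewrites the key in place and then compares the configured value with the live one under /proc/sys. The function names and the optional PROC_ROOT argument (for trying it against a scratch directory) are assumptions of this example.

```sh
#!/bin/sh
# Added example; function names and the PROC_ROOT argument are assumptions.

# set_sysctl_conf KEY VALUE FILE
# Leave exactly one "KEY = VALUE" line in FILE: rewrite the first existing
# entry, drop later duplicates, or append when the key is absent.
set_sysctl_conf() {
    key=$1; value=$2; file=$3
    [ -f "$file" ] || : > "$file" || return 1
    tmp=$(mktemp) || return 1
    awk -F= -v k="$key" -v v="$value" '
        { name = $1; gsub(/[ \t]/, "", name) }
        NF > 1 && name == k {
            if (!done) { print k " = " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " = " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps FILE owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# conf_value KEY FILE: print the value FILE assigns to KEY (last entry wins).
conf_value() {
    awk -F= -v k="$1" '
        { name = $1; gsub(/[ \t]/, "", name) }
        NF > 1 && name == k {
            val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val); found = 1
        }
        END { if (found) print val }
    ' "$2"
}

# sysctl_matches KEY FILE [PROC_ROOT]
# 0 = running value equals the configured one, 1 = they differ,
# 2 = the key cannot be read under PROC_ROOT (default /proc/sys).
sysctl_matches() {
    want=$(conf_value "$1" "$2")
    have=$(cat "${3:-/proc/sys}/$(printf '%s' "$1" | tr . /)" 2>/dev/null) || return 2
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Typical use, as root:
#   set_sysctl_conf net.ipv4.icmp_echo_ignore_all 1 /etc/sysctl.conf && sysctl -p
#   sysctl_matches net.ipv4.icmp_echo_ignore_all /etc/sysctl.conf || echo "not applied"
```

Running `sysctl_matches` after a restart shows whether the setting was actually re-applied at boot or only written to the file.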
vonskippy
Joined: 27 Dec 2009
Posts: 410
Location: Colorado, USA
|
| Posted: Mon Mar 08, 2010 4:07 pm Post subject: |
|
|
ICMP is a useful tool to you (helps to monitor if your server is at least partially up).
ICMP is oh so last decade for hackers. Now they do much more sophisticated scans/fingerprinting such that no PING reply isn't even on their radar.
Security thru Obscurity is a myth - since blocking ICMP does nothing to increase your security, but does increase your Admin overhead - why bother? |
|
|
math
Joined: 07 Mar 2010
Posts: 16
|
| Posted: Mon Mar 08, 2010 4:17 pm Post subject: |
|
|
Alucard wrote: Code: echo "net.ipv4.icmp_echo_ignore_all = 1" >> /etc/sysctl.conf
sysctl -p
Thank you very much for the help, and for vonskippy's advice :) |
|
|
Stever
Joined: 07 Dec 2007
Posts: 329
Location: NC, USA
|
| Posted: Wed Mar 10, 2010 2:00 pm Post subject: |
|
|
vonskippy wrote: ICMP is oh so last decade for hackers.
My linode has been pinged 13,231 times - it seems that there may be some hackers still living in the last decade. |
|
|
vonskippy
Joined: 27 Dec 2009
Posts: 410
Location: Colorado, USA
|
| Posted: Wed Mar 10, 2010 3:31 pm Post subject: |
|
|
Stever wrote: My linode has been pinged 13,231 times
A second? A day? A month? Since you've set up your Linode?
Your statement has as much useful content as Han Solo's "making the Kessel Run in under 12 parsecs" line.
As I've mentioned, PING is used by MANY legitimate services, and no competent hacker relies on it to determine if there's a "target" out there.
But hey, turn off ping, make your life as a sysadmin much harder, what do I care. |
|
|
Guspaz
Joined: 26 May 2009
Posts: 1030
Location: Montreal, QC
|
| Posted: Thu Mar 11, 2010 11:10 am Post subject: |
|
|
vonskippy wrote: Stever wrote: My linode has been pinged 13,231 times
A second? A day? A month? Since you've set up your Linode?
Your statement has as much useful content as Han Solo's "making the Kessel Run in under 12 parsecs" line.
As I've mentioned, PING is used by MANY legitimate services, and no competent hacker relies on it to determine if there's a "target" out there.
But hey, turn off ping, make your life as a sysadmin much harder, what do I care.
It has plenty of useful content; Kessel is right next to the Maw, an abnormally dense collection of black holes, requiring a circuitous winding path to be navigated to reach it. A faster ship would allow the pilot to cut closer to the gravity wells than would otherwise be possible, allowing a shorter route to be taken, or for paths that would normally be completely impossible.
It's a simple optimization problem. Making a run to Kessel in under 12 parsecs (to or from what point is not really clear) would mean that the high speed of the ship and skill of the pilot allowed a more direct route, saving time. |
|
|