
I am playing with my hack Ubuntu machine, and I am sorting out security. I want to disable ping. This is a laptop, and I want to document the application of aluminium foil.
The standard ping disabler is the following line...
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
This works fine on my Fedora laptop. On Ubuntu, I get...
$ sudo echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
-bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Permission denied
The file exists. I can print it with "cat" (it prints "0"). Why can I not change it?
--
Howard Gibson
hgibson@eol.ca
jhowardgibson@gmail.com
http://home.eol.ca/~hgibson

On 29/08/18 21:44, Howard Gibson via talk wrote:
I am playing with my hack Ubuntu machine, and I am sorting out security. I want to disable ping. This is a laptop, and I want to document the application of aluminium foil.
The standard ping disabler is the following line...
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
This works fine on my Fedora laptop. On Ubuntu, I get...
The # makes me think you are root on the Fedora laptop.
$ sudo echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
-bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Permission denied
That's expected with a sudo echo > redirect invocation. The shell is doing redirection. sudo is invoking echo, the output of which is being redirected in your normal user's shell to a file that you do not have permission to write to.
Try this if you want to go the sudo route:
echo 1 |sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all
That way tee is invoked with elevated privileges and writes its output to the file.
Or you can become root like on your Fedora system and use echo 1 >...
Cheers, Jamon

On 08/29/2018 09:54 PM, Jamon Camisso via talk wrote:
On 29/08/18 21:44, Howard Gibson via talk wrote:
I am playing with my hack Ubuntu machine, and I am sorting out security. I want to disable ping. This is a laptop, and I want to document the application of aluminium foil.
The standard ping disabler is the following line...
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
This works fine on my Fedora laptop. On Ubuntu, I get...
The # makes me think you are root on the Fedora laptop.
$ sudo echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
-bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Permission denied
That's expected with a sudo echo > redirect invocation. The shell is doing redirection. sudo is invoking echo, the output of which is being redirected in your normal user's shell to a file that you do not have permission to write to.
Try this if you want to go the sudo route:
echo 1 |sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all
That way tee is invoked with elevated privileges and writes its output to the file.
Or you can become root like on your Fedora system and use echo 1 >...
you could also do the following:
sudo sysctl net.ipv4.icmp_echo_ignore_all=1
--
Alvin Starr                   ||   land: (905)513-7688
Netvel Inc.                   ||   Cell: (416)806-0133
alvin@netvel.net              ||

On Wed, 29 Aug 2018 22:03:52 -0400 Alvin Starr via talk <talk@gtalug.org> wrote:
you could also do the following:
sudo sysctl net.ipv4.icmp_echo_ignore_all=1
Alvin,
That's it. I saw instructions on the internet to update /etc/sysctl.conf, but they did it wrong. Your command line works!
Thank you.
I will be updating my website to show easy install methods for Ubuntu and Fedora.
--
Howard Gibson
hgibson@eol.ca
jhowardgibson@gmail.com
http://home.eol.ca/~hgibson

On Wed, Aug 29, 2018 at 10:58 PM, Howard Gibson via talk <talk@gtalug.org> wrote:
On Wed, 29 Aug 2018 22:03:52 -0400 Alvin Starr via talk <talk@gtalug.org> wrote:
you could also do the following:
sudo sysctl net.ipv4.icmp_echo_ignore_all=1
Alvin,
That's it. I saw instructions on the internet to update /etc/sysctl.conf, but they did it wrong. Your command line works!
Thank you.
I will be updating my website to show easy install methods for Ubuntu and Fedora.
Greetings
I have ping disabled directly on my router so none of the machines behind it can be accessed from outside.
Why wouldn't you do it there?
A possible answer is that you are using the laptop truly mobile but that would be the only need for such a mod imo. For those that 'know' is there any other scenario where you might want to disable ping access on a machine basis?
Regards
Dee

On 08/30/2018 06:11 AM, o1bigtenor via talk wrote:
On Wed, Aug 29, 2018 at 10:58 PM, Howard Gibson via talk <talk@gtalug.org> wrote:
On Wed, 29 Aug 2018 22:03:52 -0400 Alvin Starr via talk <talk@gtalug.org> wrote:
you could also do the following:
sudo sysctl net.ipv4.icmp_echo_ignore_all=1
Alvin,
That's it. I saw instructions on the internet to update /etc/sysctl.conf, but they did it wrong. Your command line works!
Thank you.
I will be updating my website to show easy install methods for Ubuntu and Fedora.
Greetings
I have ping disabled directly on my router so none of the machines behind it can be accessed from outside.
Why wouldn't you do it there?
A possible answer is that you are using the laptop truly mobile but that would be the only need for such a mod imo. For those that 'know' is there any other scenario where you might want to disable ping access on a machine basis?
Regards
I am not a big fan of disabling pings. When ping is disabled it makes it extremely hard to diagnose network problems. I operated an ISP and it would be very hard to diagnose network problems on systems with ping disabled. There are other tools but most of them require software on both systems where ping is simple and easy to set up.
It is possible to limit ping both in size and frequency.
Disabling ping is of very limited value to stop hackers because port scanning software will just try the well known ports and will find you if you have the ports open.
Incoming ping floods will still suck up all your incoming bandwidth even if you have pings disabled. Also ping floods have fallen out of vogue as a DOS attack vector.
--
Alvin Starr                   ||   land: (905)513-7688
Netvel Inc.                   ||   Cell: (416)806-0133
alvin@netvel.net              ||

On Thu, Aug 30, 2018 at 7:48 AM, James Knott via talk <talk@gtalug.org> wrote:
On 08/30/2018 06:11 AM, o1bigtenor via talk wrote:
I have ping disabled directly on my router so none of the machines
My router software asks me if I want to allow or disallow pings from the www. I have that box marked 'disallow'.
Regards
Dee

| From: James Knott via talk <talk@gtalug.org>
| On 08/30/2018 06:11 AM, o1bigtenor via talk wrote:
| > I have ping disabled directly on my router so none of the machines
| > behind it can be accessed from outside.
|
| How does disabling ping on a router prevent access to what's behind it?
| Ping has nothing to do with routing.
1) OP's question was asking about a solution without stating a real problem that needed solving. (See 2).
2) almost everyone's LAN is behind NAT so pings from the outside world cannot even address LAN nodes. In other words, no problem exists.
3) o1bigtenor might have:
a) assumed the only place pings could be a problem would be on the router itself (because it alone has a globally routable address) and so addressed that problem
b) assumed that since the router is a gateway, it can filter pings destined for LAN.
If you hook up the notebook to a hostile LAN or WAN, then the solutions are different. But I think that pings are the least of your worries. I guess your notebook could be an unwitting accomplice of a DDOS attack.
Many people do think that depending solely on a firewall for network security is a bad model. "Crunchy on the outside, soft on the inside." Every node should be hardened. But what are you going to do to harden your IoT devices (light bulbs, fridges, settop boxes, thermostats, watches, ....)?

On 08/30/2018 11:31 AM, D. Hugh Redelmeier via talk wrote:
| From: James Knott via talk <talk@gtalug.org>
| On 08/30/2018 06:11 AM, o1bigtenor via talk wrote:
| > I have ping disabled directly on my router so none of the machines
| > behind it can be accessed from outside.
|
| How does disabling ping on a router prevent access to what's behind it?
| Ping has nothing to do with routing.
1) OP's question was asking about a solution without stating a real problem that needed solving. (See 2).
People often do that and wind up creating problems trying to fix the one that doesn't exist.
2) almost everyone's LAN is behind NAT so pings from the outside world cannot even address LAN nodes. In other words, no problem exists.
Not anymore. In fact there have long been LANs that aren't behind NAT. Any network that has a lot of public servers would be one example. Also, back in the late 90s, when I was at IBM, on Steeles, the entire LAN had public addresses (mine was 9.29.146.147), as those networks were set up before NAT became necessary to get around the IPv4 address shortage.
Also, IPv6 is now being used by many and NAT is discouraged on it. This means that, for example, Rogers customers will have public IPv6 addresses. However, given that they have a minimum of 18.4 billion, billion addresses to choose from, they're a bit harder to find.
Many people do think that depending solely on a firewall for network security is a bad model. "Crunchy on the outside, soft on the inside." Every node should be hardened. But what are you going to do to harden your IoT devices (light bulbs, fridges, settop boxes, thermostats, watches, ....)?
Also, relying on NAT for security is a bad idea. It does nothing that a properly configured firewall can't do.

On Thu, 30 Aug 2018 11:46:42 -0400 James Knott via talk <talk@gtalug.org> wrote:
Also, IPv6 is now being used by many and NAT is discouraged on it. This means that, for example, Rogers customers will have public IPv6 addresses. However, given that they have a minimum of 18.4 billion, billion addresses to choose from, they're a bit harder to find.
Many people do think that depending solely on a firewall for network security is a bad model. "Crunchy on the outside, soft on the inside." Every node should be hardened. But what are you going to do to harden your IoT devices (light bulbs, fridges, settop boxes, thermostats, watches, ....)?
Also, relying on NAT for security is a bad idea. It does nothing that a properly configured firewall can't do.
James,
My regular laptop is a home computer that sits behind a commercial router most (not all) of the time. My Ubuntu machine is a generic computer that could be taken to a coffee shop or more likely a bar, or it may be plugged directly into a DSL or cable modem. I am writing up my instructions on the assumption that the person following them is not a computer expert.
--
Howard Gibson
hgibson@eol.ca
jhowardgibson@gmail.com
http://home.eol.ca/~hgibson

On 08/30/2018 12:04 PM, Howard Gibson wrote:
Also, relying on NAT for security is a bad idea. It does nothing that a properly configured firewall can't do.
James,
My regular laptop is a home computer that sits behind a commercial router most (not all) of the time. My Ubuntu machine is a generic computer that could be taken to a coffee shop or more likely a bar, or it may be plugged directly into a DSL or cable modem. I am writing up my instructions on the assumption that the person following them is not a computer expert.
How much security do you think you'll get in that coffee shop? I also have a notebook computer that has a firewall running, even when on my home network, behind a firewall. Disabling ping provides nothing more than a false sense of security. Getting back to the physical example, it amounts to nothing more than removing the house numbers from your home. The house is still there and can be found by other means.

On Thu, 30 Aug 2018 12:10:08 -0400 James Knott via talk <talk@gtalug.org> wrote:
How much security do you think you'll get in that coffee shop? I also have a notebook computer that has a firewall running, even when on my home network, behind a firewall.
James,
I expect no security at a coffee shop. This is not a case of disable ping OR run the firewall. I am running the firewall. All the ports I can close are closed.
--
Howard Gibson
hgibson@eol.ca
jhowardgibson@gmail.com
http://home.eol.ca/~hgibson

On Wed, Aug 29, 2018 at 09:54:15PM -0400, Jamon Camisso via talk wrote:
On 29/08/18 21:44, Howard Gibson via talk wrote:
$ sudo echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
-bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Permission denied
'echo' is run as root, but '/proc/sys/net/ipv4/icmp_echo_ignore_all' is written to as normal user. Try
sudo sh -c 'echo 1 > ...'
echo 1 |sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all
I could've used this 'tee' solution today!
--
William Park <opengeometry@yahoo.ca>

On Wed, 29 Aug 2018 21:54:15 -0400 Jamon Camisso via talk <talk@gtalug.org> wrote:
On 29/08/18 21:44, Howard Gibson via talk wrote:
I am playing with my hack Ubuntu machine, and I am sorting out security. I want to disable ping. This is a laptop, and I want to document the application of aluminium foil.
The standard ping disabler is the following line...
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
This works fine on my Fedora laptop. On Ubuntu, I get...
The # makes me think you are root on the Fedora laptop.
Yes, I have a Fedora laptop, and that is how I disable ping.
$ sudo echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
-bash: /proc/sys/net/ipv4/icmp_echo_ignore_all: Permission denied
That's expected with a sudo echo > redirect invocation. The shell is doing redirection. sudo is invoking echo, the output of which is being redirected in your normal user's shell to a file that you do not have permission to write to.
Try this if you want to go the sudo route:
echo 1 |sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all
It works!
Thank you.
Now all I have to do is stick it in a boot script.
--
Howard Gibson
hgibson@eol.ca
jhowardgibson@gmail.com
http://home.eol.ca/~hgibson

On 29/08/18 23:23, Howard Gibson wrote:
Try this if you want to go the sudo route:
echo 1 |sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all
It works!
Thank you.
Now all I have to do is stick it in a boot script.
As Alvin Starr pointed out, if you want this to persist, the best way would be via sysctl. Try putting 'net.ipv4.icmp_echo_ignore_all=1' in a file in /etc/sysctl.d, or in /etc/sysctl.conf itself.
Cheers, Jamon
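An added example, not code from any poster in this thread, that puts the thread's pieces together in one POSIX sh script: the /proc/sys path and the dotted sysctl key are the same knob, the runtime write has to be done by the process that actually holds root (so the script is run under sudo as a whole, the same idea as the 'sudo sh -c' and 'sudo tee' fixes above), and persistence goes in an /etc/sysctl.d drop-in, with a small parser that checks what the drop-in really sets. The drop-in name 60-icmp-echo.conf and the SYSCTL_D override are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread. Run as a whole under
# sudo (sudo ./disable_ping.sh --apply): that is the same idea as the thread's
# 'sudo sh -c' and 'sudo tee' fixes, since the process that opens the file is
# the one that needs root, not the echo. Assumes Linux with procps sysctl(8);
# the drop-in name and the SYSCTL_D override are this example's own choices.
set -eu

KEY=net.ipv4.icmp_echo_ignore_all
DROPIN_DIR="${SYSCTL_D:-/etc/sysctl.d}"    # point at a temp dir to dry-run

# The /proc/sys path and the dotted sysctl key name the same kernel knob.
proc_to_key() {
    printf '%s\n' "${1#/proc/sys/}" | tr '/' '.'
}
key_to_proc() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr '.' '/')"
}

# Runtime change; needs root. 'sudo echo 1 > file' fails because the caller's
# unprivileged shell opens the file for the redirect before sudo ever runs.
apply_now() {
    sysctl -w "$1=$2" >/dev/null
    # equivalent, as root: printf '%s\n' "$2" > "$(key_to_proc "$1")"
}

# Persistence: sysctl --system reads /etc/sysctl.d/*.conf at boot, so a
# drop-in survives reboots without editing /etc/sysctl.conf itself.
write_dropin() {
    file="$DROPIN_DIR/60-icmp-echo.conf"
    printf '# Ignore ICMP echo requests (ping)\n%s = %s\n' "$1" "$2" > "$file"
    printf '%s\n' "$file"
}

# Read the value a drop-in sets for a key, skipping comments and whitespace.
# A line written with the /proc path instead of the dotted key (the kind of
# wrong online instruction the thread mentions) is simply not matched.
dropin_value() {
    awk -F= -v k="$1" '
        /^[ \t]*[#;]/ { next }
        NF == 2 { gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2)
                  if ($1 == k) print $2 }
    ' "$2"
}

# Current kernel value, readable without root.
current_value() {
    cat "$(key_to_proc "$1")"
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root: sudo $0 --apply" >&2; exit 1; }
    apply_now "$KEY" 1
    f=$(write_dropin "$KEY" 1)
    echo "runtime: $(current_value "$KEY"), persisted: $f sets $(dropin_value "$KEY" "$f")"
fi
```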

On 29/08/18 21:44, Howard Gibson via talk wrote:
I am playing with my hack Ubuntu machine, and I am sorting out security. I want to disable ping. This is a laptop, and I want to document the application of aluminium foil.
Could you elaborate a bit about how disabling ICMP enhances security of this system? I'm curious what kind of information you're trying to control with it off.
Cheers, Jamon

Jamon,
I am assuming that someone will use ping to search a network for interesting stuff. If the IP address does not respond to ping, the cracker will keep searching. All the other ports are closed too. The security is not perfect, but I am hoping to have escalated things beyond the capabilities of some script kiddies.
On Thu, 30 Aug 2018 08:20:21 -0400 Jamon Camisso via talk <talk@gtalug.org> wrote:
On 29/08/18 21:44, Howard Gibson via talk wrote:
I am playing with my hack Ubuntu machine, and I am sorting out security. I want to disable ping. This is a laptop, and I want to document the application of aluminium foil.
Could you elaborate a bit about how disabling ICMP enhances security of this system? I'm curious what kind of information you're trying to control with it off.
Cheers, Jamon
---
Talk Mailing List
talk@gtalug.org
https://gtalug.org/mailman/listinfo/talk
--
Howard Gibson
hgibson@eol.ca
jhowardgibson@gmail.com
http://home.eol.ca/~hgibson

On 08/30/2018 11:00 AM, Howard Gibson via talk wrote:
Jamon,
I am assuming that someone will use ping to search a network for interesting stuff. If the IP address does not respond to ping, the cracker will keep searching. All the other ports are closed too. The security is not perfect, but I am hoping to have escalated things beyond the capabilities of some script kiddies.
Closing the ports is sufficient.
I know someone is at 1234 Bloor St. but that does not help much with breaking in. I still need a way to get past the front door.
On Thu, 30 Aug 2018 08:20:21 -0400 Jamon Camisso via talk <talk@gtalug.org> wrote:
On 29/08/18 21:44, Howard Gibson via talk wrote:
I am playing with my hack Ubuntu machine, and I am sorting out security. I want to disable ping. This is a laptop, and I want to document the application of aluminium foil.
Could you elaborate a bit about how disabling ICMP enhances security of this system? I'm curious what kind of information you're trying to control with it off.
Cheers, Jamon
--
Alvin Starr                   ||   land: (905)513-7688
Netvel Inc.                   ||   Cell: (416)806-0133
alvin@netvel.net              ||

You don't need to disable ping on your internal network, only at the router. Because of NAT, nobody can really ping your internal system.
Try this. Keep ping enabled on your Linux, and in your router, run this on Linux:
sudo tcpdump -i any icmp
Now go to any "online ping service" and ping your address. I will not spoil the result for you.
On Thu, Aug 30, 2018, 12:17 Alvin Starr via talk <talk@gtalug.org> wrote:
On 08/30/2018 11:00 AM, Howard Gibson via talk wrote:
Jamon,
I am assuming that someone will use ping to search a network for interesting stuff. If the IP address does not respond to ping, the cracker will keep searching. All the other ports are closed too. The security is not perfect, but I am hoping to have escalated things beyond the capabilities of some script kiddies.
Closing the ports is sufficient.
I know someone is at 1234 Bloor St. but that does not help much with breaking in. I still need a way to get past the front door.
On Thu, 30 Aug 2018 08:20:21 -0400 Jamon Camisso via talk <talk@gtalug.org> wrote:
On 29/08/18 21:44, Howard Gibson via talk wrote:
I am playing with my hack Ubuntu machine, and I am sorting out security. I want to disable ping. This is a laptop, and I want to document the application of aluminium foil.
Could you elaborate a bit about how disabling ICMP enhances security of this system? I'm curious what kind of information you're trying to control with it off.
Cheers, Jamon
--
Alvin Starr                   ||   land: (905)513-7688
Netvel Inc.                   ||   Cell: (416)806-0133
alvin@netvel.net              ||

On 08/30/2018 11:24 AM, Mauro Souza via talk wrote:
Because of NAT, nobody can really ping your internal system.
There are many networks that do not use NAT. In fact, it's rarely used on IPv6. Regardless, there are other ways of finding a router or computer that do not use ping. Blocking ping provides a false sense of security.

On Thu, 30 Aug 2018 12:24:31 -0300 Mauro Souza via talk <talk@gtalug.org> wrote:
You don't need to disable ping on your internal network, only at the router. Because of NAT, nobody can really ping your internal system.
Try this. Keep ping enabled on your Linux, and in your router, run this on Linux:
sudo tcpdump -i any icmp
Now go to any "online ping service" and ping your address. I will not spoil the result for you.
Mauro,
I go to http://www.grc.com (Steve Gibson is not a relation as far as I can tell) and I run their True Stealth analysis. My first 1056 ports are closed, but it responds to ping. This is my router. My desktop behind the router is not particularly well locked down.
Yes, tcpdump has an interesting output.
--
Howard Gibson
hgibson@eol.ca
jhowardgibson@gmail.com
http://home.eol.ca/~hgibson

On 08/30/2018 11:43 AM, Howard Gibson via talk wrote:
My first 1056 ports are closed, but it responds to ping. This is my router. My desktop behind the router is not particularly well locked down.
Those would be TCP ports. I'm not sure they even test UDP. Ping is ICMP, which doesn't even have port numbers and so wouldn't be found in any port scan.

On Thu, 30 Aug 2018 at 11:17, Alvin Starr via talk <talk@gtalug.org> wrote:
I know someone is at 1234 Bloor St. but that does not help much with breaking in.
But what if you *don't* know someone lives at 1234 Bloor St. (and most of the residences on Bloor St. are vacant)? Breaking into one that's vacant (equivalent to blindly attacking a non-existent machine) is a worthless waste of time. If you knock on one of the doors (ping), you may get an answer, telling you that breaking into that residence at a later time may be of some value, thus worth more effort.
I'm not saying that ignoring pings is of much benefit, but this is a better analogy.
--
Scott

On 08/30/2018 11:45 AM, Scott Allen via talk wrote:
But what if you *don't* know someone lives at 1234 Bloor St. (and most of the residences on Bloor St. are vacant)?
That doesn't stop many burglars or squatters.
If you knock on one of the doors (ping), you may get an answer, telling you that breaking into that residence at a later time may be of some value, thus worth more effort.
There are other ways to determine if there's a computer or router there. For example traceroute will simply time out if the device doesn't respond, but there is a route to it. If there is no route to it, you get a different error message. That difference will tell you whether there's likely something at that address.

On 08/30/2018 11:56 AM, James Knott via talk wrote:
On 08/30/2018 11:45 AM, Scott Allen via talk wrote:
But what if you *don't* know someone lives at 1234 Bloor St. (and most of the residences on Bloor St. are vacant)?
That doesn't stop many burglars or squatters.
If you knock on one of the doors (ping), you may get an answer, telling you that breaking into that residence at a later time may be of some value, thus worth more effort.
There are other ways to determine if there's a computer or router there. For example traceroute will simply time out if the device doesn't respond, but there is a route to it. If there is no route to it, you get a different error message. That difference will tell you whether there's likely something at that address.
There are other ICMP messages that can be used for probing like timestamp(msg-13).
All around all disabling ping does for you is to make it harder for your ISP or IT support people to see if you are having network problems and the really really stupid script kiddies trying to probe you.
--
Alvin Starr                   ||   land: (905)513-7688
Netvel Inc.                   ||   Cell: (416)806-0133
alvin@netvel.net              ||

On 08/30/2018 12:04 PM, Alvin Starr via talk wrote:
There are other ICMP messages that can be used for probing like timestamp(msg-13). All around all disabling ping does for you is to make it harder for your ISP or IT support people to see if you are having network problems and the really really stupid script kiddies trying to probe you.
There are some who advocate blocking ICMP entirely. As mentioned, it can cause problems for legitimate testing and, on IPv6, cause failures.

On 2018-08-30 12:12 p.m., James Knott via talk wrote:
On 08/30/2018 12:04 PM, Alvin Starr via talk wrote:
There are other ICMP messages that can be used for probing like timestamp(msg-13). All around all disabling ping does for you is to make it harder for your ISP or IT support people to see if you are having network problems and the really really stupid script kiddies trying to probe you.
There are some who advocate blocking ICMP entirely. As mentioned, it can cause problems for legitimate testing and, on IPv6, cause failures.
At one time, a maliciously crafted packet could be used to do buffer-overflow attacks. It hit Windows most recently, and many sites turned off ICMP. This merely made it harder, and the script kiddies promptly came up with new variants.
To this day, Windows sites often turn off ICMP, thinking the problem was with ping.
--dave
--
David Collier-Brown,         | Always do right. This will gratify
System Programmer and Author | some people and astonish the rest
davecb@spamcop.net           |                      -- Mark Twain

On Thu, 30 Aug 2018 12:04:34 -0400 Alvin Starr via talk <talk@gtalug.org> wrote:
There are other ICMP messages that can be used for probing like timestamp(msg-13). All around all disabling ping does for you is to make it harder for your ISP or IT support people to see if you are having network problems and the really really stupid script kiddies trying to probe you.
Alvin,
I am my ISP and IT support person. My Fedora laptop cannot be remotely administered. I am inconvenienced by this. If I want to do something with it, I have to get up and walk to where I have it stored. From the laptop, I can administer my desktop, because I have ssh set up. My desktop stays behind my firewall. My laptop gets exposed.
I have been on a commercial site where the Windows laptops were administered remotely, from somewhere in the USA, I think. I don't know how secure they were. The company did not have particularly nasty security requirements, i.e. they were not managing people's personal data, or military secrets.
--
Howard Gibson
hgibson@eol.ca
jhowardgibson@gmail.com
http://home.eol.ca/~hgibson

On 08/30/2018 12:13 PM, Howard Gibson via talk wrote:
I have been on a commercial site where the Windows laptops were administered remotely, from somewhere in the USA, I think. I don't know how secure they were. The company did not have particularly nasty security requirements, i.e. they were not managing people's personal data, or military secrets.
I have remotely administered computers for an IBM customer over Citrix. The customer, a major U.S. telecom, was very security conscious.

On Thu, 30 Aug 2018 at 11:57, James Knott via talk <talk@gtalug.org> wrote:
For example traceroute will simply time out if the device doesn't respond, but there is a route to it.
For a device that doesn't respond, traceroute only tells you that you can get to the network that the device is on (you can determine that Bloor St. exists). There could be many addresses on that network (especially for IPV6), many of which may be vacant.
But again, I was only trying to give a better analogy, not defend ignoring pings.
--
Scott

On 08/30/2018 11:00 AM, Howard Gibson via talk wrote:
I am assuming that someone will use ping to search a network for interesting stuff. If the IP address does not respond to ping, the cracker will keep searching.
What happens if they ping an address behind the router. There are many networks that don't use NAT, so other devices will also have a reachable address. In fact, on IPv6, NAT is generally not used.