[olug] RH9 firewall security question

Vincent.Raffensberger at dtn.com Vincent.Raffensberger at dtn.com
Sun Feb 1 06:08:50 UTC 2004


As long as you know about it, having icmp disabled shouldn't interfere 
with network troubleshooting.  Depending on what the system's function is, 
it may cause other (client app/ customer) problems.
When the circumstances are right, it can be useful.  Personally, I 
wouldn't do it without a need.

Regarding security justifications, it's probably very debatable.  You can 
easily judge the worth of it by counting the number of unique addresses 
you have blocked in the past seven days, disable icmp for seven days, and 
then count them again.

I have an ftp server which is accessed transparently through a client 
application.  I was getting several break-in attempts each day.  Just the 
usual "try every username you can think of" type of thing.  I became 
annoyed by them filling up the log files. 
I dropped icmp on the external interface and within a few days the 
activity stopped.  Since then, I only see one attempt each month (at most) 
and clients are unaffected.  In that case it was well worth it.

YMMV.


"Tim - DZ" <iceburn at dangerzone.com>
Sent by: olug-bounces at olug.org
01/31/2004 07:51 PM
Please respond to: Omaha Linux User Group <olug at olug.org>
To: "'Omaha Linux User Group'" <olug at olug.org>
Subject: RE: [olug] RH9 firewall security question

IMO blocking ping is not worth it; whenever something breaks network-wise
the first step is to ping the affected box, and if ping is "turned off" then
the first step will have to be to turn it back on.

Allowing ping should not be a security concern...though it may create
increased traffic (as Vincent points out)...

-t 

-----Original Message-----
From: olug-bounces at olug.org [mailto:olug-bounces at olug.org] On Behalf Of
Vincent.Raffensberger at dtn.com
Sent: Saturday, January 31, 2004 6:29 PM
To: Omaha Linux User Group
Subject: Re: [olug] RH9 firewall security question

By blocking or disabling ping responses from your system you will see 
substantially fewer port scans and probes.  It's probably worth the 
inconvenience it may sometimes cause.
You can do it in the kernel or via iptables.

To disable icmp responses via the kernel add this to /etc/sysctl.conf
net.ipv4.icmp_echo_ignore_all = 1

You could additionally add these:
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0

An iptables rule to drop icmp for your external interface only would look 
like this (the target name is case-sensitive):
iptables -A INPUT -i eth0 -p icmp -j DROP


Francis Geiger <hmcsret at cox.net>
Sent by: olug-bounces at olug.org
01/31/2004 05:04 PM
Please respond to: Omaha Linux User Group <olug at olug.org>
To: Omaha linux user group email <olug at olug.org>
Subject: [olug] RH9 firewall security question

I have been reading about Linux security issues in Linux Journal. I have
my RH9 firewall set at high.  I used the grc.com web site to check my
firewall and it reported my ports as closed or in stealth mode. The web
site did say, under TruStealth: Not all tested ports were stealth, No
unsolicited packets were received, A ping reply (ICMP Echo) was received.
Should I be concerned about the ping reply?  If so, what can I do about
it? I have been looking at the documentation and I am getting very
confused.  Thanks in advance for any help.  Grant
-- 
Francis Geiger <hmcsret at cox.net>

_______________________________________________
OLUG mailing list
OLUG at olug.org
http://lists.olug.org/mailman/listinfo/olug

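The iptables advice in the thread, plus the before-and-after count of blocked source addresses that Vincent suggests as a way to judge it, as an added shell example that is not part of the list discussion; it assumes eth0 as the external interface, a hypothetical log prefix, a constructed log sample, and by default only prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the thread. IPT defaults to a dry run so the
# rules can be inspected without root; set IPT=iptables to apply them.
EXT_IF="${EXT_IF:-eth0}"        # assumed external interface
IPT="${IPT:-echo iptables}"

# Blanket rule as posted in the thread: silences echo, but also drops the
# destination-unreachable and time-exceeded messages the host depends on
# (path MTU discovery, traceroute replies).
icmp_drop_all() {
    $IPT -A INPUT -i "$EXT_IF" -p icmp -j DROP
}

# Narrower alternative: keep ICMP error messages, rate-limit a log entry
# for each dropped echo-request, then drop echo-request only.
icmp_drop_echo() {
    $IPT -A INPUT -i "$EXT_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request \
        -m limit --limit 6/min -j LOG --log-prefix "ICMP-DROP: "
    $IPT -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request -j DROP
}

# Constructed, abbreviated sample of what the kernel LOG target writes to
# syslog (documentation addresses; two entries share one source).
SAMPLE_LOG='Feb  1 06:01:10 fw kernel: ICMP-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0
Feb  1 06:02:33 fw kernel: ICMP-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0
Feb  1 06:05:41 fw kernel: ICMP-DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0
Feb  1 06:09:02 fw kernel: ICMP-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0'

# Number of distinct source addresses behind a log prefix: run it on the
# seven days before and the seven days after a change, as Vincent suggests.
# Usage: unique_sources PREFIX < logfile
unique_sources() {
    grep "$1" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort -u | wc -l | tr -d ' '
}

icmp_drop_echo
printf '%s\n' "$SAMPLE_LOG" | unique_sources "ICMP-DROP:"   # 3
```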