Completely disable ping (LM Mate 18.3, 19)


Post by NML2018 » Sat Aug 25, 2018 4:01 pm

Once, adding icmp_echo_ignore_all =1 to sysctl.conf would completely block ping. Now it doesn't, the same way "disabling" ipv6 in sysctl doesn't work. (Now you have to add ipv6.disable=1 to GRUB to shut it down.)

Since someone decided to cripple sysctl.conf's functionality, does anyone know how to completely disable PING in Mate 18.3/19? Can I add icmp_echo_ignore_all to GRUB?


Post by rene » Sun Aug 26, 2018 12:26 pm

Nothing has changed regarding this; after sudo sysctl net.ipv4.icmp_echo_ignore_all=1 my machine stops pinging, after sudo sysctl net.ipv4.icmp_echo_ignore_all=0 it resumes again (on Mint 19). Did you simply forget the net.ipv4 prefix?


Post by Spud1200 » Mon Aug 27, 2018 11:52 am

Can I ask, if I were to do this on my system, as I'm running 18.3, would I enter this into the terminal CLI or do I need to edit the file sysctl.conf?

I've entered the following command into the terminal, and now I'm getting a line back saying this.

PING 192.168.1.xx (192.168.1.xx) 56(84) bytes of data.
There is nothing else being displayed.

I've entered:
sudo sysctl net.ipv4.icmp_echo_ignore_all=1

As above using the sudo command.

When I tried to edit the file sysctl.conf I added the line but was still able to ping and receive data packets.

Thanks.


Post by xenopeek » Mon Aug 27, 2018 12:20 pm

sysctl command only affects runtime. If you want to activate it by default on every boot you have to add it to your /etc/sysctl.conf file (or /etc/sysctl.d/your-chosen-filename.conf). The manpages for sysctl and sysctl.conf would have answered this for you.


Post by rene » Mon Aug 27, 2018 12:21 pm

You'd enter the specific command I gave, sudo sysctl net.ipv4.icmp_echo_ignore_all=1, from a terminal. To have it automatically executed at boot you in /etc/sysctl.conf add the line "net.ipv4.icmp_echo_ignore_all=1" -- and after doing so you can rather than reboot also simply execute sudo sysctl -p from a terminal instead.

Note though that you might want to first check if you can ping yourself from the outside in the first place: http://www.whatsmyip.org/ping/. I myself can but your ISP --- or your own modem -- may block ICMP anyway in which case you'd be defending against you yourself testing connectivity inside of your LAN. And in that sense, even if it does ping now try if you can set it to disabled in your modem.

[EDIT] Good information: https://neilalexander.eu/articles/2017/ ... nding-icmp


Post by Spud1200 » Mon Aug 27, 2018 8:00 pm

rene wrote: Mon Aug 27, 2018 12:21 pm
> You'd enter the specific command I gave, sudo sysctl net.ipv4.icmp_echo_ignore_all=1, from a terminal. To have it automatically executed at boot you in /etc/sysctl.conf add the line "net.ipv4.icmp_echo_ignore_all=1" -- and after doing so you can rather than reboot also simply execute sudo sysctl -p from a terminal instead.
>
> Note though that you might want to first check if you can ping yourself from the outside in the first place: http://www.whatsmyip.org/ping/. I myself can but your ISP --- or your own modem -- may block ICMP anyway in which case you'd be defending against you yourself testing connectivity inside of your LAN. And in that sense, even if it does ping now try if you can set it to disabled in your modem.
>
> [EDIT] Good information: https://neilalexander.eu/articles/2017/ ... nding-icmp

In the terminal I have added the following line after opening the file sysctl.conf:

net.ipv4.icmp_echo_ignore_all=1

In the file above sysctl.conf at the end of the file I have this:

# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
#net.ipv4.icmp_echo_ignore_all=1


This is just the last 8 individual lines of the file itself. Do I need to add the " # " without quotation or do I simply add the line you have given me without the #? Or simply enter this command above on the 7th line or 2nd last line?

Thanks.


Post by rene » Mon Aug 27, 2018 8:09 pm

You add the line without a "#" and to whichever portion of the file -- although you may indeed wish to group it with the couple of net.ipv4 sysctl's that are present in it. The "#" at the start of a line in fact signifies the line being commented out: in the default /etc/sysctl.conf all lines are commented out. man sysctl.conf documents the (simple) file format.


Post by Spud1200 » Mon Aug 27, 2018 10:39 pm

I just want to at least to an extent apologize for my stupidity as I did not read the sysctl.conf file correctly in the directory /etc/sysctl.conf.

I've been reading the file thoroughly and hence realizing that " # " is actually a hashed out command as what you would have in the likes of hashed out passwords etc. Never realised this.

Looking at the options of the pre-defined lines of script available in the sysctl.conf, why would these be hashed out? If you have options to help prevent man in the middle attacks etc., along with this for example:

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

By default why would something like this be inactive? Has it got something to do with how a network would be set up, so in regards to that it has to be manually configured?

I've added the line you have provided and the end of the file now looks like this:

#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_all=1

The above is just the last 4 individual lines of the file. Is this correct?

Thanks for your response.


Post by rene » Tue Aug 28, 2018 9:22 am

Let me first note that this is all very nonmagical; the sysctl utility these days simply echoes values into files under /proc/sys. That is, reading a value with sysctl net.ipv4.icmp_echo_ignore_all is fully equivalent to a simple cat /proc/sys/net/ipv4/icmp_echo_ignore_all and setting it with (as root) sysctl net.ipv4.icmp_echo_ignore_all=1 to echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all.

This is to say that you can simply scrounge around /proc/sys to see what's available for your tweaking pleasure. Moreover, /etc/sysctl.conf is besides helpful comments no more than a list of at boot (and by sudo sysctl -p at any time) applied such tweaks. In these systemd days I should add that while /etc/sysctl.conf used to be the main or only such list, now the fragments under /etc/sysctl.d are in fact to be considered main: on our Debian-derived systems /etc/sysctl.conf is a mere link from /etc/sysctl.d/99-sysctl.conf -- but feel free to ignore that part. The point is that /etc/sysctl.conf is a very simple configuration file, and that exactly on which line you put a specific setting is technically irrelevant. And, then, that you as such really don't need me to spell things out: simply add or uncomment a value in /etc/sysctl.conf, reboot or re-apply the file with sudo sysctl -p and check current settings either manually in /proc/sys or through e.g. sysctl net.ipv4.icmp_echo_ignore_all.

This is the case as well for the "reverse path" net.ipv4.conf.default.rp_filter and net.ipv4.conf.all.rp_filter sysctl's that you mention: if you check with sysctl net.ipv4.conf.default.rp_filter net.ipv4.conf.all.rp_filter you will find the value 1 in fact already set; for it to be the default value for those. This is a fairly standard pattern on a Linux system: a commented out setting in a configuration file tends to show the default value as a matter of in-line documentation. Not always, e.g. that log_martians setting.

As to "last 4 individual lines", I on Mint 19 have two additional sections "Magic system request Key" and "Protected links" present after the "Log Martian packets" sysctl but once again then, note that where you put something is truly and deeply irrelevant. What is not irrelevant is that "Good information" link from my [EDIT] a few posts up; do not get hung up on security nonsense: quite literally more than 90% of "security advice" out there on the web is rubbish.

Finally please don't say "hashed out". While I'm aware the number sign # is also referred to as "the hash mark", "hashed out" in the common language sense would mean something having been discussed/decided upon whereas in the computer sense a "hashed value" has a very specific technical meaning nothing to do with commenting. "Commented" or "commented out" is best.
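
The check described in the post above (edit /etc/sysctl.conf, re-apply it, then compare against /proc/sys) can be scripted. The following is an added example, not code from any poster in this thread; the function names `audit_sysctl_conf` and `make_sample` and the sample directory tree are constructed for illustration, and a plain dot-to-slash mapping of key names is assumed.

```shell
#!/bin/sh
# audit_sysctl_conf CONF [ROOT]: compare the active lines of a sysctl.conf-style
# file with the runtime values under ROOT (default /proc/sys).
# Prints "<STATUS> <key> want=<v> have=<v>" per active setting:
#   OK       runtime value matches the file
#   DIFFERS  key exists but holds another value (file not applied yet)
#   UNKNOWN  no such entry under ROOT (e.g. net.ipv4. prefix left off)
# Returns 0 only when every active setting is OK.
audit_sysctl_conf() {
    conf=$1 root=${2:-/proc/sys} rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case $line in
            ''|'#'*|';'*) continue ;;   # blank or commented out: never applied
            *=*) ;;
            *) continue ;;
        esac
        key=$(printf '%s' "${line%%=*}" | sed 's/^-//; s/[[:space:]]*$//')
        want=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        path=$root/$(printf '%s' "$key" | tr . /)   # dots map to slashes
        if [ ! -f "$path" ]; then
            echo "UNKNOWN $key want=$want have=-"; rc=1
            continue
        fi
        have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ $//')
        if [ "$have" = "$want" ]; then
            echo "OK $key want=$want have=$have"
        else
            echo "DIFFERS $key want=$want have=$have"; rc=1
        fi
    done < "$conf"
    return $rc
}

# Constructed sample: a config file and a stand-in for /proc/sys under DIR.
make_sample() {
    mkdir -p "$1/proc/net/ipv4/conf/all"
    echo 0 > "$1/proc/net/ipv4/icmp_echo_ignore_all"
    echo 1 > "$1/proc/net/ipv4/conf/all/rp_filter"
    cat > "$1/sysctl.conf" <<'EOF'
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_all=1
icmp_echo_ignore_all =1
EOF
}

d=$(mktemp -d) && make_sample "$d"
audit_sysctl_conf "$d/sysctl.conf" "$d/proc" || echo "not all settings are in effect"
rm -rf "$d"
```

On a real system, call `audit_sysctl_conf /etc/sysctl.conf` with no second argument to compare against the live /proc/sys.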


Post by Spud1200 » Wed Aug 29, 2018 6:46 pm

I've been having a look around /proc/sys/, looking at individual files and what is and is not commented out.

For the tweaking of the Mint System as I'm on 18.3 at the moment (with plans to upgrade to 19.3 when it's released) also looking at sysctl.d under /etc/; there also seems to be some further options for tweaking the system.

I'm genuinely trying to understand a lot of this and not sure if I'm looking into too much at once because I have also been looking at permissions of the Linux system for a harder overall system when it comes to things such as chown and chmod.

Also I had read a bit of the good link you had posted and in regards to the Ping request; is there a good security reason why this should not be used or disabled from a security standpoint for an end user like me simply running a desktop system at home?

Looking at /proc/sys/ and looking at sysctl.d under /etc/ there seems to be a lot of things I could do or one could do to harden the system.

This might all sound stupid but I'm still a novice to an extent so I appreciate your help.


Post by rene » Wed Aug 29, 2018 7:20 pm

Spud1200 wrote: Wed Aug 29, 2018 6:46 pm
> is there a good security reason why this should not be used or disabled from a security standpoint for an end user like me simply running a desktop system at home?

There are good functional reasons why ICMP should not be disabled outright, as enumerated by the linked article. If suitably paranoid you might choose to employ a firewall to disable specifically ICMP echo, but...

Frankly, you have just asked me an only field-wise and/or in intensity differing version of:
> is there a good security reason why a simple citizen like me should not lock the door and hide under the bed?
The answer's clearly that, no, there's no good security reason for not doing that. So good luck doing that.

The by far best advice I can give you is to reiterate, do not get hung up on security nonsense. The field of computer security, not even just outside of professional circles, has somehow been declared exempt of the need to in fact know what any of it is about: paranoia is all that matters. Leave while you still can....
