Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
i'm using Suse Pro 9.1. I ran a "Shields Up" test yesterday on "all service ports", and all my ports are showing to be stealthed except one. This un-stealthed port is closed, however.
This is relatively good, i guess, but it also shows :
Solicited TCP Packets: RECEIVED (FAILED) - As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection.
Ping Reply: RECEIVED (FAILED) - Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.
how do i fix these minor issues and go "Stealth Mode" (that sounds cool )
ing Reply: RECEIVED (FAILED) - Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.
Yes and no. I do not agree with this description. ICMP is an important infrastructure of networking and it is often used for load balancing. Dropping ICMP, especially if you're housing a server is technically wrong. If you do your work right, a ping is only a ping.
Limiting the number of ping for avoiding DoS is ok, avoiding network discoveries in ok but not dropping all icmps...
but it's only my opinion
Try inserting (I) it at the top of the ruleset:
/usr/sbin/iptables -I INPUT -p icmp -j DROP
FWIW TheIrish is correct, in that blocking all ICMP traffic is against RFC specs and can also cause Path MTU discovery failure, which can sometimes lead to connectivity issues. So, it's rather unfortunate that GRC doesn't explain the consequences of completely blocking ICMP on their site.
I'd really avoid doing packet filtering in the PREROUTING chain. The PREROUTING chain only checks the very first packet in a stream, but none of the subsequent packets are checked. In most circumstances (including this one), it's not an issue, but it can open your firewall up completely in some circumstances and therefore it's normally recommended to avoid doing so if at all possible.
i was under the impression (from what i hear around sites) that icmp traffic generated from established connections are then related traffic... tho i might be wrong, i have no way to 100% test it out on my system
Originally posted by TheIrish maybe I'm wrong, but I'm not sure it would work. Aren't ICMPs stateless?
Yeah but like UDP, there are still fields in the packets that stateful firewalls can use to determine if it is part of a connection. Source and destination addressess, type/codes or ports, and maybe the ID #.