Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hey-
i'm using Suse Pro 9.1. I ran a "Shields Up" test yesterday on "all service ports", and all my ports are showing to be stealthed except one. This un-stealthed port is closed, however.
This is relatively good, i guess, but it also shows :
Quote:
Solicited TCP Packets: RECEIVED (FAILED) - As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection.
and
Ping Reply: RECEIVED (FAILED) - Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.
how do i fix these minor issues and go "Stealth Mode" (that sounds cool )
It handles pings (echo request and replies) and several other additional functions like letting the system know that the remote system is unreachable, etc.
ing Reply: RECEIVED (FAILED) - Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.
Yes and no. I do not agree with this description. ICMP is an important infrastructure of networking and it is often used for load balancing. Dropping ICMP, especially if you're housing a server is technically wrong. If you do your work right, a ping is only a ping.
Limiting the number of ping for avoiding DoS is ok, avoiding network discoveries in ok but not dropping all icmps...
but it's only my opinion
Try inserting (I) it at the top of the ruleset:
/usr/sbin/iptables -I INPUT -p icmp -j DROP
FWIW TheIrish is correct, in that blocking all ICMP traffic is against RFC specs and can also cause Path MTU discovery failure, which can sometimes lead to connectivity issues. So, it's rather unfortunate that GRC doesn't explain the consequences of completely blocking ICMP on their site.
I'd really avoid doing packet filtering in the PREROUTING chain. The PREROUTING chain only checks the very first packet in a stream, but none of the subsequent packets are checked. In most circumstances (including this one), it's not an issue, but it can open your firewall up completely in some circumstances and therefore it's normally recommended to avoid doing so if at all possible.
its discouraged to use chains for things they are not meant for, can cause a few problems
and yes, disabling ICMP can lead to problems, as your computer also wont get info on the state of a network if you drop all of these packets, maybe something like
iptables -A INPUT -m state --state RELATED -j ACCEPT
iptables -A INPUT -p icmp -j DROP
this allows all related traffic, like a error sent back to you by icmp, this should prevent connectivity issues, if you want to use it only from icmp just use
iptables -A INPUT -m state --state RELATED -p icmp -j ACCEPT
instead...
to block pings other then with iptables you can disable it at the kernel level: browse thru the /proc system
let me go see if i can track the folder here down here ....
i was under the impression (from what i hear around sites) that icmp traffic generated from established connections are then related traffic... tho i might be wrong, i have no way to 100% test it out on my system
Originally posted by TheIrish maybe I'm wrong, but I'm not sure it would work. Aren't ICMPs stateless?
Yeah but like UDP, there are still fields in the packets that stateful firewalls can use to determine if it is part of a connection. Source and destination addressess, type/codes or ports, and maybe the ID #.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
)
