LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-05-2006, 05:20 AM   #16
iNeo
LQ Newbie
 
Registered: Feb 2006
Posts: 13


Quote:
Originally Posted by win32sux
well, if you filter the pings with regular iptables instead of sysctl.conf it's just a matter of adding a LOG target rule... so anytime someone pings you it will show-up in /var/log/syslog:
Code:
iptables -I INPUT -p ICMP --icmp-type 8 \
-m state --state NEW -j LOG
What I meant was, the person who pings would see a message (that we had configured) when he tried to ping our system.
 
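The LOG rule quoted above writes one kernel line to /var/log/syslog for every new echo request. As an added example that is not from this thread, here is a small Python parser for lines in that format which counts echo requests per source address and can flag sources above a threshold. The sample log lines are constructed: the host name, the 192.0.2.0/24 addresses and the "PING: " prefix (which assumes the rule was given the real `--log-prefix "PING: "` option) are not from the page.

```python
import re
from collections import Counter

# Constructed sample /var/log/syslog lines in the layout the iptables LOG target
# emits (field names are the kernel's; addresses are from the documentation range).
# The first three lines assume a rule with --log-prefix "PING: "; the TCP line has none.
SAMPLE_SYSLOG = """\
Feb  5 05:20:01 gw kernel: PING: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=10241 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Feb  5 05:20:02 gw kernel: PING: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=10242 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=2
Feb  5 05:20:05 gw kernel: PING: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=31 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=9
Feb  5 05:20:06 gw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.77 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=32 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Feb  5 05:20:07 gw sshd[1234]: Accepted publickey for admin from 192.0.2.5 port 50000 ssh2
"""

# "kernel:" optionally followed by a "[ 123.456]" timestamp, an optional log prefix,
# then the KEY=VALUE body that always starts with IN=.
LOG_RE = re.compile(r"kernel:\s*(?:\[\s*[\d.]+\]\s*)?(.*?)(IN=.*)$")


def parse_iptables_log(line):
    """Return a dict of the LOG fields (plus 'prefix' and 'flags'), or None for non-LOG lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"prefix": m.group(1).strip(), "flags": set()}
    for token in m.group(2).split():
        if "=" in token:
            key, value = token.split("=", 1)
            if key in fields:            # ID occurs twice on ICMP lines: IP ID, then ICMP ID
                key = "ICMP_" + key
            fields[key] = value
        else:
            fields["flags"].add(token)   # DF, SYN, ACK ... carry no value
    return fields


def count_icmp_echo_requests(lines):
    """Count echo requests (PROTO=ICMP TYPE=8) per source address."""
    counts = Counter()
    for line in lines:
        f = parse_iptables_log(line)
        if f and f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":
            counts[f["SRC"]] += 1
    return counts


def sources_over_threshold(lines, threshold):
    """Sources that sent at least `threshold` echo requests in the given lines."""
    return sorted(src for src, n in count_icmp_echo_requests(lines).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    for src, n in count_icmp_echo_requests(lines).most_common():
        print(f"{src:16} {n} echo request(s)")
    print("over threshold 2:", sources_over_threshold(lines, 2))
```

The parser keeps non-LOG lines (the sshd line) out of the count and keeps the TCP SYN line distinct from the pings, which is what you want before treating a burst of echo requests as anything more than the connectivity test nx5000 describes below.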
Old 02-05-2006, 06:12 AM   #17
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by iNeo
What I meant was, the person who pings would see a message (that we had configured) when he tried to ping our system.
oh, okay... well, i don't know how to do that... i'm sure someone else does, though...

i'm thinking maybe what we do is mangle the outgoing icmp echo reply or something like that??

could you provide an IP/domain we could ping to see these customized replies?? i don't think i've ever seen one, but i'm not sure... basically you're saying we could put any text in the reply, right??

Last edited by win32sux; 02-05-2006 at 06:14 AM.
 
Old 02-06-2006, 05:55 PM   #18
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

ineo
you may try using REJECT (--reject-with) instead of DROP. Check the man pages.
 
Old 02-06-2006, 06:03 PM   #19
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by ppuru
ineo
you may try using REJECT (--reject-with) instead of DROP. Check the man pages.
Code:
 REJECT
       This is used to send back an error packet in response  to  the  matched
       packet:  otherwise it is equivalent to DROP so it is a terminating TAR-
       GET, ending rule traversal.  This target is only valid  in  the  INPUT,
       FORWARD  and  OUTPUT  chains,  and  user-defined  chains which are only
       called from those chains.  The following option controls the nature  of
       the error packet returned:

       --reject-with type
              The type given can be
               icmp-net-unreachable
               icmp-host-unreachable
               icmp-port-unreachable
               icmp-proto-unreachable
               icmp-net-prohibited
               icmp-host-prohibited or
               icmp-admin-prohibited (*)
              which  return  the appropriate ICMP error message (port-unreach-
              able is the default).  The option tcp-reset can be used on rules
              which  only match the TCP protocol: this causes a TCP RST packet
              to be sent back.  This  is  mainly  useful  for  blocking  ident
              (113/tcp)  probes  which  frequently  occur when sending mail to
              broken mail hosts (which won't accept your mail otherwise).

       (*) Using icmp-admin-prohibited with kernels that  do  not  support  it
       will result in a plain DROP instead of REJECT
so basically we have to choose one of those messages right?? like, we don't get to make our own??
 
Old 02-07-2006, 04:40 AM   #20
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Why do you want to do this?
Either you respond with a correct reply or you want to stay invisible (which is stupid if you have one tcp port open or your firewall sends a reject when being probed on one port).

Basically when a cracker sees a prohibited message, he will be very interested in hacking your box. Prohibited things always bring curiosity.

Some Windows machines (Windows 2000 in a LAN, I don't know in a WAN environment) send ping requests automatically, without the user doing anything, so you will end up with "false positive" events. Ping is nothing, it's a connectivity test, not a scan. It's not proof of an attack, it can precede an attack/scan maybe.

Also RFC 1812 states that only admin_prohibited should be used and only on routers. So you show your box as being a router, hum, even more interesting!

Quote:
Defined Code 9 for communication with
destination network administratively prohibited and Code 10 for
communication with destination host administratively prohibited.
These codes were intended for use by end-to-end encryption devices
used by U.S military agencies. Routers SHOULD use the newly defined
Code 13 (Communication Administratively Prohibited) if they
administratively filter packets.
You can be interested in trying this for a little time but for general use, either don't respond (AT ALL, not only ping, stay invisible) or let your kernel respond normally.
 
Old 02-07-2006, 11:45 AM   #21
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

dude i'm not interested in doing this. i'm just interested in knowing if it can be done or not. iNeo's original question sounded like he wanted to be able to make a *customized* message be sent back. after reading your post about the cracker we still don't know the answer. so for now i'll assume there's no easy way to do it, or that in fact it can't be done. perhaps we just get to choose from those types of replies, and the message the person doing the ping gets on his side depends on HIS setup??
 
Old 02-07-2006, 12:56 PM   #22
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

My first question was to the OP but I forgot to mention it. Sorry.. The title mentions blocking, then the OP asks for changing the data in return and then somebody pointed to reject. I tried to answer 2 of them, the other *I* find stupid. If it's for fun on a home machine then maybe as you said mangling icmp_echo_replies should do the trick.
Microsoft had (have) this also hard coded, they always returned ABCDE.. or something like this, which violates the RFC (Data received in the ICMP_ECHO request MUST be included in the reply)
 
Old 02-07-2006, 05:24 PM   #23
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

It's my understanding that an ICMP (ping) packet has specific codes that mean one of the pre-defined errors (listed in win32sux's post of the iptables options). This means that the only messages you can return are the pre-defined ones and that anything you put into the "data" section of an ICMP packet is filler and will be ignored. As far as stopping pings for security, if you are going to do it then either drop them or report host unreachable; anything else will just pique the interest of any potential hackers even more.
 
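To make the points in Darin's and nx5000's posts concrete, here is an added Python example (written for this page, not code from the thread or from the iptables project) that builds and parses ICMP echo and Destination Unreachable packets with the RFC 1071 checksum. It checks the echo-reply rule nx5000 quotes (RFC 1122: the reply must carry the request's identifier, sequence number and data unchanged, so a reply that substitutes fixed filler like "ABCDE" fails the check) and maps type 3 codes to the `--reject-with` names from the quoted man page; the reply really is limited to those codes, there is no free-text field. The identifier 0x1234, the payloads and the 28-byte stand-in for the quoted IP header are constructed values.

```python
import struct

# Destination Unreachable (ICMP type 3) codes and the iptables --reject-with
# names that produce them (names as listed in the quoted iptables man page).
REJECT_WITH_NAMES = {
    0: "icmp-net-unreachable",
    1: "icmp-host-unreachable",
    2: "icmp-proto-unreachable",
    3: "icmp-port-unreachable",
    9: "icmp-net-prohibited",
    10: "icmp-host-prohibited",
    13: "icmp-admin-prohibited",
}
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST = 0, 3, 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum of 16-bit words; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _finish(header_no_csum: bytes, body: bytes) -> bytes:
    """Fill the checksum field (bytes 2-3) of an 8-byte ICMP header and append the body."""
    csum = icmp_checksum(header_no_csum + body)
    return header_no_csum[:2] + struct.pack("!H", csum) + header_no_csum[4:] + body


def build_echo(kind: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Echo Request (type 8) or Echo Reply (type 0): type, code 0, checksum, id, seq, data."""
    return _finish(struct.pack("!BBHHH", kind, 0, 0, ident, seq), payload)


def build_unreachable(code: int, original_datagram: bytes) -> bytes:
    """Type 3: code, checksum, 4 unused bytes, then the offending IP header + 8 bytes."""
    return _finish(struct.pack("!BBHI", DEST_UNREACHABLE, code, 0, 0), original_datagram)


def parse_icmp(packet: bytes) -> dict:
    """Decode the common header; a correct packet sums to zero over its whole length."""
    kind, code, _csum = struct.unpack("!BBH", packet[:4])
    info = {"type": kind, "code": code, "checksum_ok": icmp_checksum(packet) == 0}
    if kind in (ECHO_REQUEST, ECHO_REPLY):
        info["ident"], info["seq"] = struct.unpack("!HH", packet[4:8])
    info["payload"] = packet[8:]   # echo data, or for type 3 the quoted original datagram
    return info


def reply_echoes_request(request: bytes, reply: bytes) -> bool:
    """RFC 1122 3.2.2.6: identifier, sequence number and data must come back unchanged."""
    req, rep = parse_icmp(request), parse_icmp(reply)
    return (req["type"] == ECHO_REQUEST and rep["type"] == ECHO_REPLY
            and req["checksum_ok"] and rep["checksum_ok"]
            and (req["ident"], req["seq"]) == (rep["ident"], rep["seq"])
            and req["payload"] == rep["payload"])


def describe_reject(packet: bytes):
    """Name the --reject-with option that emits this type 3 packet, or None if it is not one."""
    info = parse_icmp(packet)
    if info["type"] != DEST_UNREACHABLE or not info["checksum_ok"]:
        return None
    return REJECT_WITH_NAMES.get(info["code"])


if __name__ == "__main__":
    req = build_echo(ECHO_REQUEST, 0x1234, 1, b"hello")
    good = build_echo(ECHO_REPLY, 0x1234, 1, b"hello")
    filler = build_echo(ECHO_REPLY, 0x1234, 1, b"ABCDE")   # constructed: fixed data instead of the request's
    print("conforming reply:", reply_echoes_request(req, good))
    print("fixed-filler reply:", reply_echoes_request(req, filler))
    quoted = b"\x45" + bytes(27)   # constructed stand-in for the 20-byte IP header + 8 bytes
    for code in (1, 3, 13):
        print(code, describe_reject(build_unreachable(code, quoted)))
```

Note the footnote in the man page excerpt: a kernel without support for code 13 silently drops instead, so a sender sees no type 3 packet at all for that option, which `describe_reject` would report as no reject (it never sees a packet).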