Date: Thu, 30 Nov 2006 13:24:24 -0600
From: Lane <lane@joeandlane.com>
To: freebsd-questions@freebsd.org
Subject: Re: stop a freebsd server from responding to pinging?
Message-ID: <200611301324.24259.lane@joeandlane.com>
In-Reply-To: <365084.23607.qm@web37213.mail.mud.yahoo.com>
References: <365084.23607.qm@web37213.mail.mud.yahoo.com>
On Thursday 30 November 2006 12:55, Wasp King wrote:
> 1. How do I stop others from port scanning a server?
>
> 2. Is stopping the response to pinging enough?
>
> 3. How do I stop the server from responding to
> pinging?
>
> Running FreeBSD 4.2 and 6.1.
>
> I changed the /etc/rc.network file to "NO" for
> broadcast ping responses, and this did not work (still
> responding to ping) when I rebooted:
>
>
> case ${icmp_bmcastecho} in
> [Yy][Ee][Ss])
> echo -n ' broadcast ping responses=NO'
> sysctl net.inet.icmp.bmcastecho=1
>
> >/dev/null

Wasp,

Check out /usr/ports/security/portsentry to reject portscan attempts.

By default it uses /etc/hosts.deny, which is deprecated. But you can configure it to run a command ("KILL_ROUTE" in portsentry.conf) to do just about anything you want.

My KILL_ROUTE command is a perl script that sends syslog entries to /var/log/auth.log, which are intercepted by /usr/ports/security/sshit to only temporarily block an offending IP using ipfw. It also sends an email notification at the time of the attempt, so I can be sure to keep an eye on the trouble-maker.

BTW: I think to completely block ping/traceroute you would add an ipfw rule like:

ipfw add drop icmp from any to any in via $eternal_nic

But that may introduce complications I'm unaware of ...

lane
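Lane's rule drops every inbound ICMP packet on the external interface, which also discards the unreachable and time-exceeded messages that TCP path-MTU discovery and traceroute depend on, and the quoted rc.network snippet only governs net.inet.icmp.bmcastecho, i.e. replies to broadcast and multicast echo requests, not ordinary unicast ping. The script below is an added example, not code from the thread: it prints a narrower ipfw rule set that stops the host answering ping while keeping those control messages. It assumes the interface name is passed as the first argument (fxp0 by default) and that rule numbers 1000-1003 are unused.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): print ipfw rules that
# drop inbound ICMP echo requests on one interface but keep the ICMP types
# other traffic relies on. Rules are printed, not applied, so the script runs
# anywhere; on a FreeBSD host with ipfw loaded, pipe the output to sh.
#
# Assumptions (constructed for this example): interface name in $1, default
# fxp0; rule numbers 1000-1003 are free in the running rule set.

gen_icmp_rules() {
    nic="$1"
    # Keep error/control types needed by TCP and UDP sessions:
    # 3 = destination unreachable (includes "fragmentation needed", PMTUD)
    # 4 = source quench, 11 = time exceeded, 12 = parameter problem
    printf 'ipfw add 1000 allow icmp from any to any in via %s icmptypes 3,4,11,12\n' "$nic"
    # Allow echo replies (type 0) so the host's own outbound pings still work
    printf 'ipfw add 1001 allow icmp from any to any in via %s icmptypes 0\n' "$nic"
    # Drop inbound echo requests (type 8): the host stops answering ping
    printf 'ipfw add 1002 drop icmp from any to any in via %s icmptypes 8\n' "$nic"
    # Drop any other ICMP arriving on that interface
    printf 'ipfw add 1003 drop icmp from any to any in via %s\n' "$nic"
}

# Sanity check helper: number of drop rules in the generated set
count_drop_rules() {
    gen_icmp_rules "$1" | grep -c ' drop '
}

gen_icmp_rules "${1:-fxp0}"
```

ipfw evaluates rules in number order, so the two allow rules must stay below the catch-all drop; renumber all four together if 1000-1003 collide with an existing rule set.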