Date:      Wed, 13 Aug 2003 15:09:15 +0200
From:      Ruben de Groot <mail23@bzerk.org>
To:        Andy Farkas <andyf@speednet.com.au>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Restricting ICMP
Message-ID:  <20030813130915.GA86196@ei.bzerk.org>
In-Reply-To: <20030813215540.T90272-100000@hewey.af.speednet.com.au>
References:  <200308130956.H7D9U28E022832@asarian-host.net> <20030813215540.T90272-100000@hewey.af.speednet.com.au>

On Wed, Aug 13, 2003 at 10:01:03PM +1000, Andy Farkas typed:
> Mark wrote:
> 
> > I am just not very fond of the idea of local users starting ICMP wars over
> > the net, using my server :) I have already had an instance where a web-user
> > did an excessive ping attack on one of his buddies. And, naturally, I want
> > to prevent that. The chmod u-s idea mentioned here, was a good idea. Except
> > that, preferably, I'd like all of wheel to have access, and the rest not.
> > And that may be harder to implement.
> 
> If your users play up, put your BOFH hat on and lart them.
> 
> chmod'ing /sbin/ping is useless - users can compile their own version of
> ping.
 
They can compile all they want, but they can't make the command suid root,
which is required for ping to work.

ruben@ei:/home/ruben> cp /sbin/ping .
ruben@ei:/home/ruben> ./ping localhost
ping: socket: Operation not permitted

So I would say taking away the s bit (or the execute bit for others) can
be very useful.

-Ruben

> Make your users aware that abusing ping (and other net resources) will get
> them kicked and banned from your system.
> 
> --
> 
>  :{ andyf@speednet.com.au
> 
>         Andy Farkas
>     System Administrator
>    Speednet Communications
>  http://www.speednet.com.au/
> 
> 
> 
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
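
The permission states discussed in this thread (setuid bit removed, execute bit removed for others, access limited to one group such as wheel) can be told apart with a small audit function. This is an added example, not part of the original message; the function name `ping_exposure`, its state labels and its optional group and owner arguments are assumptions of the example.

```shell
#!/bin/sh
# Added example: report who can use a setuid binary such as /sbin/ping,
# based only on owner, group and mode bits (POSIX find tests).
# Usage: ping_exposure PATH [GROUP] [OWNER]   (defaults: wheel, root)

ping_exposure() {
    bin=$1
    group=${2:-wheel}
    owner=${3:-root}

    [ -f "$bin" ] || { echo "missing"; return 1; }

    # No setuid bit held by the expected owner: an unprivileged user gets
    # "socket: Operation not permitted", as with the copied ./ping above.
    if [ -z "$(find "$bin" -user "$owner" -perm -4000)" ]; then
        echo "no-setuid"
        return 0
    fi

    # Setuid and executable by others: every local user can send ICMP.
    if [ -n "$(find "$bin" -perm -0001)" ]; then
        echo "world-executable"
        return 0
    fi

    # Setuid, no execute bit for others, group execute set for GROUP:
    # only the owner and members of GROUP can run it (e.g. mode 4550).
    if [ -n "$(find "$bin" -group "$group" -perm -0010)" ]; then
        echo "group-only:$group"
        return 0
    fi

    # Setuid, but neither others nor GROUP have the execute bit.
    echo "owner-only"
    return 0
}

# Run as a script: report on the path given, defaulting to /sbin/ping.
case "$0" in
    *ping_exposure*) ping_exposure "${1:-/sbin/ping}" ;;
esac
```
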


