From owner-freebsd-questions@FreeBSD.ORG Thu Nov 30 19:10:44 2006
Date: Thu, 30 Nov 2006 14:10:40 -0500
From: Bill Moran <wmoran@collaborativefusion.com>
To: Wasp King
Cc: questions@freebsd.org
Subject: Re: stop a freebsd server from responding to pinging?
Message-Id: <20061130141040.1e25f78a.wmoran@collaborativefusion.com>
In-Reply-To: <365084.23607.qm@web37213.mail.mud.yahoo.com>
References: <20061130120959.437ada40.wmoran@collaborativefusion.com> <365084.23607.qm@web37213.mail.mud.yahoo.com>
Organization: Collaborative Fusion
X-Mailer: Sylpheed version 2.2.9 (GTK+ 2.10.6; i386-portbld-freebsd6.1)
List-Id: User questions

In response to Wasp King:

> 1. How do I stop others from port scanning a server?

Drive to their house and smash their computer.

> 2. is stopping the response to pinging enough?

No. In fact, not responding to ping is a bad idea. Disabling ping responses violates certain RFCs and is a tactic taken by sysadmins who should know better. Additionally, a determined scanner won't care whether you respond to ping or not, so it doesn't even gain you anything. nmap, probably the most popular scanner out there, has an option to scan without pinging, and even _recommends_ turning that on if you try to ping and get no responses.

> 3. how do I stop the server from responding to
> pinging?

You can always use pf or ipfw, if you _really_ want to go down that road.

> Running FreeBSD 4.2 and 6.1.
>
> I changed the /etc/rc.network file to "NO" for
> broadcast ping responses, and this did not work (still
> responding to ping) when I rebooted:
>
>
> case ${icmp_bmcastecho} in
> [Yy][Ee][Ss])
> echo -n ' broadcast ping responses=NO'
> sysctl net.inet.icmp.bmcastecho=1 >/dev/null

That just stops it from responding to ping requests destined for the broadcast address, which is a topic of some debate. It will still respond to ping requests sent directly to it.

Anyway, the question that you didn't ask is "how do I secure my system from network attacks". The Q&D answer is:

1) only run network services that you really need
2) ensure those services are properly secured

If you do those two, who cares if you get portscanned?

-- 
Bill Moran
Collaborative Fusion Inc.
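The reply above points at pf or ipfw for the "stop answering ping" case and notes that net.inet.icmp.bmcastecho only affects broadcast-addressed echo requests. The following /etc/pf.conf fragment is an added example, not from the thread or from the FreeBSD project; it assumes the external interface is named em0 and that ssh is the only service the host needs to expose. It drops unicast echo requests while still passing the ICMP types that path MTU discovery relies on, so the host does not end up with the broken connectivity that blanket ICMP filtering causes.

```pf
# /etc/pf.conf fragment (added example; interface name em0 is an assumption)
ext_if = "em0"

# Default-deny inbound on the external interface; allow the host's own
# outbound traffic and the replies to it.
block in on $ext_if
pass out on $ext_if keep state

# Only the services actually needed are opened (assumption: ssh only).
pass in on $ext_if proto tcp from any to any port 22 keep state

# ICMP: pass destination-unreachable and time-exceeded so path MTU
# discovery and traceroute keep working. Echo requests (icmp-type echoreq)
# are deliberately not passed, so they fall through to the block rule and
# the host stops answering ping. Note that net.inet.icmp.bmcastecho is
# unrelated here: it only governs replies to broadcast-addressed echoes.
pass in on $ext_if inet proto icmp icmp-type { unreach, timex }
```

Load it with `pfctl -f /etc/pf.conf` and confirm the rule set with `pfctl -sr`. The ipfw equivalent for the ping part alone is `ipfw add deny icmp from any to me icmptypes 8`. Either way the default-deny plus explicit-pass structure is what implements the two-step answer in the reply: a port scan of this host only ever sees port 22, whether or not the host answers ping.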