Date:      Wed, 13 Aug 2003 14:17:08 +0100
From:      "Markie" <markie@notwentytwo.freeserve.co.uk>
To:        "Andy Farkas" <andyf@speednet.com.au>, "Mark" <admin@asarian-host.net>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Restricting ICMP
Message-ID:  <003101c3619d$34565a20$e400a8c0@ape>
References:  <20030813215540.T90272-100000@hewey.af.speednet.com.au>


----- Original Message -----
From: "Andy Farkas" <andyf@speednet.com.au>
To: "Mark" <admin@asarian-host.net>
Cc: <freebsd-questions@freebsd.org>
Sent: Wednesday, August 13, 2003 1:01 PM
Subject: Re: Restricting ICMP


> Mark wrote:
>
> > I am just not very fond of the idea of local users starting ICMP wars over
> > the net, using my server :) I have already had an instance where a web-user
> > did an excessive ping attack on one of his buddies. And, naturally, I want
> > to prevent that. The chmod u-s idea mentioned here, was a good idea. Except
> > that, preferably, I'd like all of wheel to have access, and the rest not.
> > And that may be harder to implement.
>
> If your users play up, put your BOFH hat on and lart them.
>
> chmod'ing /sbin/ping is useless - users can compile their own version of
> ping.

Is it? I thought it was setuid root for a reason :o)

mrboo@beast:/home/mrboo$ ls -l /sbin/ping
-r-sr-xr-x  1 toor  wheel  469492 Aug 11 14:57 /sbin/ping

No but really, copy ping to your user home, as a user, from
/usr/src/sbin/ping and compile it yourself...

mrboo@beast:/home/mrboo/ping$ make
Warning: Object directory not changed from original /usr/home/mrboo/ping
cc -O -pipe -march=pentium2 -DIPSEC    -Wsystem-headers -Werror -Wall -Wno-format-y2k -Wno-uninitialized  -c ping.c
./ping
cc -O -pipe -march=pentium2 -DIPSEC    -Wsystem-headers -Werror -Wall -Wno-format-y2k -Wno-uninitialized   -o ping ping.o -lm -lipsec
bonegzip -cn ping.8 > ping.8.gz
mrboo@beast:/home/mrboo/ping$ ./ping bone
ping: socket: Operation not permitted
mrboo@beast:/home/mrboo/ping$

I just woke up, so it may well be I am just being stupid :o)

> Make your users aware that abusing ping (and other net resources) will get
> them kicked and banned from your system.
>
> --
>
>  :{ andyf@speednet.com.au
>
>         Andy Farkas
>     System Administrator
>    Speednet Communications
>  http://www.speednet.com.au/
>



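An added example, not part of the original thread: a POSIX sh check that reports who can execute a setuid file, run against a constructed scratch file rather than the real /sbin/ping. Mode 4555 matches the ls output in the message; mode 4550 with the file's group set to wheel is an assumed way to get the wheel-only access Mark asks for, and classify_suid is a hypothetical helper name.

```sh
#!/bin/sh
# Added example: report who can execute a setuid file, using only find(1).
# classify_suid is a hypothetical helper, not a FreeBSD tool.
# Prints: not-setuid | setuid-world | setuid-group | setuid-owner | missing
classify_suid() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 1; }
    if [ -z "$(find "$f" -perm -4000)" ]; then
        echo "not-setuid"      # run by a non-root user, it gains no root privilege
    elif [ -n "$(find "$f" -perm -0001)" ]; then
        echo "setuid-world"    # every local user runs it with the owner's uid
    elif [ -n "$(find "$f" -perm -0010)" ]; then
        echo "setuid-group"    # only the owner and the file's group can run it
    else
        echo "setuid-owner"    # only the owner can run it
    fi
}

# Constructed sample: a scratch file standing in for /sbin/ping.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/ping"
    for mode in 4555 4550 0555; do
        chmod "$mode" "$d/ping"
        echo "$mode $(classify_suid "$d/ping")"
    done
    rm -rf "$d"
}
demo
```

On a real system the same function can be pointed at /sbin/ping before and after a mode change to confirm the result.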