Date: Wed, 13 Aug 2003 14:17:08 +0100
From: "Markie" <markie@notwentytwo.freeserve.co.uk>
To: "Andy Farkas" <andyf@speednet.com.au>, "Mark" <admin@asarian-host.net>
Cc: freebsd-questions@freebsd.org
Subject: Re: Restricting ICMP
Message-ID: <003101c3619d$34565a20$e400a8c0@ape>
References: <20030813215540.T90272-100000@hewey.af.speednet.com.au>

----- Original Message -----
From: "Andy Farkas" <andyf@speednet.com.au>
To: "Mark" <admin@asarian-host.net>
Cc: <freebsd-questions@freebsd.org>
Sent: Wednesday, August 13, 2003 1:01 PM
Subject: Re: Restricting ICMP

> Mark wrote:
>
> > I am just not very fond of the idea of local users starting ICMP wars over
> > the net, using my server :) I have already had an instance where a web-user
> > did an excessive ping attack on one of his buddies. And, naturally, I want
> > to prevent that. The chmod u-s idea mentioned here, was a good idea. Except
> > that, preferably, I'd like all of wheel to have access, and the rest not.
> > And that may be harder to implement.
>
> If your users play up, put your BOFH hat on and lart them.
>
> chmod'ing /sbin/ping is useless - users can compile their own version of
> ping.

Is it? I thought it was setuid root for a reason :o)

mrboo@beast:/home/mrboo$ ls -l /sbin/ping
-r-sr-xr-x 1 toor wheel 469492 Aug 11 14:57 /sbin/ping

No but really, copy ping to your user home, as a user, from
/usr/src/sbin/ping and compile it yourself...

mrboo@beast:/home/mrboo/ping$ make
Warning: Object directory not changed from original /usr/home/mrboo/ping
cc -O -pipe -march=pentium2 -DIPSEC -Wsystem-headers -Werror -Wall -Wno-format-y2k -Wno-uninitialized -c ping.c
./ping
cc -O -pipe -march=pentium2 -DIPSEC -Wsystem-headers -Werror -Wall -Wno-format-y2k -Wno-uninitialized -o ping ping.o -lm -lipsec
bonegzip -cn ping.8 > ping.8.gz
mrboo@beast:/home/mrboo/ping$ ./ping bone
ping: socket: Operation not permitted
mrboo@beast:/home/mrboo/ping$

I just woke up, so it may well be I am just being stupid :o)

> Make your users aware that abusing ping (and other net resources) will get
> them kicked and banned from your system.
>
> --
>
> :{ andyf@speednet.com.au
>
> Andy Farkas
> System Administrator
> Speednet Communications
> http://www.speednet.com.au/
>
>
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
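
Added example, not part of the thread: a small POSIX sh check that reads the `ls -l` mode column shown above and reports who can execute a set-uid binary. With root ownership, group wheel and mode 4550 (-r-sr-x---), ping stays set-uid but only root and members of wheel can run it. The function names classify_mode and audit_path are hypothetical, and the mode strings other than the one from the post are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Reads the `ls -l` mode column and
# reports who can execute a set-uid binary such as /sbin/ping.

# classify_mode MODE -> world | group | owner | none
#   world: set-uid and executable by everyone (-r-sr-xr-x, as in the post)
#   group: set-uid, owner and group only      (-r-sr-x---, i.e. chmod 4550)
#   owner: set-uid, no group or other execute bit
#   none : no set-uid bit, so the binary runs with the caller's own
#          privileges and, as in the post, cannot open the raw ICMP socket
classify_mode() {
    u=$(printf '%s' "$1" | cut -c4)     # owner execute slot: x, s, S or -
    g=$(printf '%s' "$1" | cut -c7)     # group execute slot
    o=$(printf '%s' "$1" | cut -c10)    # other execute slot
    case $u in
        s|S) ;;                         # set-uid bit present
        *)   echo none; return 0 ;;
    esac
    case $o in x|t) echo world; return 0 ;; esac
    case $g in x|s) echo group; return 0 ;; esac
    echo owner
}

# audit_path FILE -> "<class> <owner> <group>", taken from `ls -ld`
audit_path() {
    set -- $(ls -ld -- "$1")            # $1=mode, $3=owner, $4=group
    printf '%s %s %s\n' "$(classify_mode "$1")" "$3" "$4"
}

# The first mode string is the one shown in the post; the others are
# constructed for comparison.
for m in -r-sr-xr-x -r-sr-x--- -r-xr-xr-x; do
    printf '%s  %s\n' "$m" "$(classify_mode "$m")"
done
```

Running `audit_path /sbin/ping` after a permissions change shows the resulting class together with the owner and group, so a "group" result with group wheel confirms the wheel-only setup.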