New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Allow ping or not ?
What are the dangers of allowing a server to respond to ping?
When choosing a vm from a cloud provider I often want to check how quickly it can communicate with my main server. This is normally done using the providers 'looking glass' to ping remotely.
However good security practice tends to say allowing ping makes it easier for others to find your server.
So should I allow ping responses from my main server or not?
Comments
disabling ping is nothing but security-by-obscurity, and thus should be avoided
I disable it where I can, why not. Why do I want to respond to ping?
smokeping?
Disabling ping is fine, but disabling ICMP can be bad for network
Mostly shady people likes to disable ICMP. They close up their boxes every way they can and sometimes end up blocking network by mistake, breaking OS, etc.
The bad guys scan for numerous open ports across wide ranges of IP's. Having ping disabled does very little for security. They will "find you" one way or the other.
Ah yes, the if you got nothing to hide you got nothing to fear argument
ICMP is quite a common attack vector nowadays, and is not a highly important protocol.
Uptime checks can still be done using TCP.
Disabled all IPv4 inbound, then I use IPv6 to manage the server, and not on the common port, not XXXX::1 IP.
Almost no one will scan my server,It would probably be safer if @yoursunny gave me an IPv9.
I don't disable ping on my servers.
You may use the following command to see RTT to a ping-disabled server:
This uses TCP SYN packet.
It needs to target an open TCP port.
Mentally strong people keep SSH on port 22.
Those who attempt to bruce force SSH password are periodically submitted to Santa Claus for inclusion in the naughty list.
Thanks everyone - pretty much sums up my feelings.
I will only allow ping responses on my public facing storage server (using sshfs) but lock down via iptables to my other vms for ssh access.
@msatt maybe it's a lean thing? I remember back in the days when ping was an actual valid attack because the connections were smaller back then, machines has less resources as well. I'm not too sure if you can ping a machine to death any longer - so I'll think of it in terms of whether ping is important for the owner of the server - if it isn't, blocking it is like theoretically blocking an additional unrequired service (maybe?). If I'm however missing some important vulnerability with ping, please educate me but that's what I think. Pretty much all my VMs and servers I own have ping disabled - never needed to disable it on them.
I confirm, there are benefits by disabling ICMP requests, such as avoiding some type of (DDoS) attacks.