Protect your computer against ping

About the ping command

Through the ICMP protocol, that is, the popular command ping We can know if a certain computer is alive on the network, if we have routes, I walk to it without problems.

So far it seems beneficial and it is, however like many good tools or applications, it can be used for harmful purposes, for example a DDoS with ping, which can translate into 100.000 requests with ping per minute or per second, which could crash the end computer or our network.

Be that as it may, on certain occasions we want our computer not to respond to ping requests from others on the network, that is, to appear not to be connected, for this we must disable the ICMP protocol response in our system.

How to verify if we have enabled the ping response option

There is a file in our system that allows us to define in an extremely simple way, if we have enabled the ping response or not, it is: / proc / sys / net / ipv4 / icmp_echo_ignore_all

If that file contains a 0 (zero), then everyone who pings us will get a response whenever our computer is online, however, if we put a 1 (one) then it does not matter if our PC is connected or not, it will appear not to be.

In other words, with the following command we will edit that file:

sudo nano /proc/sys/net/ipv4/icmp_echo_ignore_all

We change the 0 for 1 and we press [Ctrl] + [O] to save, and then [Ctrl] + [X] to exit.

Ready, our computer does NOT respond to the ping of others.

Alternatives to protect ourselves from ping attacks

Another alternative is obviously using a firewall, using iptables it can also be done without much hassle:

sudo iptables -A INPUT -p icmp -j DROP

Then remember, the iptables rules are cleaned when the computer is restarted, we must by some method save the changes, either through iptables-save and iptables-restore, or by making a script ourselves.

And this has been it 🙂


The content of the article adheres to our principles of editorial ethics. To report an error click here!.

17 comments, leave yours

Leave a Comment

Your email address will not be published. Required fields are marked with *

*

*

  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   neysonv said

    excellent contribution. Tell me, would it serve to avoid disconnection requests ??? like when they want to crack the network using aircrack-ng. I say because if apparently we are disconnected they will not be able to send us such requests. Thanks for the input

    1.    PopArch said

      It doesn't work that way, this only blocks the icmp echo response, so if someone wants to test the connection with an icmp echo request your computer will do icmp echo ignore and therefore the person who is trying to test the connection will get a Response type "host seems to be down or blocking ping probes", but if someone is monitoring the network with airodump or some similar tool, they will be able to see that you are connected because these tools are analyzing the packets that are sent to the AP or received from AP

  2.   Frank Sanabria said

    It should be noted, that it is only temporary, after restarting your pc it will receive pings again, to make it permanent, with respect to the first trick configure the /etc/sysctl.conf file and at the end add net.ipv4.icmp_echo_ignore_all = 1 and with respect The second tip is similar but more "Long" (Save Iptables Conf, make an interface script up that runs when the system starts, and stuff)

  3.   mmm said

    Hi. Could it be that something is wrong? or what could it be? because in ubuntu there is no such file ......

  4.   Franz said

    It was flawless as always.
    A small observation, when closing nano is not faster Ctrl + X and then exit with Y or S
    Respects

  5.   Yukiteru said

    Excellent tip, @KZKG, I use the same tip among many others in order to improve the security of my PC and the two servers I work with, but to avoid the iptables rule, I use sysctl and its folder configuration /etc/sysctl.d/ with a file to which I attach the necessary commands so that with each restart they are loaded and my system boots with all the values ​​already modified.

    In the case of using this method, just create a file XX-local.conf (XX can be a number from 1 to 99, I have it in 50) and write:

    net.ipv4.icmp_echo_ignore_all = 1

    Already with that they have the same result.

    1.    jsan92 said

      Pretty simple solution, thanks
      What other commands do you have in that file?

      1.    Yukiteru said

        Any command that has to do with sysctl variables and can be manipulated through sysctl can be used in this way.

      2.    Frank Sanabria said

        To see the different values ​​that you can enter to the sysctl type in your terminal sysctl -a

  6.   Solrak Rainbowarrior said

    In openSUSE I have not been able to edit it.

  7.   David said

    Good.
    Another faster way would be using sysctl

    #sysctl -w net.ipv4.icmp_echo_ignore_all = 1

  8.   cpollane said

    As said, in IPTABLES you can also reject a ping request for everything by:
    iptables -A INPUT -p icmp -j DROP
    Now, if we want to reject any request except a specific one, we can do it in the following way:
    We declare variables:
    IFEXT = 192.168.16.1 #my IP
    AUTHORIZED IP = 192.168.16.5
    iptables -A INPUT -i $ IFEXT -s $ AUTHORIZED IP -p icmp -m icmp –icmp-type echo-request -m length –length 28: 1322 -m limit –limit 2 / sec –limit-burst 4 -j ACCEPT

    In this way we authorize only that IP to ping our PC (but with limits).
    I hope it is useful to you.
    Salu2

  9.   loverdelinux ... nolook.com said

    Wow, the differences between users, while the windowseros talk about how to play halo or the evil within Linux boring the world with things like this.

    1.    KZKG ^ Gaara said

      And that is why Windowseros then only know how to play, while Linuxeros are the ones who really know advanced administration of OS, networks, etc.
      Thank you for giving us your visit 😀

  10.   userarch said

    Coordiales Greetings
    The theme of is very useful and helps to some extent.
    Thank you.

  11.   Gonzalo said

    when the windows find out about this you will see they go crazy

  12.   lolo said

    in iptables that you have to put the ip in the IMPUT and in the DROP something else?