How to disable PING response in Linux

In some server hardening situations we may need to disable the PING response. It can be done as follows.

Edit /etc/sysctl.conf

sysctl is used to modify kernel parameters at runtime, so we can change the ping response parameter by adding or editing the following line in the /etc/sysctl.conf config file:

net.ipv4.icmp_echo_ignore_all=1

Then:

sysctl -p

To turn off ping echo for IPv6 at the same time, also add net.ipv6.icmp.echo_ignore_all=1 to the same file.

Or execute as root

# sysctl -a | grep -i icmp
net.netfilter.nf_conntrack_icmp_timeout = 30
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_errors_use_inbound_ifaddr = 0

To turn off ping, net.ipv4.icmp_echo_ignore_all = 1 is the setting that matters.

# sysctl -w net.ipv4.icmp_echo_ignore_all=1
# sysctl -p

sysctl -p loads the sysctl settings from the file specified, or from /etc/sysctl.conf by default.

Now try to ping your system from another system. It will not work. To enable it again,

# sysctl -w net.ipv4.icmp_echo_ignore_all=0

To turn off ping echo for IPv6 at the same time:

# sysctl -w net.ipv6.icmp.echo_ignore_all=1
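Added here as an example, not part of the original post: a small POSIX sh audit helper that reads sysctl-style "key = value" lines and reports whether the IPv4 and IPv6 echo-ignore keys are actually set, so the change above can be verified after sysctl -p or a reboot. It only sees the sysctl/proc state (an iptables DROP rule is not visible to it), the IPv6 key is reported as missing on kernels that do not provide it, and the sample dump is constructed rather than captured from a real host.

```shell
#!/bin/sh
# Audit helper: report whether ICMP echo requests are ignored, from
# "sysctl -a"-style "key = value" lines read on stdin.
# Returns 0 only when every listed key is present and set to 1.

# Keys that suppress echo replies (the IPv6 key exists only on kernels that provide it).
ICMP_ECHO_KEYS="net.ipv4.icmp_echo_ignore_all net.ipv6.icmp.echo_ignore_all"

# sysctl_value KEY  (reads a dump on stdin): print KEY's value, or "missing".
sysctl_value() {
    awk -v key="$1" '
        $1 == key && $2 == "=" { print $3; found = 1 }
        END { if (!found) print "missing" }'
}

# check_icmp_echo  (reads a dump on stdin): one status line per key,
# exit status 1 if any key is answered (0) or absent from the dump.
check_icmp_echo() {
    dump=$(cat)
    rc=0
    for key in $ICMP_ECHO_KEYS; do
        value=$(printf '%s\n' "$dump" | sysctl_value "$key")
        case "$value" in
            1) state="ignored (host will not answer ping)" ;;
            0) state="answered (ping still works)"; rc=1 ;;
            *) state="not in dump (key unsupported or not collected)"; rc=1 ;;
        esac
        printf '%s = %s -> %s\n' "$key" "$value" "$state"
    done
    return $rc
}

# Constructed sample dump (not captured from a real host), shaped like the
# "sysctl -a | grep -i icmp" output shown above.
SAMPLE_DUMP='net.netfilter.nf_conntrack_icmp_timeout = 30
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv6.icmp.echo_ignore_all = 0'

# Run against the sample; on a real host, pipe "sysctl -a" in instead.
printf '%s\n' "$SAMPLE_DUMP" | check_icmp_echo || echo "ICMP echo is still answered"
```

On a live host, run "sysctl -a 2>/dev/null | check_icmp_echo" after sourcing the functions; a non-zero exit means at least one address family still answers ping.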

Using iptables:

iptables -I INPUT -p icmp --icmp-type echo-request -j DROP

and the rule can be saved with /etc/init.d/iptables save

With crontab:

Run crontab -e as root, then add the following line:

@reboot echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

and the same for IPv6:

@reboot echo "1" > /proc/sys/net/ipv6/icmp/echo_ignore_all
