In some server hardening situations we may need to disable the PING response, and we can do it as follows.
Edit /etc/sysctl.conf
sysctl is used to modify kernel parameters at runtime, so we can change the ping response parameter by adding or editing the following line in the /etc/sysctl.conf config file:
net.ipv4.icmp_echo_ignore_all=1
Then:
sysctl -p
To turn off ping echo for IPv6 at the same time, also add net.ipv6.icmp.echo_ignore_all=1 to the same file.
Or, as root, inspect the current ICMP settings:
# sysctl -a | grep -i icmp
net.netfilter.nf_conntrack_icmp_timeout = 30
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_errors_use_inbound_ifaddr = 0
To turn off ping, set net.ipv4.icmp_echo_ignore_all = 1:
# sysctl -w net.ipv4.icmp_echo_ignore_all=1
# sysctl -p
sysctl -p loads the sysctl settings from the file specified, or from /etc/sysctl.conf by default.
Now try to ping your system from another system. It will not work. To enable it again:
# sysctl -w net.ipv4.icmp_echo_ignore_all=0
To turn off ping echo for IPv6 at the same time:
# sysctl -w net.ipv6.icmp.echo_ignore_all=1
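The following script is an added example, not code from the original post: it audits the two echo-ignore keys discussed above from `sysctl -a`-style output (so the check can run offline against captured output) and writes a sysctl drop-in that makes the setting persistent. It assumes the Linux key names used in the post; the drop-in path /etc/sysctl.d/99-icmp-echo.conf is a name chosen here, not a system default, and the sample listing at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit the ICMP echo-ignore sysctls
# from `sysctl -a`-style output and write a persistent drop-in for them.
# Assumptions: Linux sysctl(8) key names as used in the post; the drop-in
# path /etc/sysctl.d/99-icmp-echo.conf is a name chosen here, not a system default.
set -u

# The two keys discussed in the post: IPv4 and IPv6 "ignore all echo requests".
ICMP_KEYS='net.ipv4.icmp_echo_ignore_all net.ipv6.icmp.echo_ignore_all'

# sysctl_value KEY LISTING
# Print the value of KEY from LISTING, which is text in the "key = value" form
# produced by `sysctl -a` (and also accepted by sysctl.conf). Prints "absent"
# when the key is not present, e.g. the IPv6 key on a kernel without it.
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1" '
        $1 == k && $2 == "=" { print $3; found = 1 }
        END { if (!found) print "absent" }'
}

# icmp_echo_audit LISTING
# Print one status line per key and return 0 only when every key that exists
# is set to 1, i.e. the host will not answer ping on that address family.
icmp_echo_audit() {
    audit_rc=0
    for key in $ICMP_KEYS; do
        v=$(sysctl_value "$key" "$1")
        case $v in
            1)      echo "$key ignoring" ;;
            0)      echo "$key responding"; audit_rc=1 ;;
            absent) echo "$key absent" ;;
            *)      echo "$key unexpected value: $v"; audit_rc=1 ;;
        esac
    done
    return $audit_rc
}

# write_icmp_echo_conf PATH
# Write a sysctl drop-in setting both keys to 1 so the change survives reboot.
# Load it afterwards with `sysctl -p PATH` (root required), as in the post.
write_icmp_echo_conf() {
    {
        echo '# Ignore ICMP echo requests (ping) for IPv4 and IPv6'
        for key in $ICMP_KEYS; do
            echo "$key = 1"
        done
    } > "$1"
}

# Constructed sample listing, modelled on the `sysctl -a | grep -i icmp`
# output shown in the post (host still answering IPv4 ping, no IPv6 key).
SAMPLE_BEFORE='net.netfilter.nf_conntrack_icmp_timeout = 30
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.icmp_errors_use_inbound_ifaddr = 0'

# Offline demonstration against the constructed sample. On a live host run:
#   icmp_echo_audit "$(sysctl -a 2>/dev/null | grep -i icmp)"
#   write_icmp_echo_conf /etc/sysctl.d/99-icmp-echo.conf && sysctl -p /etc/sysctl.d/99-icmp-echo.conf
icmp_echo_audit "$SAMPLE_BEFORE" || echo "result: host still answers ping"
```

Against the constructed sample the audit reports the IPv4 key as responding and the IPv6 key as absent, so it exits non-zero; after the drop-in is written and loaded, re-running the audit on the live `sysctl -a` output is the quick way to confirm the setting took effect without needing a second machine to ping from.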
Using iptables:
iptables -I INPUT -p icmp --icmp-type echo-request -j DROP
and the rule (which covers IPv4 only) can be saved with /etc/init.d/iptables save on systems that provide the iptables init script.
With crontab:
Run crontab -e as root, then add the following line:
@reboot echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
and the same for IPv6:
@reboot echo "1" > /proc/sys/net/ipv6/icmp/echo_ignore_all