Want to block ping in servers using UFW?
Leaving ping enabled on a server makes it easier to target with attacks such as Ping flood and Ping of death.
Fortunately, UFW offers straightforward options to block PING requests on the server.
At Bobcares, we often receive requests regarding the UFW firewall as a part of our Server Management Services.
Today, let us discuss how Support Engineers block ping and tighten server security.
What is ICMP and why block ping?
ICMP (Internet Control Message Protocol) is an error-reporting protocol used by network devices. ICMP differs from transport protocols such as TCP and UDP in that it is not normally used to exchange application data between systems.
Ping uses the ICMP Echo function. Its replies can even reveal details about our server setup. Thus, one of the main reasons to block ping is to hide our infrastructure from others. It also prevents ICMP-based DoS attacks and ping sweeps. In a Ping of death, the attacker deliberately sends an IP packet larger than 65,536 bytes, which eventually makes the server unresponsive.
Disabling ping also protects against old-style worms that spread using ICMP echo requests. When the server answers every request with an ICMP Echo Reply packet, it consumes both incoming and outgoing bandwidth, and this slows the server down.
How to block ping using UFW
Let us discuss how we block ping on servers using the UFW firewall.
Recently, one of our customers asked us to block ping to their server, an Ubuntu server running the UFW firewall. Let us see how our Support Engineers handled the request.
The rules for ICMP ping are defined in the file before.rules, located at /etc/ufw/before.rules.
Therefore, before making any changes, our Support Engineers first take a backup of the file (replace "date" in the name below with the current date):
cp /etc/ufw/before.rules /etc/ufw/before.rules_backup_date
Now we open the file and locate the rules below:
vi /etc/ufw/before.rules
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
We change the target of these rules from ACCEPT to DROP:
# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
After changing the rules, we finally reload the UFW service so the new rules take effect:
ufw reload
Common tools such as ping and traceroute rely on ICMP and are necessary for administration and for troubleshooting network issues. Once ICMP is disabled, ping and traceroute will no longer work, and any application that depends on a host response will fail.
Disabling the entire ICMP protocol is therefore not a good way to secure a network. Instead, we can disable only a subset of ICMP types, chosen according to the requirement. Thus selectively blocking PING on the server is the default security practice that our Security Engineers recommend to server owners.
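The following script is an added example, not part of the original post: it applies the selective approach described above, backing up before.rules and switching only the echo-request INPUT rule from ACCEPT to DROP while leaving the other ICMP types (destination-unreachable, time-exceeded, and so on) untouched. The function names and the embedded sample rules are constructed for the example; on a real server you would run drop_echo_request against /etc/ufw/before.rules as root and then run "ufw reload".

```shell
#!/bin/sh
# Constructed sample of the ICMP INPUT block as it appears in /etc/ufw/before.rules
SAMPLE_RULES='# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT'

# drop_echo_request FILE: back up FILE, then change only the echo-request
# INPUT rule from ACCEPT to DROP. The other ICMP types keep their ACCEPT
# target so path-MTU discovery and traceroute replies still get through.
drop_echo_request() {
    file="$1"
    cp "$file" "$file.backup_$(date +%Y%m%d)"
    sed 's/^\(-A ufw-before-input -p icmp --icmp-type echo-request -j \)ACCEPT$/\1DROP/' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# count_echo_drop FILE: number of echo-request INPUT rules that now DROP (expect 1)
count_echo_drop() {
    grep -c -- '^-A ufw-before-input -p icmp --icmp-type echo-request -j DROP$' "$1"
}

# count_accept FILE: number of ICMP INPUT rules still set to ACCEPT (expect 4)
count_accept() {
    grep -c -- '^-A ufw-before-input -p icmp .* -j ACCEPT$' "$1"
}

# Demo on a throwaway copy of the constructed sample; never touches /etc/ufw.
demo_file="$(mktemp)"
printf '%s\n' "$SAMPLE_RULES" > "$demo_file"
drop_echo_request "$demo_file"
echo "echo-request rules dropping: $(count_echo_drop "$demo_file")"
echo "ICMP rules still accepted:   $(count_accept "$demo_file")"
grep -- 'echo-request' "$demo_file"
```

After editing the real file, "ufw reload" applies the change; a ping from another host should then time out while traceroute and MTU-related ICMP messages keep working.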
Conclusion
In short, we have discussed how our Support Engineers use UFW to block PING. We also saw how blocking PING requests secures the server against PING-based attacks.