Allow ping or not ?

What are the dangers of allowing a server to respond to ping?

When choosing a VM from a cloud provider, I often want to check how quickly it can communicate with my main server. This is normally done using the provider's 'looking glass' to ping remotely.
However, good security practice tends to say allowing ping makes it easier for others to find your server.

So should I allow ping responses from my main server or not?

Comments

  • Disabling ping is nothing but security-by-obscurity, and thus should be avoided.

  • ezeth Member, Host Rep

    I disable it where I can, why not. Why do I want to respond to ping?

  • @ezeth said:
    I disable it where I can, why not. Why do I want to respond to ping?

    smokeping?

  • ericls Member, Patron Provider

    Disabling ping is fine, but disabling ICMP can be bad for network

  • Shakib Member, Patron Provider

    Mostly shady people like to disable ICMP. They close up their boxes every way they can and sometimes end up blocking network by mistake, breaking OS, etc.

  • The bad guys scan for numerous open ports across wide ranges of IPs. Having ping disabled does very little for security. They will "find you" one way or the other.

    Thanked by 1that_guy
  • ezeth Member, Host Rep

    @Shakib said:
    Mostly shady people like to disable ICMP. They close up their boxes every way they can and sometimes end up blocking network by mistake, breaking OS, etc.

    Ah yes, the if you got nothing to hide you got nothing to fear argument

    Thanked by 1dystopia
  • Binary Member, Host Rep

    ICMP is quite a common attack vector nowadays, and is not a highly important protocol.
    Uptime checks can still be done using TCP.

  • mcgree Member
    edited November 2021

    @pri11er said:
    The bad guys scan for numerous open ports across wide ranges of IPs. Having ping disabled does very little for security. They will "find you" one way or the other.

    Disabled all IPv4 inbound, then I use IPv6 to manage the server, and not on the common port, not XXXX::1 IP.

    Almost no one will scan my server. It would probably be safer if @yoursunny gave me an IPv9.

  • yoursunny Member, IPv6 Advocate

    I don't disable ping on my servers.

    You may use the following command to see RTT to a ping-disabled server:

    sudo traceroute -T -p 443 192.0.2.2
    

    This uses TCP SYN packet.
    It needs to target an open TCP port.


    @mcgree said:
    Disabled all IPv4 inbound, then I use IPv6 to manage the server, and not on the common port, not XXXX::1 IP.

    Mentally strong people keep SSH on port 22.
    Those who attempt to brute force SSH password are periodically submitted to Santa Claus for inclusion in the naughty list.

    Thanked by 1lanefu
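
An unprivileged counterpart to the `traceroute -T` command above and to the TCP uptime checks mentioned in this thread, added here as an example (not code from any poster): it times the TCP handshake to a port on a ping-disabled server. The function names `tcp_rtt` and `probe` are made up for this example, and 192.0.2.2 is the documentation address from the post.

```python
import socket
import statistics
import time


def tcp_rtt(host, port, timeout=2.0):
    """Time one TCP handshake; return (state, rtt_ms).
    "open" = SYN/ACK, "closed" = RST (host is up, RTT still valid),
    "filtered" = no reply before the timeout."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "unresolved", None
    family, socktype, proto, _, addr = infos[0]
    with socket.socket(family, socktype, proto) as s:
        s.settimeout(timeout)
        start = time.perf_counter()
        try:
            s.connect(addr)
            state = "open"
        except ConnectionRefusedError:
            state = "closed"
        except socket.timeout:
            return "filtered", None
        except OSError:
            return "unreachable", None
        return state, (time.perf_counter() - start) * 1000.0


def probe(host, port, count=5, interval=0.2, timeout=2.0):
    """Take `count` samples and summarise them like ping's min/avg/max line."""
    samples, states = [], []
    for i in range(count):
        state, rtt = tcp_rtt(host, port, timeout)
        states.append(state)
        if rtt is not None:
            samples.append(rtt)
        if i + 1 < count:
            time.sleep(interval)
    summary = {"sent": count, "answered": len(samples), "states": states}
    if samples:
        summary.update(min_ms=min(samples), avg_ms=statistics.mean(samples),
                       max_ms=max(samples))
    return summary


if __name__ == "__main__":
    # Replace the documentation address with your own server and an allowed port.
    print(probe("192.0.2.2", 443, count=3, timeout=1.0))
```
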
  • Thanks everyone - pretty much sums up my feelings.
    I will only allow ping responses on my public facing storage server (using sshfs) but lock down via iptables to my other vms for ssh access.

  • risharde Patron Provider, Veteran

    @msatt maybe it's a lean thing? I remember back in the days when ping was an actual valid attack because the connections were smaller back then, machines had fewer resources as well. I'm not too sure if you can ping a machine to death any longer - so I'll think of it in terms of whether ping is important for the owner of the server - if it isn't, blocking it is like theoretically blocking an additional unrequired service (maybe?). If I'm however missing some important vulnerability with ping, please educate me but that's what I think. Pretty much all my VMs and servers I own have ping disabled - never needed to disable it on them.

  • LowHosting Member, Host Rep

    @Binary said:
    ICMP is quite a common attack vector nowadays, and is not a highly important protocol.
    Uptime checks can still be done using TCP.

    I confirm, there are benefits to disabling ICMP requests, such as avoiding some types of (DDoS) attacks.
