Disable ping command in LINUX
Log in to the Linux system as root, and then edit the file icmp_echo_ignore_all:
vi /proc/sys/net/ipv4/icmp_echo_ignore_all
Change the value to 1 to disable ping (the kernel then ignores all ICMP echo requests).
Change the value to 0 to enable ping again.
If you edit the file directly in vi, an error is reported when you save it:
WARNING: The file has been changed since reading it!!!
Do you really want to write to it (y/n)?y
"icmp_echo_ignore_all" E667: Fsync failed
Hit ENTER or type command to continue
This is because /proc/sys/net/ipv4/icmp_echo_ignore_all is not a real file.
To modify the value, echo 0 or 1 into the file instead:
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
To make the change permanent, add the line
net.ipv4.icmp_echo_ignore_all = 1
to the configuration file /etc/sysctl.conf.
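The runtime and permanent steps above, written as an idempotent script. This is an added example, not part of the original article; the function names and the optional path arguments (used so the functions can be tried on scratch files) are assumptions.

```shell
#!/bin/sh
# Added example. Each function takes the target path as an optional argument;
# the defaults are the real locations named in the article.
KEY="net.ipv4.icmp_echo_ignore_all"

# set_runtime VALUE [PROCFILE]: write 0 or 1 with a plain redirect (no editor,
# so no fsync on the virtual file) and read the value back to confirm it.
set_runtime() {
    val=$1; procfile=${2:-/proc/sys/net/ipv4/icmp_echo_ignore_all}
    case $val in 0|1) ;; *) echo "value must be 0 or 1" >&2; return 2 ;; esac
    echo "$val" > "$procfile" || return 1
    [ "$(cat "$procfile")" = "$val" ]
}

# set_persistent VALUE [CONF]: leave exactly one active line for KEY in CONF.
# An existing setting (any spacing) is replaced instead of being duplicated,
# so running the function twice does not grow the file.
set_persistent() {
    val=$1; conf=${2:-/etc/sysctl.conf}
    case $val in 0|1) ;; *) echo "value must be 0 or 1" >&2; return 2 ;; esac
    tmp=$(mktemp) || return 1
    # Copy every line except earlier settings of the key; grep exits 1 when
    # nothing is left to print, which is not an error here.
    grep -Ev "^[[:space:]]*net\.ipv4\.icmp_echo_ignore_all[[:space:]]*=" "$conf" > "$tmp" || true
    echo "$KEY = $val" >> "$tmp"
    # Overwrite in place so the owner and mode of CONF are preserved.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# persisted_value [CONF]: print the value that will be applied at boot
# (the last active setting wins), or nothing if the key is not set.
persisted_value() {
    conf=${1:-/etc/sysctl.conf}
    sed -n "s/^[[:space:]]*net\.ipv4\.icmp_echo_ignore_all[[:space:]]*=[[:space:]]*\([01]\).*/\1/p" "$conf" | tail -n 1
}
```

As root, `set_runtime 1 && set_persistent 1` applies both steps; `sysctl -p` reloads /etc/sysctl.conf without a reboot.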
How to disable PING to my WINDOWS Server
Before intruding into a target, most attackers use the Ping command to probe the host. If the ping fails, most low-skilled "hackers" give up. In fact, we can create a false impression: even when the machine is online, it does not answer the other party's pings, which avoids many attacks.
Step 1: Add a standalone snap-in
Click Start, then Run, and enter mmc to open the "Console" window. Under the "Console" menu, click "Add/Remove Snap-in", click "Add", select "IP Security Policy Management" in the window that appears, and click "Add". In the next window, select "Local computer" as the object to manage, click "Finish", close the "Add/Remove Snap-in" window, and return to the console.
Step 2: Create an IP security policy
Right-click the newly added "IP Security Policies on Local Machine", select "Create IP Security Policy", click "Next", and enter a policy name and description, for example "no Ping". Click "Next", select "Activate the default response rule", and click "Next". Now set the authentication method: select the "Use this string to protect the key exchange (preshared key)" option and enter some characters (the same characters are used again below). Click "Next". A message indicates that the IP security policy has been completed. Confirm that the "Edit properties" check box is selected and click "Finish". The "Properties" dialog box opens.
Step 3: Configure security policies
Click the "Add" button, and click "Next" in the Security Rule Wizard that opens to configure the tunnel endpoint. Here, select "This rule does not specify a tunnel". Click "Next" and select "All network connections" to ensure that no computer can ping this one. Click "Next", set the authentication method, select the third option "Use this string to protect the key exchange (preshared key)", and enter the same content as before. Click "Next". In the window that appears, click "Add" to open the "IP Filter List" window. Click "Add", click "Next", set the source address to "My IP Address", click "Next", set the destination address to "Any IP Address", click "Next", select ICMP as the protocol, and click "Finish" and "Close" to return. You can now see the newly created filter in the IP filter list. Select it, click "Next", choose "Require Security" as the filter action, then click "Finish" and "Close" to save the settings and return to the management console.
Step 4: Assign security policies
Finally, right-click the configured "no Ping" policy under the "Console Root" node and select the "Assign" command to make the configuration take effect. After these settings, other computers that ping this computer no longer get a reply. However, if you ping the local computer from itself, it still answers. This method is effective for Windows 2000/XP.
How to prevent others from pinging
1. Use advanced settings to prevent Ping
By default, all Internet Control Message Protocol (ICMP) options are disabled. If you enable the ICMP options, your network is visible on the Internet and therefore vulnerable to attacks.
To enable ICMP, you must log on to your computer as an administrator or as a member of the Administrators group. Right-click "My Network Places" and select "Properties" from the shortcut menu to open "Network Connections". Select a connection that has the Internet Connection Firewall enabled, open its properties window, switch to the "Advanced" tab, and click "Settings" at the bottom. The "Advanced Settings" dialog appears. On the "ICMP" tab, select the types of request your computer should respond to. A selected check box means that type of request is enabled; to disable a type of request, clear the corresponding check box.
2. Use a network firewall to block Ping
Using a firewall to block Ping is the simplest and most effective method. Nowadays, basically all firewalls enable ICMP filtering by default. Here, Kingsoft Network Firewall 2003 and Skynet firewall 2.50 are used as examples.
If you use Kingsoft Network Firewall 2003, right-click the Kingsoft Network Firewall 2003 icon in the system tray and select "custom IP rule editor" in the shortcut menu that appears. In the window that opens, select the "anti-ICMP attack" rule and clear the "allow others to use the ping command to detect the local machine" rule. After you save and apply, the rules take effect.
If you use Skynet firewall, click "custom IP rules" on its main interface, do not select the "prevent others from using ping command detection" rule, select the "defend against ICMP attacks" rule, and click "save/apply" to make the IP rules take effect.
3. Enable an IP Security Policy to block Ping
IP Security policies are used to configure IPSec security services. These policies provide various levels of protection for most types of traffic in most existing networks. You can configure an IPSec policy to meet the security needs of your computer, application, organization, domain, site, or global enterprise. You can use the "IP Security Policy" snap-in provided in Windows XP to define IPSec policies for computers in Active Directory (for domain members) or for local computers (for computers not in a domain).
Take Windows XP as an example. Go to "Control Panel", then "Administrative Tools", open "Local Security Policy", and select IP security policies. Here we can define our own IP security policies. An IP security filter consists of two parts: a filter policy and a filter action. To create an IP security filter, you must create your own filter policy and filter action. Right-click "IP Security Policies on Local Machine" on the left side of the window, select "Create IP Security Policy" in the shortcut menu that appears, click "Next", and enter the policy name and policy description. Click "Next", select "Activate the default response rule", and click "Next". Now set the authentication method of the response rule: select the "Use this string to protect the key exchange (preshared key)" option and enter some characters (these characters will be used again later), then click "Next". A message indicates that the IP security policy has been completed. Confirm that the "Edit properties" check box is selected and click "Finish". The "Properties" dialog box opens.
Next, configure the new security policy. On the "Rules" tab of the "Goodbye Ping Properties" dialog box, click the "Add" button, and click "Next" in the Security Rule Wizard that opens. For the tunnel endpoint, select "This rule does not specify a tunnel". Click "Next" and select "All network connections" to ensure that no computer can ping this one. Click "Next", set the authentication method, select the third option "Use this string to protect the key exchange (preshared key)", and enter the same content as above. Click "Next" to open the "IP Filter List" window, select "New IP Filter List" in "IP filter lists", and click "Edit" on the right. In the window that appears, click "Add", click "Next", set "Source address" to "My IP Address", click "Next", set "Destination address" to "Any IP Address", click "Next", select ICMP as the protocol type, click "Finish", and click "OK" to return to the previous window. Click "Next", choose the "Require Security" option as the filter action, then click "Next", "Finish", "OK", and "Close" to save the settings and return to the management console.
Finally, in "Local Security Settings", right-click the configured "Goodbye Ping" policy and select the "Assign" command in the shortcut menu to make the configuration take effect.
After these settings, pings to the computer no longer succeed. However, if you ping the local computer from itself, it still answers. In Windows 2000, the operations are basically the same.
4. Modify the TTL value to prevent Ping
Many intruders like to use the TTL value to determine the operating system. They first ping your host: if the TTL value is 128, they assume your system is Windows NT/2000; if it is 32, they assume Windows 95/98; if it is 255 or 64, they assume a UNIX/Linux operating system. Since intruders trust the result suggested by the TTL value, we can modify the TTL value to mislead them and protect the system. The method is as follows:
Open the "Notepad" program in Windows and write the following batch commands:
@echo REGEDIT4> ChangeTTL.reg
@echo.>> ChangeTTL.reg
@echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters]>> ChangeTTL.reg
@echo "DefaultTTL"=dword:000000ff>> ChangeTTL.reg
@REGEDIT /S /C ChangeTTL.reg
Save the text as a batch file with the .bat extension and double-click it. The default TTL value of your operating system is changed to ff, that is, 255 in decimal. In other words, your operating system now looks like a UNIX system!
"DefaultTTL"=dword:000000ff sets the default TTL value of the system. If you want your operating system to use the TTL value that another operating system uses in its ICMP echo replies, change the DefaultTTL value accordingly. Note that the value is written in hexadecimal.
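To check what a ping reply from your own host suggests before and after the DefaultTTL change, the TTL guess described above can be reproduced. This is an added example, not part of the original article; the function names and the sample reply lines are constructed. It also shows the step the text leaves out: each router on the path subtracts one from the TTL, so the observed value is rounded up to the nearest common starting value.

```shell
#!/bin/sh
# Added example. initial_ttl N: round an observed TTL up to the nearest common
# starting value (32, 64, 128, 255); every router on the path subtracts one.
initial_ttl() {
    t=$1
    case $t in ''|*[!0-9]*) return 2 ;; esac
    if [ "$t" -le 0 ] || [ "$t" -gt 255 ]; then return 2; fi
    for start in 32 64 128 255; do
        if [ "$t" -le "$start" ]; then echo "$start"; return 0; fi
    done
}

# os_guess N: the naive TTL-to-OS mapping described in the article.
os_guess() {
    case $1 in
        32)     echo "Windows 95/98" ;;
        128)    echo "Windows NT/2000" ;;
        64|255) echo "UNIX/Linux" ;;
        *)      echo "unknown" ;;
    esac
}

# analyse_reply LINE: extract ttl=N from one line of ping output (Windows
# prints "TTL=", Linux prints "ttl=") and print "observed initial hops guess".
# Returns 1 for lines without a TTL, such as "Request timed out."
analyse_reply() {
    obs=$(printf '%s\n' "$1" | sed -n 's/.*[Tt][Tt][Ll]=\([0-9][0-9]*\).*/\1/p')
    [ -n "$obs" ] || return 1
    init=$(initial_ttl "$obs") || return 1
    echo "$obs $init $((init - obs)) $(os_guess "$init")"
}

# Constructed sample replies (documentation address): the same Windows host,
# seven hops away, before and after DefaultTTL is set to ff.
for line in \
    "Reply from 192.0.2.10: bytes=32 time=12ms TTL=121" \
    "Reply from 192.0.2.10: bytes=32 time=12ms TTL=248"; do
    analyse_reply "$line"
done
```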
How to prevent others from pinging your host (Windows 2000 built-in)
My Computer - Control Panel - Administrative Tools - Local Security Policy - IP security policies
This is the IP management and configuration tool that comes with Windows 2000. Here I will only talk about how to prevent others from pinging my host.
There are four steps:
1. Create a ping rule
2. Create a block/allow rule
3. Associate these two rules
4. Assign
Details:
1. Right-click IP security policies - Manage IP filter lists and filter actions - IP filter lists - Add. Name: ping; description: ping (check "Use Add Wizard") - Add - Next: specify the source/destination IP addresses and the protocol type (ICMP), then click Next until finished. Close this dialog box.
2. Manage IP filter lists and filter actions - Manage filter actions - Add (check "Use Add Wizard") - Next. Name: refuse; description: refuse - Next: Block - Next until finished.
3. Right-click IP security policies - Create IP security policy - Next. Name: disable ping - Next: clear "Activate the default response rule" - Next: select "Edit properties". Then, in the "disable ping Properties" dialog, click "Add" (check "Use Add Wizard") and click Next until you reach "Authentication method". Select the third item and enter the shared string - Next: in the IP filter list, select "ping" - Next: select "refuse" - Next until finished.
The "disable ping" rule now appears on the right side of "Local Security Settings", but it does not take effect yet.
4. Right-click "disable ping" - Assign.
With this, an IP policy that prevents others from pinging your machine is complete.
Go ahead and try it from another machine: pinging your machine no longer works and reports "Request timed out".
The above is just one small IP filter. You can create other IP policies by yourself.
From: Life, drips and drips ......