Disabling ping responses under Linux
Log in to the Linux system as root and edit the file icmp_echo_ignore_all:
vi /proc/sys/net/ipv4/icmp_echo_ignore_all
Changing its value to 1 disables ping replies.
Changing its value to 0 enables ping replies again.
Direct modification prompts an error:
Warning:the file has been changed since reading it!!!
Do you really want to write to it (y/n)? y
"icmp_echo_ignore_all" E667:fsync failed
Hit ENTER or type command to continue
This is because /proc/sys/net/ipv4/icmp_echo_ignore_all is not a real file.
To change its value, echo 0 or 1 into the file
(that is, echo 0 >/proc/sys/net/ipv4/icmp_echo_ignore_all). To make the change permanent, add the line
net.ipv4.icmp_echo_ignore_all=1
to the configuration file /etc/sysctl.conf.
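The two steps above (the runtime echo and the line in /etc/sysctl.conf) can drift apart, so the following added example, which is not part of the original page, reports whether the running value and the persisted value agree. The function names are hypothetical, and the script assumes the files are passed in the order the system applies them and that the kernel default is 0 when nothing is persisted.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
KEY="net.ipv4.icmp_echo_ignore_all"

# Print the last value assigned to $KEY in the given sysctl-style files.
# Skips comments (# or ;), tolerates spaces around "=", a leading "-" and
# the slash spelling net/ipv4/icmp_echo_ignore_all.
persisted_value() {
    [ "$#" -gt 0 ] || return 0
    cat "$@" 2>/dev/null | awk -v key="$KEY" '
        /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/[ \t]/, "", name); sub(/^-/, "", name); gsub(/\//, ".", name)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (name == key) last = val
        }
        END { if (last != "") print last }'
}

# Compare the runtime file with the persisted configuration.
# $1 = runtime file, remaining arguments = configuration files.
icmp_echo_state() {
    runtime_file=$1; shift
    run=$(tr -d ' \t\n' < "$runtime_file")
    conf=$(persisted_value "$@")
    conf=${conf:-0}   # assumption: kernel default is 0 when nothing is persisted
    case "$run/$conf" in
        1/1) echo "ok-blocked" ;;     # ping ignored now and after reboot
        0/0) echo "ok-answering" ;;   # ping answered now and after reboot
        1/0) echo "runtime-only" ;;   # echo 1 was done, but it is lost at reboot
        0/1) echo "boot-only" ;;      # sysctl.conf edited, not applied yet
        *)   echo "unknown" ;;
    esac
}

# On a Linux host this prints the live state; elsewhere it prints nothing.
PROC=/proc/sys/net/ipv4/icmp_echo_ignore_all
[ -r "$PROC" ] && icmp_echo_state "$PROC" /etc/sysctl.conf || true
```

A result of boot-only means the line in /etc/sysctl.conf has not been loaded yet; running sysctl -p as root applies it without a reboot.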
How to prevent my Windows Server from being pinged
When hackers look for targets, most of them use the ping command to detect hosts; if the ping does not go through, lower-level "hackers" will most likely back off. In effect, we can create a false impression: even though we are online, the other side's ping cannot get through, so many attacks are avoided.
Step One: Add the standalone snap-in
Click Start, then Run, and enter mmc to open the console window. Under the Console menu, click Add/Remove Snap-in, click the Add button, select the IP Security Policy Management item in the pop-up window, and click the Add button. In the window that opens, select the local computer as the managed object, click Finish, close the Add/Remove Snap-in window, and return to the main console.
(Figure I)
Step Two: Create an IP Security policy
Right-click the IP Security policy item on the local machine that you just added (Figure II), select Create IP Security Policy, click Next, and enter a policy description, such as "No Ping" (Figure III). Click Next, select the Activate Default response rule option, and then click Next. Now set the authentication method: select the "This string is used to protect the key exchange (preshared key)" option, and then enter an arbitrary string of characters (the same characters are used again below) (Figure IV). When you click Next, you are told that the IP Security policy is complete. Confirm that the Edit properties check box is selected, and click the Finish button to open the policy's Properties dialog box.
(Figure II)
(Figure III)
(Figure IV)
Step Three: Configure the security policy
Click the Add button, and in the Security Rule Wizard that opens, click Next to reach the tunnel endpoint setting, where you select "This rule does not specify a tunnel." (Figure VI) Click Next and select "All network connections" to ensure that no computer can ping this one. Click Next to set the authentication method; as above, select the third option, "This string is used to protect the key exchange (preshared key)", and enter the same string as before. Click Next, and in the window that opens, click the Add button to open the IP Filter List window. (Figure Seven) Click Add, click Next, set the source address to My IP Address, click Next, set the destination address to Any IP Address, click Next, select ICMP as the protocol, then click Finish and Close to return. At this point, you can see the filter you just created in the IP filter list. Select it, click Next, set the filter action to the Require Security option (Figure Eight), and then click Finish and Close to save the settings and return to the admin console.
(Figure V)
(Figure VI)
(Figure Seven)
(Figure Eight)
Step Four: Assign the security policy
Finally, right-click the configured "No Ping" policy under the Console root node and select the Assign command to make the configuration take effect (Figure Nine). With the above settings, when other computers ping this computer, the pings no longer get through. If you ping the local computer from itself, however, it still responds. This method is valid for Windows 2000/XP.
(Figure Nine)
How to prevent others from pinging you
First, use the advanced settings to block ping
By default, all Internet Control Message Protocol (ICMP) options are disabled. If you enable the ICMP option, your network will be visible on the Internet and therefore vulnerable to attack.
If you want to enable ICMP, you must be logged on to the computer as an administrator or as a member of the Administrators group. Right-click My Network Places, select Properties on the shortcut menu to open Network Connections, choose the connection that has Internet Connection Firewall enabled, and open its Properties window. Switch to the Advanced tab and click "Settings" at the bottom so that the Advanced Settings dialog window appears. On the ICMP tab, tick the check box next to each type of request that you want your computer to respond to; to disable a type, clear the check box for that request type.
Second, use a network firewall to block ping
Using a firewall to block ping is the easiest and most effective way to do this, and nowadays basically all firewalls have ICMP filtering enabled by default. Here, Jinshan Net Dart 2003 and Skynet Firewall version 2.50 are used as examples.
For users of Jinshan Net Dart 2003: right-click the Jinshan Net Dart 2003 icon in the system tray, select "Custom IP Rule Editor" under "Utility" in the shortcut menu, select the "Defense ICMP type attack" rule in the window that appears, clear the "Allow others to use the ping command to detect the local machine" rule, then save and apply for the change to take effect.
If you are using Skynet Firewall, click "Custom IP rule" in its main interface, then uncheck the "Prevent others from ping command" rule, tick the "defend ICMP attack" rule, and click "Save/Apply" to make the IP rules take effect.
Third, enable an IP Security policy to block ping
An IP Security (IPSec) policy is used to configure IPSec security services. These policies provide various levels of protection for most communication types in most existing networks. You can configure IPSec policies to meet the security needs of your computer, application, organizational unit, domain, site, or global enterprise. You can use the IP security policy snap-in provided in Windows XP to define IPSec policies for computers in Active Directory (for domain members) or for local computers (for computers that do not belong to a domain).
For example, in Windows XP, open Local Security Policy through Control Panel, Administrative Tools, and choose IP Security Policy, where we can define our own IP Security policies. An IP Security filter consists of two parts: filtering policies and filtering actions. To create a new IP Security filter, you must create your own filtering policies and filtering actions. Right-click the IP security policy on the left side of the window, select "Create IP Security Policy" from the shortcut menu, click Next, and then enter the policy name and policy description. Click Next, select the Activate Default response rule option, and then click Next. Set up the response rule authentication by selecting the "This string is used to protect the key exchange (preshared key)" option, then enter an arbitrary string of characters (which will be used again later). Click Next, and you are told that the IP Security policy is complete. Confirm that the Edit properties check box is selected and click the Finish button; the Properties dialog box opens.
The next step is to configure the new security policy. On the Rules tab of the Goodbye Ping Properties dialog window, click the Add button, and in the Security Rule Wizard that opens, click Next to reach the tunnel endpoint setting, where you select "This rule does not specify a tunnel". Click Next and select all network connections to ensure that no computer can ping this one. Click Next to set the authentication method; as above, select the third option, "This string is used to protect the key exchange (preshared key)", and enter the same string as above. Click Next to open the IP Filter List window and select New IP filter list in the IP filter list. Click Edit on the right, click Add in the window that appears, click Next, set the source address to My IP Address, click Next, set the destination address to Any IP Address, click Next, select ICMP as the protocol type, click Finish and then click OK to return to the window shown in Figure 9. Click Next, select the Require Security option as the filter action, and then click Next, Finish, OK, and Close to save the settings and return to the admin console.
Finally, in Local Security Settings, right-click the configured "Goodbye Ping" policy and select the "Assign" command on the shortcut menu to make the configuration take effect.
After the settings above, when other computers ping this computer, the pings will no longer get through. If you ping the local computer from itself, however, it still responds. The procedure is essentially the same in Windows 2000.
Fourth, modify the TTL value to prevent ping
Many intruders like to use the TTL value to guess the operating system. They first ping your machine: if they see a TTL value of 128, they assume your system is Windows NT/2000; if the TTL value is 32, they assume the target host runs Windows 95/98; and if the TTL value is 255/64, they assume a Unix/Linux operating system. Since the intruder trusts what the TTL value suggests, we can modify the TTL value to deceive the intruder and protect the system. The method is as follows:
Open the Notepad program that comes with Windows and write the batch commands shown below:
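@rem Build changettl.reg, then import it silently.
@rem The first line uses ">" so that a rerun starts a fresh file.
@echo REGEDIT4>changettl.reg
@echo.>>changettl.reg
@echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]>>changettl.reg
@echo "DefaultTTL"=dword:000000ff>>changettl.reg
@REGEDIT /S /C changettl.reg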
Save it as a batch file with a .bat extension and run the file. Your operating system's default TTL value will be changed to ff, that is, decimal 255, so your operating system is artificially made to look like a UNIX system!
"DefaultTTL"=dword:000000ff sets the system default TTL value. If you want your operating system's TTL to match the ICMP echo reply value of some other operating system, change the DefaultTTL value; note that the value is written in hexadecimal (base 16).
How to prevent others from pinging your host (Windows 2000 edition)
My Computer - Control Panel - Administrative Tools - Local Security Policy - IP Security Policy
This is the IP management tool that Windows 2000 provides for us. Here I only explain how to stop others from pinging my host.
There are four steps in total:
1. Create the ping-blocking rule
2. Create the block/allow rule
3. Link the two rules together
4. Assign the policy
In detail:
1. Right-click IP Security Policy - Manage IP filter lists and filter actions - IP filter list - Add: Name: ping; Description: ping; (tick "Use Add Wizard") - Add - Next: specify the source/destination IP and the protocol type (ICMP), then continue until it is complete and close the dialog box.
2. Manage IP filter lists and filter actions - Manage filter actions - Add (tick "Use Add Wizard") - Next: Name: refuse; Description: refuse - Next: Block - Next until it is complete.
3. Right-click IP Security Policy - Create IP Security Policy - Next: Name: Prohibit ping - Next: deactivate the default response rule - Next: select Edit Properties - Finish. Then, in "Prohibit ping Properties", click Add (tick "Use Add Wizard") - Next until "Authentication method"; select the third item and enter the shared string - Next: in the IP filter list, select "ping" - Next: select "refuse" - Next until Finish.
At this point you can see the "Prohibit ping" rule on the right side of "Local Security Settings", but it is not yet in effect.
4. Right-click "Prohibit ping" - Assign.
Now an IP policy that prevents others from pinging your machine is complete.
Find another machine and try pinging your own machine. The result is: Request timed out.
The above is just one small IP filter. You can create other IP policies yourself.