Disable ICMP echo (ping) responses in Linux

Many malicious attacks begin with a ping scan. Ignoring ICMP echo requests keeps your system from being discovered by a ping.


As superuser, add the following lines to /etc/sysctl.conf:

net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_echo_ignore_all = 1

Then run the following command to cause the change to take effect immediately:

sysctl -p

This change will persist following a reboot.
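The two steps above (edit the file, then reload it) are easy to get wrong on a host that already carries a commented-out or conflicting copy of one of these keys. The script below is an added example, not part of the original article: it writes the article's two keys into a sysctl.conf-style file idempotently (updating an existing line instead of appending a duplicate), and shows how to read the live kernel values back from /proc/sys so you can confirm that `sysctl -p` actually applied them. It assumes a POSIX sh with sed, grep and mktemp; the file path is a parameter so it can be exercised against a scratch file without root.

```shell
#!/bin/sh
# Added example (not from the original article). Applies the article's two
# ICMP sysctl keys to a sysctl.conf-style file without creating duplicates,
# and reads the live values back from /proc/sys for verification.
# Assumes POSIX sh, sed -E, grep -E and mktemp.

# Keys exactly as the article lists them.
ICMP_KEYS="net.ipv4.icmp_echo_ignore_broadcasts net.ipv4.icmp_echo_ignore_all"

# set_sysctl_key FILE KEY VALUE
# Rewrite an existing "KEY = ..." line (even a commented-out one) in place,
# or append a new line if the key is absent. Safe to run repeatedly.
set_sysctl_key() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    # Escape the dots in the key so they match literally in the regex.
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${pat}[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        sed -E "s|^[[:space:]]*#?[[:space:]]*${pat}[[:space:]]*=.*|${key} = ${value}|" \
            "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# apply_icmp_ignore FILE
# Write both keys with value 1 into FILE (normally /etc/sysctl.conf).
apply_icmp_ignore() {
    for k in $ICMP_KEYS; do
        set_sysctl_key "$1" "$k" 1
    done
}

# get_sysctl_key FILE KEY
# Print the value configured for KEY in FILE (last active line wins),
# or nothing if the key is absent or only present as a comment.
get_sysctl_key() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -nE "s/^[[:space:]]*${pat}[[:space:]]*=[[:space:]]*([^[:space:]]+).*/\1/p" "$1" | tail -n 1
}

# runtime_icmp_state
# Print "key=value" for each key as the running kernel currently has it.
# Reading /proc/sys needs no privileges; returns 1 if /proc/sys is missing
# (for example inside a minimal container), so callers can tell "not
# applied" from "cannot check".
runtime_icmp_state() {
    for k in $ICMP_KEYS; do
        f="/proc/sys/$(printf '%s' "$k" | tr . /)"
        [ -r "$f" ] || return 1
        printf '%s=%s\n' "$k" "$(cat "$f")"
    done
}

# Real-world use, as root, following the article's procedure (left commented
# so this file can be sourced without touching the system):
#   apply_icmp_ignore /etc/sysctl.conf && sysctl -p && runtime_icmp_state
```

After `sysctl -p`, every line printed by `runtime_icmp_state` should end in `=1`; a `0` there means a later drop-in under /etc/sysctl.d/ or a sysctl call at boot is overriding the file, which is the usual reason the article's change appears not to work.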


About Quinn McHenry

Quinn was one of the original co-founders of Tech-Recipes. He is currently crafting iOS applications as a senior developer at Small Planet Digital in Brooklyn, New York.

The Conversation


  • Wytch

    /etc/sysctl.conf is not working man

  • Aram Iskenderian

    No disrespect intended towards the author of this article or the site in general, but I am sorry to say this: this is absolutely not a smart thing to do, bad advice.

    If your server does not respond to ping there is no way you will be able to monitor it and tell if it is up and responding.

    This is also worthless since a simple port scan is all it takes. If the port is open, then disabling ICMP echo/responding to ping is really not a security measure. Running a simple `telnet address port` will tell the other side if the port is open, or even better, any person who is really looking to attack your server will simply issue a simple nmap scan:

    nmap -sS -A -v [hostname or IP]

    This will not only list the open ports but will also list lots of other information about the target system, including the OS fingerprint.

    Instead, use iptables, and combine that with /etc/hosts.deny or more automated/intelligent blocking like fail2ban, SSHGuard or Denyhosts for that matter.

    Keep a close eye on your server, harden the security, enable logwatch, install an IDS package like Snort or others, etc.

    • Guillermo Simeon

      Aram is so right…