
I have a Linux system which has a number of services disabled (for example, telnet). When a telnet client attempts a connection, the system responds with an ICMP "Destination Unreachable". Is there a way, short of modifying the Linux network stack, to disable this behavior?

Dave
    Do not do this. – Zoredache May 31 '13 at 00:37
  • If it is from @Zoredache, then you should consider it helpful. – Mircea Vutcovici May 31 '13 at 01:08
  • As an aside, Windows XP SP2 doesn't send these responses at all. I don't see why it's such a sin. – Dave May 31 '13 at 01:10
  • The fact that you ask this kind of question and you do not know how to use a firewall to filter them shows your lack of knowledge. Your question should be "What are the reasons to filer or not ICMP destination unreachable?" – Mircea Vutcovici May 31 '13 at 01:30
  • 3
    @Dave The [faq] states that you should ask questions about problems that you are facing. What problem is disabling this ICMP reply going to solve for you? What benefit is it going to bring? If it's "just to see what will happen" you're on the wrong site. If there's a real problem you think it will solve, you should tell us so that we can evaluate the problem as a whole and possibly provide an alternative solution. Rarely is "drop ICMP" the right answer. – MDMarra May 31 '13 at 01:31
  • You are right that I lack knowledge in how to configure the firewall in Linux. If there's a way to do this with the firewall, then please tell me. I don't want the community to tell me what will or won't happen because of this--that's the job that I'm trying to accomplish by disabling the responses. Is there a different stackexchange community site that I should post the question to? – Dave May 31 '13 at 01:34
  • 2
    You still haven't answered the question of "what problem are you trying to solve by doing this?" But, if you must be difficult and evasive, try Super User or Unix & Linux. Just make sure to read their faq first. – MDMarra May 31 '13 at 01:36
  • I've found what's probably one of many ways of doing this: iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP – Dave May 31 '13 at 01:38
  • 1
    @Zoredache Why not? I not on cisco devices you can turn this on and off. It is supposed to be for increased security as in it's harder to get information about your network? I need to implement the ability to turn this on and off on a switch atm. – Paul Jun 04 '13 at 10:24
  • Same question to you @MDMarra I meant "I know on cisco devices" – Paul Jun 04 '13 at 10:30
  • ICMP is used for things like MTU path discovery and is also used in things like AD for slow-link detection. It was not meant to be blocked. What does ICMP reveal that banner grabbing doesn't? I've never heard a compelling argument for blocking ICMP for security reasons. – MDMarra Jun 04 '13 at 10:39
  • @MDMarra I am not sure why it is supposed to increase security, I only know that cisco recommends it for increased security, why? And that clients are asking my company for the feature, I want to know why myself. I asked about it here: http://serverfault.com/questions/513067/reasons-to-turn-off-on-unreachables-messages – Paul Jun 04 '13 at 10:48
  • @Paul that's my point exactly. Some people blindly recommend it (though I've never seen Cisco recommend it). The people that say "Block ping!!" never seem to know that there's more to ICMP than just ping and they don't understand how it impacts the big picture. If you're asking me how it increases security, my answer is that it doesn't. – MDMarra Jun 04 '13 at 10:54
  • I see, I wonder why cisco recommends it in all their router/switch documentation. They say best practice is to enable this so PMTU works but to disable it for increased security. Online I see this: An attacker could gather information about your network when scanning it, like unused IPs and networks. When working with (interface-) Access-Lists, a deny statement triggers an ICMP Type 3 Code 9/10 message (Network/Host is Administratively Prohibited). When disabling ICMP unreachables on the interface where the ACL is applied, the deny statement acts like a ‘drop’ and does not reply. – Paul Jun 04 '13 at 11:04

1 Answer

4

The destination unreachable ICMP packet is a standard Internet control message which indicates that there is no service available on that port. There's generally no reason to disable it (and you didn't give one).

But if you really want to disable it, you can just change your firewall rules to drop packets rather than rejecting them. (Wait, you are firewalled, right?)

Michael Hampton
  • Do you mean that I can configure the firewall to drop the ICMP responses? Or configure it to drop the inbound telnet packets? – Dave May 31 '13 at 01:01
  • 2
    You can do either, but it's most common to drop inbound traffic which you don't intend to explicitly allow. – Michael Hampton May 31 '13 at 01:02
  • Do you know how to configure the firewall on Linux to drop the ICMP responses? I've already disabled ICMP echo responses via "echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_all" but this doesn't go far enough as it doesn't disable the ICMP Destination Unreachable responses (hence my original question). – Dave May 31 '13 at 01:05
  • 3
    Again, you **really should not do this** without an **especially good reason**. – Michael Hampton May 31 '13 at 01:05
  • This is for a task on a physically isolated network with a particular set of goals in mind. This won't affect any other network. – Dave May 31 '13 at 01:07
  • As an aside, Windows XP SP2 doesn't send these responses at all. I don't see why it's such a sin. – Dave May 31 '13 at 01:10
  • Nobody has given me a good reason for not doing this other than "don't do this." – Dave May 31 '13 at 01:15
  • 1
    Using a deprecated buggy version of a 10 year old OS is generally not a compelling argument. – Joel E Salas May 31 '13 at 01:17
  • 1
    Probably because no one wants to give you a lecture on the purpose of ICMP and how dropping it doesn't make anything more secure. It's a long lecture to give, after all, and the IETF have it all published in RFCs anyway. – MDMarra May 31 '13 at 01:18
  • That is not helpful. – Dave May 31 '13 at 01:18
  • I'm not looking to improve security. – Dave May 31 '13 at 01:18
  • 2
    Then what do you have to gain? Why are you doing it? – MDMarra May 31 '13 at 01:19
  • 1
    It seems that the serverfault community is more interested in a flamewar than providing concise technical answers. When I figure out how to do it, I'll post the answer here. – Dave May 31 '13 at 01:24
  • 1
    No, we're **professionals**, and that means doing it right. You seem to be stuck on **doing it wrong**, and that is the cause of the problem here. – Michael Hampton May 31 '13 at 01:25
  • Can you tell me how to accomplish this using iptables? – Dave May 31 '13 at 01:27
  • @MichaelHampton Why not turn it off? On cisco devices you can turn this on and off. It is supposed to be for increased security as in it's harder to get information about your network? I need to implement the ability to turn this on and off on a switch for my company so I am learning about it. – Paul Jun 04 '13 at 10:31
  • @Paul Just plain disabling ICMP across the board is security theater. It gains you absolutely nothing, and breaks the Internet. So you lose twice. – Michael Hampton Jun 04 '13 at 14:11
  • @MichaelHampton Yeah I can see it's not wise, I did see they say to turn it off in a CCSP book. I know you should leave it on but I have to implement turning it off now :/ – Paul Jun 05 '13 at 10:51
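The following is an added example and not code from the question, the answer or any commenter. It spells out the choice the answer describes (DROP instead of REJECT for an unwanted service, telnet on tcp/23 assumed here), shows a narrower form of the OUTPUT rule Dave posted in the question comments (matching only ICMP type 3 code 3 rather than every destination-unreachable code, so the fragmentation-needed messages that path MTU discovery relies on are left alone), and adds a small audit that counts which rules in an iptables-save dump would still answer with an ICMP unreachable. The sample dump is constructed for the example; the rule_* functions print the iptables commands instead of running them so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the Server Fault thread. Telnet (tcp/23) is assumed
# as the disabled service. Each rule_* function prints an iptables command
# rather than executing it; pipe a line into "sh" as root to apply it.

# REJECT answers each blocked SYN with ICMP type 3 code 3 (port unreachable)
# unless told otherwise; that is the message the question is about.
rule_reject() {
    printf 'iptables -A INPUT -p tcp --dport %s -j REJECT --reject-with icmp-port-unreachable\n' "$1"
}

# DROP discards the packet silently: no ICMP, no RST; the client just times out.
rule_drop() {
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$1"
}

# TCP-only middle ground: answer with a RST, as a closed port without a
# firewall would. No ICMP is sent and the client fails fast instead of hanging.
rule_tcp_reset() {
    printf 'iptables -A INPUT -p tcp --dport %s -j REJECT --reject-with tcp-reset\n' "$1"
}

# Filtering on the way out, as in the question comments, but matching only
# type 3 code 3. "--icmp-type destination-unreachable" would match every
# type 3 message, including code 4 (fragmentation needed), which path MTU
# discovery depends on.
rule_drop_outbound_port_unreachable() {
    printf 'iptables -A OUTPUT -p icmp --icmp-type port-unreachable -j DROP\n'
}

# Count the rules in iptables-save output (read on stdin) that would reply
# with an ICMP unreachable: every REJECT whose --reject-with is not tcp-reset
# (a REJECT with no --reject-with at all defaults to icmp-port-unreachable).
count_icmp_rejects() {
    awk '/-j REJECT/ && !/--reject-with tcp-reset/ { n++ } END { print n + 0 }'
}

# Constructed sample in iptables-save format; not taken from any real system.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 23 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j REJECT --reject-with tcp-reset
-A INPUT -p udp --dport 69 -j REJECT
-A INPUT -p tcp --dport 25 -j DROP
COMMIT'

# Usage: print the variants for telnet, then audit the sample dump.
rule_reject 23
rule_drop 23
rule_tcp_reset 23
rule_drop_outbound_port_unreachable
printf '%s\n' "$SAMPLE_RULES" | count_icmp_rejects   # 2
```

On a host whose telnet service is already disabled, `rule_drop 23 | sh` as root gives the silent behaviour the question asks for without touching ICMP as a whole; running `iptables-save | count_icmp_rejects` afterwards shows how many REJECT rules remain that would still send an unreachable. The tcp-reset variant is worth knowing about when the goal is simply "no ICMP" rather than "no answer at all", since a RST is exactly what a closed port produces on an unfirewalled host.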