I want to disable ping responses all the time. I use the following command to disable ICMP ping:
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
What should I do to disable TCP ping?
TCP "ping" is just a fancy name for programs, or a method, that (ab)use the TCP protocol to probe whether a port listening on that TCP service number is open.
So, if you are providing a service for the Internet at large, such as a Web/HTTP service, there is no way to block that TCP port in particular from answering if it is listening; otherwise it will break the inner workings of the TCP/IP protocol.
For a service for restricted/your team's use, you can do port knocking to hide it. See "Allow SSH access after port knocking from any source IP" for an example.
What you can do, however, to keep machines from successfully scanning the open/closed state of all your TCP/IP ports, is create rules that only allow incoming connections for your needed services, and DROP the connections to all other TCP ports.
It is important that packets are DROP(ed) and not REJECT(ed). See "Is it better to set -j REJECT or -j DROP in iptables?"
As for ignoring/dropping ICMP ping requests for the server itself, it makes more sense to do it at the kernel level; see "How to Disable Ping Response ( ICMP echo ) in Linux all the time?"
For further details about the TCP protocol, I advise the reference book "TCP/IP Illustrated, the protocols" 2nd edition, Stevens et al. https://en.wikipedia.org/wiki/TCP/IP_Illustrated
P.S. Needless to say, the best security is not having services open to the Internet at large, in the first place.
Properly enforcing DMZ frontend/backend infrastructures and properly planning a network infrastructure go a long way, including security features such as a firewall and enforcing VPN use for remote access.
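The rule set described in the answer above (accept only the needed services, DROP everything else), as an added example that is not part of the original answer. The helper name gen_ruleset and the ports 22 and 443 are constructed for illustration, and the host is assumed not to route traffic for others.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset that accepts new TCP
# connections only on the listed ports and silently drops all other input.
# gen_ruleset is a hypothetical helper; ports 22 and 443 are sample values.

gen_ruleset() {
    # Validate every port before emitting anything.
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
    done

    echo '*filter'
    # Default policy DROP: probes to unlisted ports get no reply at all
    # (no RST, no ICMP error), which is the DROP-not-REJECT point above.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened, and related ICMP errors.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        # --syn: only connection-opening segments are accepted as NEW;
        # stray ACK/FIN/RST segments fall through to the DROP policy.
        echo "-A INPUT -p tcp --syn --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Print the ruleset for the sample services. As root it can be checked
# without loading it:  gen_ruleset 22 443 | iptables-restore --test
gen_ruleset 22 443
```

A listed port still completes the TCP handshake for anyone who sends a SYN, as the answer explains; the ruleset only removes responses from everything that is not listed.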