1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Security Problem - maybe...

Discussion in 'Security' started by nevetS, Mar 8, 2006.

  1. #1
    I found that I was running out of disk space - partially due to a crazy growth in my log files. The log file showed:
    
    SFW2-OUTPUT-ERROR IN= OUT=eth0 SRC=myip DST=212.110.79.74 LEN=1044 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=0 CODE=0 ID=6666 SEQ=0
    
    Code (markup):
    I have no idea what this is, but it took me a while to figure out how to make it stop.

    I added a couple of rules with IPTABLES:
    
    iptables -A OUTPUT -d 212.110.79.74 -j REJECT
    iptables -A OUTPUT -d 210.163.43.1 -j REJECT
    
    Code (markup):
    Honestly, I don't know if this is the best solution, but it seems to have resolved my log file issue at least.

    Thought I'd share if anybody else out there is seeing anything similar.
    SEMrush
     
    nevetS, Mar 8, 2006 IP
    SEMrush
  2. digitalpoint

    digitalpoint Overlord of no one Staff

    Messages:
    38,287
    Likes Received:
    2,602
    Best Answers:
    460
    Trophy Points:
    710
    Digital Goods:
    29
    #2
    Personally, I would just block all ICMP (pings). No need for outside people to be pinging your server.
     
    digitalpoint, Mar 8, 2006 IP
  3. nevetS

    nevetS Evolving Dragon

    Messages:
    2,544
    Likes Received:
    211
    Best Answers:
    0
    Trophy Points:
    135
    #3
    You are right. I don't know why I didn't do that in the first place.
     
    nevetS, Mar 8, 2006 IP
  4. forkqueue

    forkqueue Guest

    Messages:
    401
    Likes Received:
    21
    Best Answers:
    0
    Trophy Points:
    0
    #4
    Blocking all ICMP is a very bad idea. ICMP is used for a lot more that just ping.

    A good example is the ICMP must-fragment packet. If your server is connected with ethernet (which it almost certainly is) and your visitors have an MTU size smaller than 1500 (which they probably do if they're using PPPoA/PPPoE, as most DSL users do), then your site needs to break packets into smaller sizes. Your server gets told this by means of an ICMP must-fragment packet - but if you're dropping all ICMP you'll never be able to fragment it and so users will see broken images and the like.
     
    forkqueue, Mar 8, 2006 IP
    digitalpoint likes this.
  5. digitalpoint

    digitalpoint Overlord of no one Staff

    Messages:
    38,287
    Likes Received:
    2,602
    Best Answers:
    460
    Trophy Points:
    710
    Digital Goods:
    29
    #5
    Agreed... I should have been more specific... I (personally) just disallow icmptype 0 (ping response), which looks like this in the firewall config:

    deny log icmp from any to any in icmptype 0
    Code (markup):
    For reference, you can find the types here:

    http://www.faqs.org/docs/iptables/icmptypes.html
     
    digitalpoint, Mar 8, 2006 IP