Ping is the most commonly used command-line utility used by many sysadmins or network engineers to check whether a target machine is up or down in a given network.
We already discussed how this command works in a separate article; click here to read it. For a quick note, it sends ICMP requests to the target machine and waits for a response. Once the response is received, it’s concluded that the target machine is alive on the network.
This tool is supposed to show the status of a target machine on a given network, but many network intruders or hackers (especially newbies) use it to find active systems on the network to attack.
Now, if you’re worried about security, you can stop accepting ping requests (ICMP echo) from any system on the network by following the steps in this article.
|Description||Disable/Enable Ping Response (ICMP Echo) in Linux|
|Root or Sudo Privileges||Yes|
|OS Compatibility||Ubuntu, Manjaro, Fedora, etc.|
A Note for Readers
Now, before you go ahead and directly block the ping ICMP requests in your Linux system, you need to consider the following points.
- Your system is still discoverable even after you block the ICMP protocol via ARP tables.
- Path MTU discovery and other programs that use this service to find active hosts on the network won’t work right.
- It doesn’t improve your security by removing the ICMP protocol.
- The networking experience might get disturbed after disabling the ICMP protocol.
After considering all the points mentioned above, if you still want to disable the ping ICMP requests, then follow the next section.
Temporarily Disable the Ping ICMP Requests in Linux
You can temporarily turn off the ping ICMP requests if you are connected to an unknown (or unsecure) network for a short time.
Open your terminal emulator and execute the following command as a root user to temporarily ignore or reject all the ping ICMP requests:
$ echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all #Turn Off ICMP Request
Note that the above command will keep ignoring or rejecting all the ping ICMP requests until your system is restarted or the following command is executed:
$ echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all #Turn On ICMP Request
The above are variables in the kernel that you were using to drop all the ping ICMP requests. As these commands require you to be a root user, a normal user with sudo privileges cannot disable the ICMP request.
But if you are a sudo user and you still want to turn off the ping ICMP request, you can execute the following command with sudo permissions.
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1 #Turn Off ICMP Request
Similarly to the previous command, it will keep ignoring or rejecting all the ICMP requests until your system is restarted or the following command is executed:
$ sudo sysctl -w net.ipv4.icmp_echo_ignore_all=0 #Turn On ICMP Request
That’s all you have to do to temporarily disable the ping ICMP requests on your Linux system.
Permanently Disable the Ping ICMP Requests in Linux
There are two separate ways to permanently disable ICMP requests on your Linux system.
- Using the kernel parameters
- Using the Iptables
Let’s see how you can permanently block the ICMP requests by following these two methods. Starting with
1. Blocking Ping ICMP Requests Using the Kernel Parameters in Linux
$ sudo vim /etc/sysctl.conf
Add the following line at the end of this file:
Lastly, execute the following command to reload the configuration changes:
$ sudo sysctl -p
Now, if someone on the network tries to send a ping ICMP request, they will get the following response:
If you want to enable the ping ICMP request, then simply remove the line from the configuration file, reload the changes, and restart your system.
2. Blocking Ping ICMP Requests Using the Iptables in Linux
If you have a little knowledge about Linux or networking, then you might have heard of iptables in Linux, which is used as a firewall to manage incoming and outgoing traffic based on a set of rules.
Using the same iptables, you can set your own rules to disable foreign ping ICMP requests made to your system using the following command:
$ sudo iptables -I INPUT -p icmp --icmp-type echo-request -j DROP
Once the above command is executed and a new set of rules are created in your iptables, all the users who try to ping your system will get the following response:
To enable the ping ICMP requests again, simply execute the following command.
$ sudo iptables -I INPUT -p icmp --icmp-type echo-request -j ACCEPT
Note that the ping ICMP requests can also be blocked via the UFW (Uncomplicated Firewall) or Firewalld in Ubuntu and Red Hat systems, but the above methods will work in both of these systems.
If you want me to include them in the article, then do let me know in the comment section. Also, your questions and queries are welcome.
Till then, peace!