On this post we will learn how to allow / deny ping on Linux servers, this is useful for both plain CentOS / Ubuntu servers running CSF Firewall, as well as cPanel based servers. But first, let’s learn what is ICMP after all.
What is ICMP?
ICMP means Internet Control Message Protocol, it is an important part of the part of the internet protocol suite because it is widely used by millions of networks around the globe day by day.
Servers, computers, network devices such as routers, gateways and more use the ICMP protocol to indicate the state of the network on the host where it is running. If enabled, ICMP will report if the host is down or unreacheable for some reason.
Lot of internet connection diagnosis tools like ping and traceroute use ICMP to detect network failures on remote servers.
How can I allow / deny ping on Linux if I’m using CSF firewall?
If you are using CSF firewall on a plain server (like CentOS, RHEL, Ubuntu or Debian), you can always edit the csf.conf main configuration file. Let’s see an example:
nano -w /etc/csf/csf.conf
Now look for this variable: “ICMP_IN” and set it to “0”, as you see below:
ICMP_IN = "0"
Once you are done, restart CSF firewall to apply changes:
Enable / Disable PING (ICMP) using CSF WHM interface
If you are using cPanel on your server the CSF Firewall ICMP configuration can be altered from WHM control panel from:
WHM » Plugins » ConfigServer Security & Firewall
Now edit the configuration file from ‘Firewall Configuration’ button, as you see below:
Search for “ICMP_IN” variable, and set it to Off, as you see below:
Save and restart by hitting “Change” button at the bottom of the page. After that, click “Restart csf + lfd” button to apply the changes.
While ping can not be a direct factor of system vulnerability, it allows a remote attacker to know when your server has network response again using the ICMP protocol. The best solution to prevent this is simply enabling ICMP but only for the whitelists hosts we have inside the csf.allow and csf.ignore files.