Allow / deny ping on Linux server using CSF Firewall

In this post we will learn how to allow / deny ping on Linux servers. This is useful both for plain CentOS / Ubuntu servers running CSF Firewall and for cPanel-based servers. But first, let’s look at what ICMP is.

What is ICMP?

ICMP stands for Internet Control Message Protocol. It is an important part of the internet protocol suite and is used every day by millions of networks around the globe.

Servers, computers and network devices such as routers and gateways use the ICMP protocol to indicate the state of the network on the host where it is running. If enabled, ICMP will report if the host is down or unreachable for some reason.

Many internet connection diagnostic tools, such as ping and traceroute, use ICMP to detect network failures on remote servers.

How can I allow / deny ping on Linux if I’m using CSF firewall?

If you are using CSF firewall on a plain server (like CentOS, RHEL, Ubuntu or Debian), you can always edit the csf.conf main configuration file. Let’s see an example:

nano -w /etc/csf/csf.conf

Now look for the “ICMP_IN” variable and set it to “0” to deny incoming ping (“1” allows it), as you see below:

ICMP_IN = "0"
Fig. 01. ICMP_IN configuration on CSF firewall

Once you are done, restart CSF firewall to apply changes:

csf -r
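
The three steps above can be scripted so that the edit is backed up and verified before CSF is restarted. This is an added example, not code from the original post or from the CSF project; the function names and the sample config excerpt (including its ICMP_IN_RATE line) are constructed for illustration, and it assumes ICMP_IN takes the values "0" (deny) and "1" (allow).

```bash
#!/usr/bin/env bash
# Added example (not CSF's own tooling): set ICMP_IN in a csf.conf-style file.

# Print the current ICMP_IN value (empty if the setting is missing).
get_icmp_in() {
    sed -n 's/^[[:space:]]*ICMP_IN[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# set_icmp_in FILE VALUE   (VALUE: 0 = deny incoming ping, 1 = allow it)
# Returns 0 = changed, 2 = already set (file untouched), 1 = error.
set_icmp_in() {
    conf=$1 want=$2
    case $want in
        0|1) ;;
        *) echo "ICMP_IN must be 0 or 1" >&2; return 1 ;;
    esac
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    current=$(get_icmp_in "$conf")
    [ -n "$current" ] || { echo "ICMP_IN not found in $conf" >&2; return 1; }
    [ "$current" != "$want" ] || return 2
    cp -p "$conf" "$conf.bak" || return 1          # keep a rollback copy
    # Rewrite only the active ICMP_IN line; commented lines and ICMP_IN_RATE are left alone.
    sed "s/^\([[:space:]]*ICMP_IN[[:space:]]*=[[:space:]]*\)\"[^\"]*\"/\1\"$want\"/" \
        "$conf.bak" > "$conf" || return 1
    [ "$(get_icmp_in "$conf")" = "$want" ]         # verify before any restart
}

# Constructed csf.conf excerpt for a dry run (not a full real config).
write_sample_conf() {
    cat > "$1" <<'EOF'
# ICMP_IN = "0"
ICMP_IN = "1"
ICMP_IN_RATE = "1/s"
EOF
}

if [ "$#" -eq 2 ]; then                 # e.g. bash icmp_in.sh /etc/csf/csf.conf 0
    set_icmp_in "$1" "$2" && csf -r     # restart CSF only after a verified change
else                                    # no arguments: dry run on the sample
    tmp=$(mktemp) && write_sample_conf "$tmp"
    set_icmp_in "$tmp" 0 && cat "$tmp"
    rm -f "$tmp" "$tmp.bak"
fi
```

If the verification fails, the previous configuration is still available as csf.conf.bak and CSF is not restarted.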

Enable / Disable PING (ICMP) using CSF WHM interface

If you are using cPanel on your server, the CSF Firewall ICMP configuration can be changed from the WHM control panel at:

WHM » Plugins » ConfigServer Security & Firewall

Now edit the configuration file using the ‘Firewall Configuration’ button, as you see below:

Fig. 02. Firewall Configuration – CSF Firewall on WHM

Search for the “ICMP_IN” variable and set it to Off, as you see below:

Fig. 03. Allow / deny ping on Linux is easy if you use CSF Firewall interface on WHM altering the ICMP_IN variable

Save your changes by hitting the “Change” button at the bottom of the page. After that, click the “Restart csf + lfd” button to apply the changes.

Conclusion

While ping is not in itself a direct factor of system vulnerability, it allows a remote attacker to know, using the ICMP protocol, when your server is responding on the network again. The best solution to prevent this is simply to enable ICMP only for the whitelisted hosts we have inside the csf.allow and csf.ignore files.


About the Author: Martin Keler
