Stopping ICMP timestamp-request/response for CentOS Server
Published December 4th, 2008

Problem Statement
If you have PCI DSS compliance requirements for your Web server doing ecommerce, you probably have a third-party scanner that checks your security compliance. In that case you might already be aware that having ICMP timestamp-request and timestamp-response enabled is not good. These ICMP packet types allow a potential intruder to calculate your server's local time and possibly also fingerprint your operating system. It is a good idea to disable these packets. Here we will show you how.
Disabling ICMP timestamp-request and timestamp-response requests
To disable these ICMP packet types, you can add the following two iptables firewall rules to your /etc/sysconfig/iptables file:
-A RH-Firewall-1-INPUT -p ICMP --icmp-type timestamp-request -j DROP
-A RH-Firewall-1-INPUT -p ICMP --icmp-type timestamp-reply -j DROP
Then restart the iptables service with service iptables restart and list the active rules with iptables -L -n; you should see two lines as shown below:
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 13
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 14
These rules tell CentOS to drop the ICMP timestamp packets (ICMP type 13 is timestamp-request, type 14 is timestamp-reply).
Disabling ICMP echo requests
If you would rather have your server not reply to ordinary ping (ICMP echo) requests at all, you can disable them by adding the following line to your /etc/rc.local script:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
You should also run the above command immediately to disable ping right away.
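As an added example (not part of the original post), the following POSIX shell script audits the two controls described above. The function names, the "audit" argument and the default chain name RH-Firewall-1-INPUT are my own assumptions; every check takes its input as a parameter, so it can be run offline against a saved iptables -L -n listing or a copied proc file, or live on the server.

```shell
#!/bin/sh
# Added example, not from the original post: audit the two ICMP controls the
# post describes (timestamp DROP rules and icmp_echo_ignore_all). Each check
# takes its input as a parameter so it can be run offline or live.

# Print the two rule lines the post adds to /etc/sysconfig/iptables.
# The chain name defaults to the CentOS 5 default; pass another if yours differs.
timestamp_drop_rules() {
    chain="${1:-RH-Firewall-1-INPUT}"
    printf -- '-A %s -p icmp --icmp-type timestamp-request -j DROP\n' "$chain"
    printf -- '-A %s -p icmp --icmp-type timestamp-reply -j DROP\n' "$chain"
}

# Return 0 if an "iptables -L -n" listing (passed as one string) contains DROP
# rules for ICMP type 13 (timestamp-request) and type 14 (timestamp-reply).
# Both the "icmp type 13" spelling shown in the post and the "icmptype 13"
# spelling printed by newer iptables builds are accepted.
timestamp_rules_present() {
    listing="$1"
    printf '%s\n' "$listing" | grep -Eq '^DROP +icmp +.*icmp ?type 13( |$)' || return 1
    printf '%s\n' "$listing" | grep -Eq '^DROP +icmp +.*icmp ?type 14( |$)' || return 1
}

# Return 0 if the sysctl file at $1 reads 1, 1 if it reads anything else and
# 2 if it cannot be read. Normally $1 is /proc/sys/net/ipv4/icmp_echo_ignore_all.
echo_ignore_enabled() {
    [ -r "$1" ] || return 2
    [ "$(cat "$1")" = "1" ]
}

# Live audit: run both checks against the running system. Needs root for
# iptables; prints one line per control and returns 0 only if the timestamp
# rules are in place (echo ignoring is optional, so it is reported as INFO).
audit_system() {
    rc=0
    if listing="$(iptables -L -n 2>/dev/null)" && timestamp_rules_present "$listing"; then
        echo "OK   ICMP timestamp-request/reply are dropped"
    else
        echo "FAIL ICMP timestamp rules missing (or iptables not readable)"
        rc=1
    fi
    if echo_ignore_enabled /proc/sys/net/ipv4/icmp_echo_ignore_all; then
        echo "OK   ICMP echo requests are ignored"
    else
        echo "INFO ICMP echo requests are still answered (optional control)"
    fi
    return "$rc"
}

# Run the live audit only when invoked as: sh icmp_audit.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_system
fi
```

Running sh icmp_audit.sh audit as root after the steps above should print OK for the timestamp rules; a FAIL line means the rules were not loaded (for example the file was edited but the service not restarted), which is exactly what a PCI scanner would flag.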
Phil Dawson on March 19, 2009
Thanks for the tips ^_^
Ted Burrett on April 24, 2009
If you want to read a reader's feedback :) , I rate this post 4/5. Detailed info, but I just have to go to that damn Google to find the missed bits. Thanks anyway!