
Disabling ping on Ubuntu

洛克希德马丁 2024-07-18 18:01:02


Preface

For a long time ping has been one way to check whether a server is online, and of course it is sometimes also a tool that attackers like to use. As a protective measure many servers disable ping in order to stay hidden on the Internet. Today I will demonstrate how to disable ping on Ubuntu; in theory this applies to all mainstream Ubuntu versions, other distributions please test yourself.


I. What is ping?

ping (Packet Internet Groper) is an Internet packet explorer, a program used to test network connectivity. Ping is a service command that works at the application layer of the TCP/IP network architecture; it mainly sends ICMP (Internet Control Message Protocol) Echo request packets to a specific destination host to test whether the destination is reachable and to learn about its state.

II. Using ping

If your system does not have the ping tool you need to install it; if it is already there no extra installation is needed.

sudo apt update
sudo apt install iputils-ping

1. Basic usage

ping has many uses; the simplest is:

ping <host>

A brief note here: if you give an IP address the command runs directly; if you give a domain name it is first resolved to an IP address and then the command runs. This is easy to understand, since ping targets IP addresses.

If the IP address you ping is online and does not block ping, you get output similar to the following:

ping www.baidu.com
PING www.a.shifen.com (180.101.50.242) 56(84) bytes of data.
64 bytes from 180.101.50.242 (180.101.50.242): icmp_seq=1 ttl=47 time=8.75 ms
64 bytes from 180.101.50.242 (180.101.50.242): icmp_seq=2 ttl=47 time=8.66 ms
64 bytes from 180.101.50.242 (180.101.50.242): icmp_seq=3 ttl=47 time=8.64 ms
64 bytes from 180.101.50.242 (180.101.50.242): icmp_seq=4 ttl=47 time=8.66 ms
64 bytes from 180.101.50.242 (180.101.50.242): icmp_seq=5 ttl=47 time=8.64 ms
64 bytes from 180.101.50.242 (180.101.50.242): icmp_seq=6 ttl=47 time=8.69 ms
64 bytes from 180.101.50.242 (180.101.50.242): icmp_seq=7 ttl=47 time=8.64 ms

A brief interpretation: (180.101.50.242) is the resolved target IP address.
icmp_seq: the request sequence number; by default Ubuntu keeps sending requests until you press Ctrl+C.
ttl: short for time to live; the value is decremented by 1 at every router hop, and when it reaches 0 the packet is dropped by the router and you are notified of a timeout. I have never run into the timeout case; the default is 64 and the maximum is 255, and normally a packet does not traverse that many routers.
time: the round-trip time of one request; shorter means a faster network, larger means a slower one.

2. Advanced usage

The usage text is as follows (example):

Usage: ping [-aAbBdDfhLnOqrRUvV64] [-c count] [-i interval] [-I interface]
            [-m mark] [-M pmtudisc_option] [-l preload] [-p pattern] [-Q tos]
            [-s packetsize] [-S sndbuf] [-t ttl] [-T timestamp_option]
            [-w deadline] [-W timeout] [hop1 ...] destination
Usage: ping -6 [-aAbBdDfhLnOqrRUvV] [-c count] [-i interval] [-I interface]
             [-l preload] [-m mark] [-M pmtudisc_option]
             [-N nodeinfo_option] [-p pattern] [-Q tclass] [-s packetsize]
             [-S sndbuf] [-t ttl] [-T timestamp_option] [-w deadline]
             [-W timeout] destination

If the target address is IPv4 just use ping; if it is IPv6 add -6.
A few simple options:
-t: specify the TTL; the default is 64 and the maximum 255. If it is set too small the packet times out and is dropped before reaching the destination, so the default is usually fine.
-c: simply how many times to ping; Ubuntu keeps sending by default, so to stop after 3 pings add -c 3.
-i: the interval between packets in seconds; floating-point values such as 0.3 (meaning 300 ms) are allowed, and intervals below 200 ms require root privileges.
-w: the deadline for waiting for a response. If you ping an offline server you may wait a long time before getting a timeout; this option sets that timeout. For example, set it to 1 second: if no response arrives within 1 second the command ends and $? is non-zero. This is very useful for testing whether LAN devices are offline.
Others: please research them yourself; since this article is about configuring ping blocking I won't say much about the other parameters, refer to the official documentation.

       Damaged packets are obviously serious cause for alarm and often indicate broken hardware somewhere in the ping packet's path (in the network or in the hosts).

TRYING DIFFERENT DATA PATTERNS
       The (inter)network layer should never treat packets differently depending on the data contained in the data portion. Unfortunately, data-dependent problems have been known to sneak into networks and remain undetected for long periods of time. In many cases the particular pattern that will have problems is something that doesn't have sufficient ``transitions'', such as all ones or all zeros, or a pattern right at the edge, such as almost all zeros. It isn't necessarily enough to specify a data pattern of all zeros (for example) on the command line because the pattern that is of interest is at the data link level, and the relationship between what you type and what the controllers transmit can be complicated.

       This means that if you have a data-dependent problem you will probably have to do a lot of testing to find it. If you are lucky, you may manage to find a file that either can't be sent across your network or that takes much longer to transfer than other similar length files. You can then examine this file for repeated patterns that you can test using the -p option of ping.

TTL DETAILS
       The TTL value of an IP packet represents the maximum number of IP routers that the packet can go through before being thrown away. In current practice you can expect each router in the Internet to decrement the TTL field by exactly one.

       The TCP/IP specification states that the TTL field for TCP packets should be set to 60, but many systems use smaller values (4.3 BSD uses 30, 4.2 used 15).

       The maximum possible value of this field is 255, and most Unix systems set the TTL field of ICMP ECHO_REQUEST packets to 255. This is why you will find you can ``ping'' some hosts, but not reach them with telnet(1) or ftp(1).

       In normal operation ping prints the TTL value from the packet it receives. When a remote system receives a ping packet, it can do one of three things with the TTL field in its response:

       · Not change it; this is what Berkeley Unix systems did before the 4.3BSD Tahoe release. In this case the TTL value in the received packet will be 255 minus the number of routers in the round-trip path.

       · Set it to 255; this is what current Berkeley Unix systems do. In this case the TTL value in the received packet will be 255 minus the number of routers in the path from the remote system to the pinging host.

       · Set it to some other value. Some machines use the same value for ICMP packets that they use for TCP packets, for example either 30 or 60. Others may use completely wild values.

BUGS
       · Many Hosts and Gateways ignore the RECORD_ROUTE option.

       · The maximum IP header length is too small for options like RECORD_ROUTE to be completely useful. There's not much that can be done about this, however.

       · Flood pinging is not recommended in general, and flood pinging the broadcast address should only be done under very controlled conditions.

SEE ALSO
       netstat(1), ifconfig(8).

HISTORY
       The ping command appeared in 4.3BSD.

       The version described here is its descendant specific to Linux.

       As of version s20150815, the ping6 binary doesn't exist anymore. It has been merged into ping. Creating a symlink named ping6 pointing to ping will result in the same functionality as before.

SECURITY
       ping requires CAP_NET_RAW capability to be executed 1) if the program is used for non-echo queries (See -N option), or 2) if kernel does not support non-raw ICMP sockets, or 3) if the user is not allowed to create an ICMP echo socket. The program may be used as set-uid root.

AVAILABILITY
       ping is part of iputils package and the latest versions are available in source form at http://www.skbuff.net/iputils/iputils-current.tar.bz2.

iputils-161105                  28 June 2019                  PING(8)

III. Disabling ping

Disabling ping on Ubuntu relies on the sysctl tool, which I won't introduce in detail here; it is the tool for modifying kernel runtime parameters on the fly.

1. Command-line method

The command-line method takes effect immediately; its only drawback is that the effect disappears after a reboot. Usage:

sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1

1: ignore ICMP echo requests (ping works over ICMP, which is a sub-protocol of IP; consult an encyclopedia for details).
0: stop ignoring them, restoring the state where the host can be pinged.

Unlike the configuration file, there must be no spaces around the = here, otherwise the command fails.

2. Configuration file

The default file is /etc/sysctl.conf, which usually holds a few commonly used directives (such as forwarding). A directive like the one for disabling ping is probably not in the file yet; we need to add it manually, and the last line is fine.

net.ipv4.icmp_echo_ignore_all = 1

There is no particular requirement on spaces here; with or without them it works the same.

After adding the line remember to save (w in vi). At this point the configuration file is only re-read at the next boot, so you need to run sysctl to make it take effect immediately.

sudo sysctl -p

Once that succeeds, ping blocking is in effect. Note that this command does not need a configuration file path; it loads the default /etc/sysctl.conf. Be especially aware that the other directives in the configuration file take effect too; if that is not what you want, comment them out first (a # before the directive).
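As an added example (not code from the original post), the script below audits net.ipv4.icmp_echo_ignore_all the way sysctl would read it from configuration files: comment lines are skipped, spaces around = are optional, the last assignment wins, and a key written with / instead of . is the same key. It also reads the live value from /proc/sys; the sample configuration file is constructed here and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Audits the icmp_echo_ignore_all
# setting as sysctl applies it: lines starting with '#' or ';' are comments,
# spaces around '=' are optional in files, '/' and '.' in key names are
# interchangeable, and if a key is assigned more than once the last one wins.

# effective_sysctl_value KEY FILE... -> prints the value KEY ends up with after
# the FILEs are applied in order (later files override earlier ones).
effective_sysctl_value() {
    key=$1; shift
    awk -v want="$key" '
        BEGIN { gsub("/", ".", want) }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            sub(/^-/, "", k)        # leading "-" means "ignore errors", not part of the key
            gsub("/", ".", k)
            if (k == want) { val = v; found = 1 }     # last assignment wins
        }
        END { if (found) print val }
    ' "$@"
}

# icmp_echo_ignored_in_config FILE... -> exit 0 when the files would disable ping
icmp_echo_ignored_in_config() {
    [ "$(effective_sysctl_value net.ipv4.icmp_echo_ignore_all "$@")" = 1 ]
}

# icmp_echo_ignored_now -> exit 0 when the running kernel already ignores echo requests
icmp_echo_ignored_now() {
    f=/proc/sys/net/ipv4/icmp_echo_ignore_all
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Constructed sample standing in for /etc/sysctl.conf: the second
# icmp_echo_ignore_all line overrides the first, exactly as sysctl -p applies it.
sample=$(mktemp)
cat >"$sample" <<'EOF'
# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=0
net.ipv4.icmp_echo_ignore_all=0
net/ipv4/icmp_echo_ignore_all = 1
EOF

if icmp_echo_ignored_in_config "$sample"; then
    echo "config: echo requests will be ignored once loaded (sysctl -p or reboot)"
fi
if icmp_echo_ignored_now; then
    echo "runtime: this kernel is ignoring echo requests right now"
else
    echo "runtime: this kernel still answers ping (or /proc/sys is not readable)"
fi
rm -f "$sample"
```

Pass several files in the order sysctl would read them to see which one finally decides the value.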

IV. Verifying the effect

1. Testing

Very simple, run the following command:

ping <server with ping disabled>

An interesting question here: does pinging yourself still get a response, or is only external ping blocked? The answer is that everything is blocked; even pinging localhost from the machine itself gets no response.

2. Packet capture test

Q: After ping is disabled, can the server still receive ICMP requests?
A: Yes, but the server deliberately ignores them. ICMP does not use ports, so firewall port rules have no effect on it.

sudo tcpdump icmp -vv
tcpdump: listening on eno1, link-type EN10MB (Ethernet), capture size 262144 bytes
10:42:32.489047 IP (tos 0x0, ttl 123, id 44113, offset 0, flags [none], proto ICMP (1), length 60)
    10.0.20.52 > insigma: ICMP echo request, id 1, seq 64, length 40
10:42:37.117354 IP (tos 0x0, ttl 123, id 44116, offset 0, flags [none], proto ICMP (1), length 60)
    10.0.20.52 > insigma: ICMP echo request, id 1, seq 65, length 40
10:42:42.121634 IP (tos 0x0, ttl 123, id 44118, offset 0, flags [none], proto ICMP (1), length 60)
    10.0.20.52 > insigma: ICMP echo request, id 1, seq 66, length 40
10:42:47.118525 IP (tos 0x0, ttl 123, id 44120, offset 0, flags [none], proto ICMP (1), length 60)
    10.0.20.52 > insigma: ICMP echo request, id 1, seq 67, length 40

See that? Only incoming packets, no outgoing ones, which confirms the meaning of the ignore directive used earlier: ignored, not blocked.
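An added example (not from the original post) that turns capture output like the above into a verdict: it counts echo requests and echo replies per peer in the line format "tcpdump icmp -vv" prints, so a host that receives requests but sends no replies shows up as ignoring them. The capture lines are constructed, reusing the peer name insigma from the output above.

```shell
#!/bin/sh
# Added example, not part of the original post. Summarises "tcpdump icmp -vv"
# output per peer: how many echo requests arrived and how many echo replies
# went back. A peer with requests but zero replies confirms that
# icmp_echo_ignore_all=1 is ignoring (not blocking) the traffic.

# icmp_echo_summary < capture_text -> one line per peer:
#   PEER requests=N replies=M answered|IGNORED
icmp_echo_summary() {
    awk '
        # request lines look like "10.0.20.52 > insigma: ICMP echo request, ..."
        /ICMP echo request/ { req[$1]++ }
        # reply lines look like "insigma > 10.0.20.52: ICMP echo reply, ..."
        /ICMP echo reply/   { p = $3; sub(/:$/, "", p); rep[p]++ }
        END {
            for (p in req) {
                r = rep[p] + 0
                printf "%s requests=%d replies=%d %s\n", p, req[p], r, (r > 0 ? "answered" : "IGNORED")
            }
        }
    '
}

# Constructed capture in the same shape as the tcpdump output above: two
# requests from 10.0.20.52 and no reply from insigma (ping is being ignored).
sample_capture='10:42:32.489047 IP (tos 0x0, ttl 123, id 44113, offset 0, flags [none], proto ICMP (1), length 60)
    10.0.20.52 > insigma: ICMP echo request, id 1, seq 64, length 40
10:42:37.117354 IP (tos 0x0, ttl 123, id 44116, offset 0, flags [none], proto ICMP (1), length 60)
    10.0.20.52 > insigma: ICMP echo request, id 1, seq 65, length 40'

printf '%s\n' "$sample_capture" | icmp_echo_summary
# prints: 10.0.20.52 requests=2 replies=0 IGNORED
```

On a live host, pipe "sudo tcpdump -l icmp -vv" into icmp_echo_summary after stopping the capture with Ctrl+C.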

V. Combining with the firewall

As said earlier, ping uses ICMP and needs no port to make a request. The method used here is to ignore it, which creates an "illusion" for the operator that the target server is offline; in reality one can still determine whether the server is online by scanning its ports. I will cover that another time.


Summary

1. "Disabling ping" would more accurately be called "ignoring echo requests", but we are used to the name, so it doesn't matter.
2. If you have questions or find something wrong in the article, leave a comment (I will get an email).
3. Corrections are welcome; abuse is not.

风语者! I like researching all kinds of technology, currently work in back-end development, and love life and love work.