| 1 |
On Wed, 2 Jun 2004, Martin Hajduch wrote: |
| 2 |
|
| 3 |
> you can also use inetd/xinetd |
| 4 |
> |
| 5 |
> for inetd you add line like this: |
| 6 |
> 1521 stream tcp nowait nobody /bin/echo /bin/echo "It worked" |
| 7 |
> to /etc/inetd.conf |
| 8 |
> |
| 9 |
> and then send SIGHUP to inetd process |
| 10 |
> |
| 11 |
> with xinetd it is similar, just you a add a new file with different syntax |
| 12 |
> |
| 13 |
> this is permanent (works until you remove that line and let inetd to |
| 14 |
> reread its configuration), so it is a quite good method how can you (for |
| 15 |
> example) disable ping for certain server, but still have a way how to |
| 16 |
> 'ping' it using telnet (available everywhere) for support people, etc ... |
| 17 |
> |
| 18 |
> there are reasons for disabling ping (icmp in general) because of security |
| 19 |
> |
| 20 |
|
| 21 |
Having to install xinetd/inetd is a bit more overhead than I was looking |
| 22 |
for, whereas most of the servers have the usual tools installed, telnet, |
| 23 |
nc, tcpdump, lsof, sysstat, etc. |
| 24 |
|
| 25 |
Without starting a flamewar, breaking ping is always annoying and adds |
| 26 |
little if any security. I'm fine with rate limiting icmp or filtering icmp |
| 27 |
fragments completely and think those are decent practices. Doing much more |
| 28 |
than that is causing more problems than you're solving IMHO. |
| 29 |
|
| 30 |
kashani |
Archives