How to Disable ICMP Echo Replies (Ping Responses) on Fedora Server

ICMP Echo Request and Echo Reply (ICMP types 8 and 0, better known as "ping") are the most basic reachability check on an IP network. Useful as ping is for troubleshooting, there are security and operational reasons to stop a production server from answering it:

  • Reduce visibility to casual network sweeps: scanners that use an echo probe as their host-discovery step will skip a host that stays silent
  • Avoid spending CPU and bandwidth on replies during an ICMP echo flood (the incoming packets still arrive, so this limits the damage rather than preventing the attack)
  • Comply with a security policy or hardening baseline that requires it
  • Minimize unnecessary network traffic

The simplest way to disable ping responses is the kernel's sysctl knob. Setting it with sysctl -w takes effect immediately but does not survive a reboot:

# Check current ping response setting
sysctl net.ipv4.icmp_echo_ignore_all

# Temporarily disable ping responses
sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1

To make the change survive a reboot, add it to the sysctl configuration. Fedora reads /etc/sysctl.conf as well as drop-in files under /etc/sysctl.d/; this example uses the former, which is what sysctl -p reloads (use sysctl --system to reload the drop-in directory too). Note that this key covers IPv4 only: on a dual-stack host, ping6 is still answered unless net.ipv6.icmp.echo_ignore_all is also set to 1.

# Open the sysctl configuration file
sudo nano /etc/sysctl.conf

# Add this line at the end of the file
net.ipv4.icmp_echo_ignore_all = 1

# Apply changes without reboot
sudo sysctl -p
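As an added example (not part of the original article), here is a small POSIX shell script that checks both halves of this step: that the running kernel is ignoring echo requests, and that the setting will come back after a reboot, for IPv4 and for IPv6 (net.ipv6.icmp.echo_ignore_all; the IPv4 knob alone leaves ping6 answered). It models what systemd-sysctl does in simplified form: /etc/sysctl.d/*.conf in name order, then /etc/sysctl.conf, last assignment wins; /usr/lib/sysctl.d and /run/sysctl.d are ignored. The optional ROOT argument points it at a staging tree instead of the live system, and the drop-in name 90-no-ping.conf is my choice, not a Fedora convention.

```shell
#!/bin/sh
# Added example (not from the original article): audit whether ICMP echo is
# ignored at runtime AND persistently, for IPv4 and IPv6.
# ROOT (optional) points the functions at a staging tree instead of "/".

# Value that will be applied at boot for KEY (dotted form, e.g.
# net.ipv4.icmp_echo_ignore_all). Simplified model of what systemd-sysctl
# does: /etc/sysctl.d/*.conf in name order, then /etc/sysctl.conf, last
# assignment wins. /usr/lib/sysctl.d, /run/sysctl.d and the "net/ipv4/..."
# slash spelling of keys are not handled. Prints "unset" if no file sets it.
persistent_value() {
    key=$1; root=${2:-}
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # escape dots for the regex
    val=""
    for f in "$root"/etc/sysctl.d/*.conf "$root"/etc/sysctl.conf; do
        [ -r "$f" ] || continue
        v=$(sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$f" | tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    printf '%s\n' "${val:-unset}"
}

# Value the running kernel uses, read from /proc/sys. Prints "unset" when the
# knob does not exist (e.g. the IPv6 one on an old kernel).
runtime_value() {
    key=$1; root=${2:-}
    p="$root/proc/sys/$(printf '%s' "$key" | tr . /)"
    if [ -r "$p" ]; then cat "$p"; else echo unset; fi
}

# Stage the drop-in that covers both address families. On the live system
# this needs root; with ROOT it just writes into the staging tree.
write_dropin() {
    root=${1:-}
    d="$root/etc/sysctl.d"
    mkdir -p "$d"
    cat > "$d/90-no-ping.conf" <<'EOF'
# Ignore ICMP echo requests on both address families
net.ipv4.icmp_echo_ignore_all = 1
net.ipv6.icmp.echo_ignore_all = 1
EOF
}

# One line per key; returns 0 only if every key is 1 now and 1 after reboot.
audit_icmp_echo() {
    root=${1:-}
    rc=0
    for key in net.ipv4.icmp_echo_ignore_all net.ipv6.icmp.echo_ignore_all; do
        run=$(runtime_value "$key" "$root")
        per=$(persistent_value "$key" "$root")
        printf '%-32s runtime=%s persistent=%s\n' "$key" "$run" "$per"
        if [ "$run" != 1 ] || [ "$per" != 1 ]; then rc=1; fi
    done
    return $rc
}

# Usage: sh icmp_audit.sh audit [ROOT]   (ROOT defaults to the live system)
if [ "${1:-}" = audit ]; then
    audit_icmp_echo "${2:-}"
fi
```

Run it as `sudo sh icmp_audit.sh audit` after applying the setting; a non-zero exit means at least one address family is either not ignoring echo right now or will stop ignoring it after the next reboot, and the printed line says which. The "last assignment wins" rule is the reason to check the persistent side at all: a later file (for example a vendor drop-in sorting after yours) can silently set the key back to 0.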

Fedora's default firewall (firewalld) provides another way to block ICMP echo requests, in the firewall rather than in the IP stack. The block applies to the zone you name, or to the default zone if you omit --zone, so check firewall-cmd --get-active-zones first to make sure that is the zone your interface actually belongs to. The echo-request type covers both IPv4 and IPv6:

# Check current ICMP settings
sudo firewall-cmd --list-icmp-blocks

# Block echo-request permanently
sudo firewall-cmd --permanent --add-icmp-block=echo-request

# Reload firewall to apply changes
sudo firewall-cmd --reload
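Two mistakes are easy to make with this procedure: running the --permanent command and forgetting --reload (the block exists in the saved configuration but not in the running one), and blocking echo-request in a zone that is not the one the interface is in. A third is ICMP block inversion: when it is enabled for a zone, the icmp-blocks list becomes the list of ICMP types that are allowed, so the same list means the opposite thing. The following POSIX shell script, added here as an example and not part of the original article, checks all three. The parsing functions take firewall-cmd output as strings, so they can be exercised on constructed input; only check_live talks to firewalld, and it needs root. The script name ping_block_check.sh is my choice.

```shell
#!/bin/sh
# Added example (not from the original article): check that echo-request is
# blocked in firewalld both at runtime and in the permanent configuration,
# for every active zone. The parsing functions take firewall-cmd output as
# strings, so they can be exercised on constructed input without firewalld.

# Return 0 if "echo-request" is a word in a space-separated list such as the
# output of `firewall-cmd --zone=Z --list-icmp-blocks`.
has_echo_request() {
    for t in $1; do
        if [ "$t" = echo-request ]; then return 0; fi
    done
    return 1
}

# Is ping blocked, given the zone's icmp-block list and whether ICMP block
# inversion is on ("yes"/"no", as printed by --query-icmp-block-inversion)?
# With inversion on the list is the set of ALLOWED types, so echo-request
# in the list means ping is permitted and an empty list blocks all ICMP.
echo_blocked() {
    list=$1; inversion=$2
    if [ "$inversion" = yes ]; then
        if has_echo_request "$list"; then return 1; else return 0; fi
    fi
    has_echo_request "$list"
}

# Compare runtime and permanent state for one zone. Returns 0 only when
# echo-request is blocked in both, i.e. the change is live now and will
# survive `firewall-cmd --reload` and a reboot.
check_zone() {
    zone=$1; rt_list=$2; rt_inv=$3; pm_list=$4; pm_inv=$5
    rt=no; pm=no
    if echo_blocked "$rt_list" "$rt_inv"; then rt=yes; fi
    if echo_blocked "$pm_list" "$pm_inv"; then pm=yes; fi
    printf 'zone=%s runtime_blocked=%s permanent_blocked=%s' "$zone" "$rt" "$pm"
    case "$rt/$pm" in
        yes/yes) printf ' OK\n'; return 0 ;;
        no/yes)  printf ' (permanent set but not loaded: run firewall-cmd --reload)\n' ;;
        yes/no)  printf ' (runtime only: use --permanent or --runtime-to-permanent)\n' ;;
        *)       printf ' (not blocked)\n' ;;
    esac
    return 1
}

# Query the live firewalld (needs root). Active zone names are the
# non-indented lines of --get-active-zones; interfaces are indented under them.
check_live() {
    rc=0
    for z in $(firewall-cmd --get-active-zones | sed -n 's/^\([^[:space:]].*\)$/\1/p'); do
        check_zone "$z" \
            "$(firewall-cmd --zone="$z" --list-icmp-blocks)" \
            "$(firewall-cmd --zone="$z" --query-icmp-block-inversion)" \
            "$(firewall-cmd --permanent --zone="$z" --list-icmp-blocks)" \
            "$(firewall-cmd --permanent --zone="$z" --query-icmp-block-inversion)" \
            || rc=1
    done
    return $rc
}

# Usage: sudo sh ping_block_check.sh live
if [ "${1:-}" = live ]; then
    check_live
fi
```

Run `sudo sh ping_block_check.sh live` after the commands above; it prints one verdict per active zone and exits non-zero if any zone is not blocking echo-request in both the running and the saved configuration. Checking every active zone rather than only the default one is what catches the wrong-zone mistake.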

After applying any of these methods, verify from another host and on the server itself. A dropped request gets no reply at all: Linux ping prints nothing per packet and finishes with "100% packet loss", Windows prints "Request timed out". If the client instead sees an ICMP error such as "Destination Host Prohibited", a firewall rule is rejecting rather than dropping, which still tells the sender the host is up.

# From another machine, try to ping the server
ping your.server.ip.address

# Expect 100% packet loss (Linux) or "Request timed out" (Windows)
# On the server, watch the requests arrive; with the setting active
# no echo-reply should follow them. Fedora interface names look like
# enp1s0 rather than eth0, so -i any is the safe choice:
sudo tcpdump -ni any icmp and icmp[icmptype]=icmp-echo

If you manage the firewall with iptables instead of firewalld, a single rule does the same job. Persisting it on Fedora needs the iptables-services package, which is normally used in place of firewalld rather than alongside it; its rules file is /etc/sysconfig/iptables (the /etc/iptables/rules.v4 path belongs to Debian's iptables-persistent). Remember IPv6 as well: ip6tables needs a matching rule for ICMPv6 echo-request.

# Block incoming ping requests
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

# Save rules for persistence (requires iptables-services on Fedora).
# The redirection has to run as root too, or the shell will fail to
# open the file before sudo ever starts:
sudo sh -c 'iptables-save > /etc/sysconfig/iptables'

Before disabling ping responses, consider these points:

  • Network monitoring tools may rely on ping to decide whether the host is up
  • Some load balancers and HA solutions use ICMP echo for health checks
  • Disabling ping doesn't make your server "invisible": a TCP or UDP port scan will still find it, as will ARP on the same LAN and scanners that use TCP SYN or ACK probes for host discovery
  • Only echo is being disabled here; blocking all ICMP would also break path MTU discovery and traceroute
  • In enterprise environments, coordinate with network administrators

If you need to restore ping functionality:

# For sysctl method (also remove the line from /etc/sysctl.conf, or it comes back at boot):
sudo sysctl -w net.ipv4.icmp_echo_ignore_all=0

# For firewalld:
sudo firewall-cmd --permanent --remove-icmp-block=echo-request
sudo firewall-cmd --reload

# For iptables:
sudo iptables -D INPUT -p icmp --icmp-type echo-request -j DROP

To recap the short version: in production, many administrators disable echo replies as a hardening step. A host that does not answer ping is slightly less visible to scans that rely on it for host discovery, but no more than that.

The persistent solution is the kernel parameter. Add this line to /etc/sysctl.conf (or to a drop-in under /etc/sysctl.d/, which is reloaded with sysctl --system rather than sysctl -p):

net.ipv4.icmp_echo_ignore_all = 1

Then apply the changes without reboot:

sudo sysctl -p

For Fedora's default firewall, the targeted option is --add-icmp-block=echo-request. A rich rule can be used instead, but note that the one below matches the whole ICMP protocol, not just echo: it also drops Destination Unreachable (including Fragmentation Needed, which breaks path MTU discovery), Time Exceeded (traceroute) and every other type. Use it only if that is really what you want:

sudo firewall-cmd --permanent --add-rich-rule='rule protocol value="icmp" drop'
sudo firewall-cmd --reload

For an immediate but non-persistent change, write the knob directly (equivalent to sysctl -w):

echo 1 | sudo tee /proc/sys/net/ipv4/icmp_echo_ignore_all

After making changes, verify from another machine:

ping your.server.ip

A silently dropped request shows up as 100% packet loss on Linux or "Request timed out" on Windows; an ICMP error such as "Destination Host Prohibited" means a firewall is rejecting rather than dropping.

If you run iptables (with the iptables-services package) instead of firewalld, use these rules; the save needs a root shell because the redirection is performed by the shell, not by sudo:

sudo iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
sudo sh -c 'iptables-save > /etc/sysconfig/iptables'

1. Some network monitoring systems rely on ICMP

2. Disabling ping may affect legitimate troubleshooting

3. Doesn't prevent all types of host discovery