Question

Can still ping IP even though only 1 droplet allowed via SSH

Posted February 4, 2017 1.1k views
Security Ubuntu 16.04

Hi,

I have 2 droplets, one containing my DB and one my app.

The DB droplet i have UFW installed allowing only the IP of the droplet of my app however when I ping the IP from my laptop it returns data.

Is this supposed to be - I would have expected it to not do that?

Only my app droplet should have access to that DB droplet - absolutely nothing else.

Thanks.

Add a comment
psmod2
By:
psmod2
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

2 answers
jtittle1 February 4, 2017

@psmod2

You’ll need to edit /etc/ufw/before.rules and modify two lines – in both cases, we’re replacing ACCEPT with DROP.

#01

-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

to

-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

#02

-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

to

-A ufw-before-forward -p icmp --icmp-type echo-request -j DROP

… and then run sudo ufw disable && sudo ufw enable.

You can also edit /etc/sysctl.conf and drop in:

net.ipv4.icmp_echo_ignore_all=1

… then run sudo sysctl -p to load the changes.

Once these changes have been made, you should see something similar to:

Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Reply Report
psmod2 February 5, 2017

Thanks - so as a security precaution is something commonly followed? (I only randomly thought about it).

Also - is there anything else I should also implement in addition to my UFW? Setting up fail2ban later today as well?

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help