Can still ping IP even though only 1 droplet allowed via SSH

Question

Hi,

I have 2 droplets, one containing my DB and one my app.

The DB droplet i have UFW installed allowing only the IP of the droplet of my app however when I ping the IP from my laptop it returns data.

Is this supposed to be - I would have expected it to not do that?

Only my app droplet should have access to that DB droplet - absolutely nothing else.

Thanks.

Jonathan Tittle · Answer

@psmod2 You’ll need to edit /etc/ufw/before.rules and modify two lines – in both cases, we’re replacing ACCEPT with DROP. #01 -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT to -A ufw-before-input -p icmp --icmp-type echo-request -j DROP #02 -A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT to -A ufw-before-forward -p icmp --icmp-type echo-request -j DROP … and then run sudo ufw disable && sudo ufw enable. You can also edit /etc/sysctl.conf and drop in: net.ipv4.icmp_echo_ignore_all=1 … then run sudo sysctl -p to load the changes. Once these changes have been made, you should see something similar to: Request timeout for icmp_seq 0 Request timeout for icmp_seq 1 Request timeout for icmp_seq 2 Request timeout for icmp_seq 3

psmod2 · Answer

Thanks - so as a security precaution is something commonly followed? (I only randomly thought about it).

Also - is there anything else I should also implement in addition to my UFW? Setting up fail2ban later today as well?

Related

Question

Can still ping IP even though only 1 droplet allowed via SSH

Related