Can still ping IP even though only 1 droplet allowed via SSH

Question

Hi,

I have 2 droplets, one containing my DB and one my app.

The DB droplet i have UFW installed allowing only the IP of the droplet of my app however when I ping the IP from my laptop it returns data.

Is this supposed to be - I would have expected it to not do that?

Only my app droplet should have access to that DB droplet - absolutely nothing else.

Thanks.

Answer 1

jtittle1 February 4, 2017

You’ll need to edit /etc/ufw/before.rules and modify two lines – in both cases, we’re replacing ACCEPT with DROP.

#01

-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

to

-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

#02

-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

to

-A ufw-before-forward -p icmp --icmp-type echo-request -j DROP

… and then run sudo ufw disable && sudo ufw enable.

You can also edit /etc/sysctl.conf and drop in:

net.ipv4.icmp_echo_ignore_all=1

… then run sudo sysctl -p to load the changes.

Once these changes have been made, you should see something similar to:

Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3

Reply Report

Answer 2

psmod2 February 5, 2017

Thanks - so as a security precaution is something commonly followed? (I only randomly thought about it).

Also - is there anything else I should also implement in addition to my UFW? Setting up fail2ban later today as well?

Reply Report

Related