
CSF Disable ICMP Ping Logging

Posted: 26 Oct 2020, 21:44
by xenitive
I'm using Logwatch and have noticed a bunch of logs coming in for ICMP.

For example:

iptables firewall
Listed by source hosts:
Logged 1760 packets on interface eth0
From 3.87.248.151 - 1 packet to icmp(8)
From 3.231.165.178 - 2 packets to icmp(8)
From 3.236.183.212 - 2 packets to icmp(8)
From 3.236.184.164 - 3 packets to icmp(8)
From 3.237.184.3 - 1 packet to icmp(8)
From 3.238.39.131 - 1 packet to icmp(8)
From 3.238.62.31 - 1 packet to icmp(8)

I thought this was controlled at Port Scan Tracking -> PS_PORTS by removing the ...,ICMP but I'm still getting these in the logs.

I don't see any other places where this might be set. I even tried adding ICMP to Logging Settings -> DROP_NOLOG but this doesn't accept ICMP as a "port".

I am in the process of migrating servers and my old server doesn't show the ICMP packets in the logs, so I know it's a setting I'm missing, I just don't know which one.

Suggestions?

Re: CSF Disable ICMP Ping Logging

Posted: 26 Oct 2020, 23:50
by xenitive
I may have answered my own question.

I had ICMP_IN_RATE = 1/s

I have changed this to 5/s

I did a quick test of setting ICMP_IN_RATE = .1/s, then running

tail -f /var/log/messages | grep "ICMP_IN"

I got a handful of blocks in a very short period with it set to .1/s. I'm guessing the 1/s is too narrow a window for a single IP. For example, if you were to open two windows and run ping to the host, you're technically getting more than 1/s from that IP. If a "hacker" is trying to run the ping faster than 1 second (maybe for quick responses, maybe to test ICMP DDoS flooding) then this would cause it to block and log. Maybe someone smarter than me can correct my thinking?

I'll run 5/s for now and see where it gets me.

Re: CSF Disable ICMP Ping Logging

Posted: 15 Jan 2023, 13:21
by xenitive
Update: It worked for a while (2 years), then started flooding the logs again...

Raising the rate to 30/s in hopes it will reduce the log clutter.

@devs: It would be nice if there were an option in the settings to disable these logs unless a certain threshold has been hit. Since ICMP isn't a port, it can't be added to DROP_NOLOG.
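An added example, not code from this thread or from csf itself: before raising ICMP_IN_RATE another notch, it is worth measuring what the log actually shows. The script below parses kernel lines in the standard netfilter LOG format (`SRC=... PROTO=ICMP TYPE=8 ...`), keeps only echo requests, and reports packets per source and the peak packets in any one second, overall and per source. That separates the two cases the posts above conflate: one host really flooding (a rate limit is doing its job) versus many hosts each sending a ping or two, the pattern in the Logwatch report, where a higher limit mostly just hides the noise. The `Firewall: *ICMP_IN Blocked*` log prefix, the year (syslog timestamps carry none) and the sample lines are constructed assumptions; adjust the regex to whatever prefix `grep ICMP_IN /var/log/messages` shows on your host.

```python
# Added example (not from the original thread or from csf): summarise the
# ICMP echo requests recorded by an iptables LOG rule so that an ICMP_IN_RATE
# change is based on measured traffic rather than guesswork.
import re
from collections import Counter
from datetime import datetime

# Assumed log prefix for the csf ICMP_IN rate-limit rule; change if yours differs.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Firewall: \*ICMP_IN Blocked\* "
    r".*?SRC=(?P<src>[\d.]+) .*?PROTO=ICMP TYPE=(?P<type>\d+)"
)


def parse_icmp_in(lines, year=2020):
    """Yield (timestamp, source, icmp_type) for every ICMP_IN log line.
    Syslog lines carry no year, so one is assumed (parameter)."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:                      # TCP_IN/UDP_IN blocks, unrelated lines
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], int(m["type"])


def summarise(lines, icmp_type=8):
    """Count echo requests (type 8 by default) per source and find the busiest
    one-second bucket, both overall and for each source."""
    events = [(ts, src) for ts, src, t in parse_icmp_in(lines) if t == icmp_type]
    per_source = Counter(src for _, src in events)
    per_second = Counter(ts for ts, _ in events)
    per_source_second = Counter(events)
    peak_by_source = {}
    for (_, src), n in per_source_second.items():
        peak_by_source[src] = max(peak_by_source.get(src, 0), n)
    return {
        "packets": len(events),
        "sources": len(per_source),
        "per_source": dict(per_source),
        "peak_per_second_total": max(per_second.values(), default=0),
        "peak_per_second_by_source": peak_by_source,
    }


def classify(summary, flood_threshold=10):
    """Return the sources whose per-second peak reaches flood_threshold.
    An empty list with many sources means distributed probing, not a flood."""
    return sorted(src for src, n in summary["peak_per_second_by_source"].items()
                  if n >= flood_threshold)


# --- constructed sample data (not real log lines) ---------------------------
def _netfilter_line(ts, src, icmp_type=8, code=0):
    return (f"{ts} host kernel: Firewall: *ICMP_IN Blocked* IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=10.0.0.5 "
            f"LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=4711 DF PROTO=ICMP "
            f"TYPE={icmp_type} CODE={code} ID=1 SEQ=1")


SAMPLE_LINES = [
    # scattered probes, one or two packets per source (the Logwatch pattern)
    _netfilter_line("Oct 26 23:40:01", "3.87.248.151"),
    _netfilter_line("Oct 26 23:40:01", "3.231.165.178"),
    _netfilter_line("Oct 26 23:40:02", "3.231.165.178"),
    _netfilter_line("Oct 26 23:40:02", "3.236.183.212"),
    # one source sending 25 echo requests inside a single second (a flood)
    *[_netfilter_line("Oct 26 23:40:03", "198.51.100.7") for _ in range(25)],
    # an ICMP destination-unreachable and a TCP block: both must be ignored
    _netfilter_line("Oct 26 23:40:03", "203.0.113.9", icmp_type=3, code=3),
    "Oct 26 23:40:03 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=10.0.0.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=22 "
    "WINDOW=64240 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    s = summarise(SAMPLE_LINES)
    print(f"{s['packets']} echo requests from {s['sources']} sources, "
          f"peak {s['peak_per_second_total']}/s overall")
    for src, n in sorted(s["per_source"].items(), key=lambda kv: -kv[1]):
        print(f"  {src:16} {n:4} packets, peak {s['peak_per_second_by_source'][src]}/s")
    print("flooding sources:", classify(s) or "none")
```

Against a live box, `summarise(open("/var/log/messages"))` does the same job. Keep in mind that these lines record only what the rate-limit rule dropped, so the counts are a lower bound on the ping traffic the host receives, not the total; a list of many sources at one or two packets each, with no per-source peak anywhere near the configured rate, is the signature of scanners and uptime monitors rather than of an attack.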