Security Issue - ICMP Timestamp Request/Reply

5 posts / 0 new
Last post
#1 Tue, 03/27/2007 - 10:54

Security Issue - ICMP Timestamp Request/Reply

When I scan my server with the Tenable Nessus Vulnerability Scanner ( ), I am cautioned that ICMP Timestamp Request/Reply are not blocked. How concerned should I be? Do I really need to block them? What do you reckon?

Output from the Nessus Vulnerability Scanner:

"It is possible to determine the exact time set on the remote host.

Description : The remote host answers to an ICMP timestamp request. This allows an attacker to know the date which is set on your machine.

This may help him to defeat all your time based authentication protocols."

Thu, 03/29/2007 - 00:30

Nobody has any concern over this one?

ICMP Timestamp Reply Vulnerability
Host Impact: An attacker can flood the internal network.

Thu, 03/29/2007 - 10:47

It may be that some people don't understand the issue, or they don't see it as a problem related to Virtualmin. This is something that should normally be configured on your firewall or addressed by your service provider. However, if you are running iptables on your host system and want to block it there, you can do this with the Webmin Linux Firewalls module. There are options there to block timestamp-request and timestamp-reply packets.

Thu, 03/29/2007 - 13:36

Thanks, Alan.

> you can do this with the Webmin Linux Firewalls module

Yes, I already did that. However, when I scan my server again with Tenable Nessus Vulnerability Scanner, it still reports that "It is possible to determine the exact time set on the remote host...." *scratch head*

I set Webmin Linux Firewalls to REJECT. Should I use DROP instead?

Sat, 03/31/2007 - 07:33

I've just begun to delve into some of the security aspects. I see an awfully lot of people try to relay through my mail server, and I see a lot of people try to FTP in using accounts that don't exist. While I'm getting used to the fact that the entire world can get at my machine, I am helped by the fact taht I am the only person running sites upon the machine at present time. I can block a lot of thigns that I would not normally be able to block.

I've figured out how to set up the firewall to only allow ftp to my own IP addresses, and I've blocked a lot of relayers. I probably don't have to block the relayers because they're being rejected anyway, but I like to keep them from potentially hitting me in other ways as well.

To get closer to your topic: I use Drop instead of Reject. I have not confirmed what they do, but my perception is that Reject will send a note back to people saying they are doing something wrong. I feel that if I simply Drop them, then I give them fewer clues as to what actually occurred.

If my perception on this is wrong, then somebody please correct me.

Topic locked