
I am trying to figure out how to achieve something I am not sure is achievable and need help. I did my research but couldn't find credible information. Hope this question is not a duplicate.

SET UP: I am using iptables as my firewall to block malicious IP activity. Currently I am manually writing the entries in a file and then executing with iptables-restore < /etc/iptables/rules. Within those rules I have one that logs every inbound connection: -A INPUT -m state --state NEW -j LOGALL. I have also set up apache to log the IPs that connect to the webpages (different logs for each page, and a different log file for iptables).

PROBLEM: I get numerous iptables logs of this kind:

Apr  4 14:52:18 kernel: [53326.219105] LOGALL IN=eth0 OUT= MAC=xxxxxxxxxxxx SRC=174.111.111.206 DST=192.168.1.5 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=40132 PROTO=TCP SPT=179 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0 
Apr  4 14:53:27 kernel: [53395.130551] LOGALL IN=eth0 OUT= MAC=xxxxxxxxxxxx  SRC=45.146.164.211 DST=192.168.1.5 LEN=44 TOS=0x04 PREC=0x00 TTL=247 ID=26977 PROTO=TCP SPT=55172 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0 

from thousands of different IPs per day. I can tell from the LOG that they only send a SYN packet. I have used Wireshark to inspect the traffic and what I can tell is most don't answer after my server responds with SYN,ACK:

54215   187.717006840   180.234.40.115  192.168.1.5 TCP 60  56412 → 443 [SYN] Seq=0 Win=5840 Len=0 MSS=1460
54216   187.717251257   192.168.1.5 180.234.40.115  TCP 58  443 → 56412 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460
54411   188.716638340   192.168.1.5 180.234.40.115  TCP 58  [TCP Retransmission] 443 → 56412 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460

I have tried many different ways with iptables to limit those SYN-only packets. But those connections are not SYN flood attacks (I have limited SYN connections), but probably some crawlers and scans. I also tried https://inai.de/documents/Chaostables.pdf which gave me a lot of hope... but it didn't work or I can't get it to work.

I have also looked into fail2ban (haven't used it yet), but since I write the entries to iptables myself and execute with iptables-restore < /etc/iptables/rules, and fail2ban uses iptables too, I don't know how both would work together.

QUESTION: Is it possible to block IPs that show up in the iptables LOG file but do NOT show up in the apache LOG files? (For me that would mean the IP did not come to my server to open the webpage, thus is doing something else.) Example: IP 1.1.1.1 opens my webpage, meaning there will be a LOG entry in iptables and in apache. BUT if that 1.1.1.1 IP only sends a SYN packet to port 443, only the iptables LOG will show that -> block that IP?

I hope I have been clear enough. Any help would be appreciated. Thank you.

baboon
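One way to do the correlation the question describes, as an added example that is not part of the original post: a small Python script that parses the LOGALL lines for SYNs to port 443, pulls the client IP out of the apache access log, and emits DROP lines (in the format the question's iptables-restore rules file uses) for IPs that appear only in the firewall log. The log samples are constructed (the first two LOGALL lines are the ones from the question; 203.0.113.7 is made up), and the min_syns threshold is an assumption of this example, not anything the page prescribes.

```python
import re
from collections import Counter

# Constructed sample log lines in the two formats the question shows (not real traffic).
# The first two LOGALL lines are from the question; 203.0.113.7 is a made-up client
# that completed a request, so it appears in both logs and must NOT be flagged.
IPTABLES_LOG = """\
Apr  4 14:52:18 kernel: [53326.219105] LOGALL IN=eth0 OUT= MAC=xxxxxxxxxxxx SRC=174.111.111.206 DST=192.168.1.5 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=40132 PROTO=TCP SPT=179 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  4 14:53:27 kernel: [53395.130551] LOGALL IN=eth0 OUT= MAC=xxxxxxxxxxxx  SRC=45.146.164.211 DST=192.168.1.5 LEN=44 TOS=0x04 PREC=0x00 TTL=247 ID=26977 PROTO=TCP SPT=55172 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  4 14:53:40 kernel: [53408.000000] LOGALL IN=eth0 OUT= MAC=xxxxxxxxxxxx SRC=45.146.164.211 DST=192.168.1.5 LEN=44 TOS=0x04 PREC=0x00 TTL=247 ID=26978 PROTO=TCP SPT=55173 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  4 14:55:01 kernel: [53489.000000] LOGALL IN=eth0 OUT= MAC=xxxxxxxxxxxx SRC=203.0.113.7 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""
APACHE_LOG = """\
203.0.113.7 - - [04/Apr/2021:14:55:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Matches a LOGALL line for a TCP SYN to some destination port; SRC= is the client.
LOGALL_RE = re.compile(r"LOGALL .*?SRC=(?P<src>[0-9a-fA-F.:]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*? SYN ")

def syn_sources(iptables_text, dport=443):
    """Count SYN packets per source IP that the LOGALL rule saw on `dport`."""
    counts = Counter()
    for line in iptables_text.splitlines():
        m = LOGALL_RE.search(line)
        if m and int(m.group("dpt")) == dport:
            counts[m.group("src")] += 1
    return counts

def apache_clients(apache_text):
    """Client IPs from access log lines (first field of the common/combined format)."""
    return {line.split(" ", 1)[0] for line in apache_text.splitlines() if line.strip()}

def syn_only_ips(iptables_text, apache_text, dport=443, min_syns=2):
    """IPs that sent at least `min_syns` SYNs to `dport` but never reached a web page.
    min_syns > 1 (an assumed threshold) avoids flagging a client whose one handshake failed."""
    seen = apache_clients(apache_text)
    return sorted(ip for ip, n in syn_sources(iptables_text, dport).items()
                  if n >= min_syns and ip not in seen)

def drop_rules(ips):
    """Rule lines in the format of the file the question loads with iptables-restore."""
    return [f"-A INPUT -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    for rule in drop_rules(syn_only_ips(IPTABLES_LOG, APACHE_LOG)):
        print(rule)
```

A client that completes the TCP and TLS handshakes but never sends a request also stays out of the apache log, so treat the output as a candidate list to review rather than an automatic block list.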
  • Are these SYN packets causing problems in your system? Do you expect that the overhead of logging SYN packets and blocking IPs is less than just letting kernel handle timing out of the connection attempts? – Tero Kilkanen Apr 04 '21 at 21:04
  • @TeroKilkanen At the moment, to my knowledge, they are not causing any problem. I have done what the internet suggests to limit the connections and all, but those 2 questions have been in the back of my head for some time, and I was wondering if it's possible. – baboon Apr 04 '21 at 21:29
  • I would propose the following - if the packets aren't producing a verifiable issue for your system, you're wasting more time trying to figure out how to "deal with them" than is really necessary. You won't always have 100% good only connections, and we live in an imperfect world. Surely there is something else that could be a better use of your time. If it's something else, have you considered that maybe you have an [XY problem](https://xyproblem.info/) going on? – tilleyc Apr 04 '21 at 21:38
  • @tilleyc that article is good. I get it, yes, possibly, but the second question about fail2ban is not that much of an XY problem. – baboon Apr 04 '21 at 21:55
  • @tilleyc I deleted the first question (good article) hah – baboon Apr 04 '21 at 22:08

1 Answer


since I write the entries to iptables myself and execute with iptables-restore < /etc/iptables/rules, and fail2ban uses iptables too, I don't know how both would work together.

You can:

  1. either use the --noflush option with iptables-restore to avoid removal of fail2ban (and other) rules, and filter the f2b-* chains by iptables-save.
  2. or switch to nftables (since fail2ban supports this action); it can target the tables by dump and restore separately, so they would not remove or overwrite fail2ban chains.
sebres