
Following a Trustwave report, we are trying to set up our server to block this type of request, but after trying several combinations of rules we can still see the ports.

Could anyone give me a hint or the set of necessary rules to block this request?

I'm using `nmap --scanflags SYN,FIN xxx.xxx.xxx.xxx` to test whether iptables is blocking or not.

Chris S
shadow_of__soul

4 Answers


This rule will match if the SYN flag is set

```bash
# Assumes a user-defined chain named BLOCK already exists and INPUT jumps to it.
# Mask SYN,ACK,FIN,RST, compare against SYN: the packet matches only when SYN is
# set and ACK, FIN and RST are all clear (a plain connection-opening SYN).
iptables -A BLOCK -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP
```

And this one will match for the FIN flag

```bash
# Same mask, compared against FIN: matches when FIN is set and SYN, ACK and RST
# are all clear.
iptables -A BLOCK -p tcp --tcp-flags SYN,ACK,FIN,RST FIN -j DROP
```

Note that you will need to tweak this, as the SYN rule will prevent incoming TCP connections to your device entirely; perhaps set the specific port you want blocked?

Spencer Rathbun
  • Check some rules on this [post too](http://volc-hara.blogspot.com/2008/03/iptables-anti-scan-tricks.html). – coredump Apr 26 '11 at 20:29
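The `--tcp-flags MASK COMP` test that the rules above rely on is `(packet_flags & MASK) == COMP`, so a rule only fires when every flag in MASK that is absent from COMP is clear on the wire. Worked through for the probe in the question, the two rules in this answer do not match a packet with SYN and FIN both set: the SYN rule needs FIN clear and the FIN rule needs SYN clear. The following model, added here as an example and not code from the question or any answer, replays a set of constructed probes (the SYN+FIN scan plus the packets of a normal handshake) against the answer's rules and against a second list that targets impossible flag combinations, then renders that second list as iptables commands. The chain name `INPUT` and the rule and probe lists are assumptions for illustration.

```python
"""Model of the iptables `-p tcp --tcp-flags MASK COMP` test.

Added example for this thread, not code from the question or any answer.
It reproduces only the flag comparison the kernel tcp match performs:
a packet matches when (packet_flags & MASK) == COMP. The probe list,
the rule lists and the chain name are constructed for illustration.
"""

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_flags(spec):
    """Convert an iptables flag list ('SYN,FIN', 'ALL', 'NONE') to a bitmask."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return sum(FLAG_BITS.values())
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= FLAG_BITS[name.strip()]
    return bits


def rule_matches(mask_spec, comp_spec, packet_flags_spec):
    """True if a packet carrying packet_flags_spec hits --tcp-flags MASK COMP."""
    mask = parse_flags(mask_spec)
    comp = parse_flags(comp_spec)
    packet = parse_flags(packet_flags_spec)
    return (packet & mask) == comp


# The two rules posted in the answer above.
ANSWER_RULES = [("SYN,ACK,FIN,RST", "SYN"),
                ("SYN,ACK,FIN,RST", "FIN")]

# Rules aimed at flag combinations that never occur in a legitimate
# handshake; a normal SYN, SYN/ACK, ACK or FIN/ACK matches none of them.
SCAN_RULES = [
    ("SYN,FIN", "SYN,FIN"),     # SYN and FIN together (nmap --scanflags SYN,FIN)
    ("SYN,RST", "SYN,RST"),
    ("ALL", "NONE"),            # no flags at all (nmap -sN)
    ("ALL", "ALL"),             # every flag set
    ("ALL", "FIN,PSH,URG"),     # Xmas probe (nmap -sX)
    ("ACK,FIN", "FIN"),         # FIN without ACK (nmap -sF)
]


def first_match(rules, packet_flags_spec):
    """Return the '--tcp-flags MASK COMP' of the first matching rule, or None."""
    for mask, comp in rules:
        if rule_matches(mask, comp, packet_flags_spec):
            return f"--tcp-flags {mask} {comp}"
    return None


def evaluate(probes, rules):
    """Map each probe's flag set to the rule that would DROP it (None = passes)."""
    return {probe: first_match(rules, probe) for probe in probes}


def render_rules(rules=SCAN_RULES, chain="INPUT"):
    """Emit the rules as iptables commands appended to `chain` (assumed to exist)."""
    return [f"iptables -A {chain} -p tcp --tcp-flags {mask} {comp} -j DROP"
            for mask, comp in rules]


# Constructed probes: what nmap sends for the scan in the question, plus the
# packets of an ordinary TCP session that must keep working.
PROBES = ["SYN,FIN", "SYN", "SYN,ACK", "ACK", "FIN,ACK",
          "FIN", "NONE", "FIN,PSH,URG"]

if __name__ == "__main__":
    for label, rules in (("answer's rules", ANSWER_RULES), ("scan rules", SCAN_RULES)):
        print(f"== {label}")
        for probe, hit in evaluate(PROBES, rules).items():
            print(f"{probe:12} -> {hit or 'passes'}")
    print("\n".join(render_rules()))
```

Running it shows `SYN,FIN` passing the answer's two rules untouched while a plain `SYN` is dropped, which is the opposite of what the question needs; under the scan list the SYN+FIN probe hits `--tcp-flags SYN,FIN SYN,FIN` and the ordinary handshake packets pass. The same rules can be appended to whatever chain is appropriate, for example the `-t raw -A PREROUTING` placement suggested further down this page.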

I use something to prevent these SYN attacks. Not sure if it is the correct one for your case, but you may take a look. I count requests per second and block IPs with more than X (in my case 20) requests in 1 second. Works for me.

```bash
# Both rules are inserted at the top of INPUT with -I, so the second command
# ends up at position 1: the hit-count check runs before the --set rule
# records the current attempt.
iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --set

iptables -I INPUT -p tcp --dport 80 -i eth0 -m state --state NEW -m recent --update --seconds 1 --hitcount 20 -j DROP
```
Blagomir

Go check my Community Wiki: iptables Tips & Tricks

Especially the following "answer": Answer #245713

Please note that for the blockage to be effective, it must be placed in `-t raw -A PREROUTING`.

pepoluan

There is a document entitled "Detecting and deceiving network scans" on the net, which goes into this with analytical detail, and finds the optimal blocking parameters.

dgq8