5

In my log, I am frequently seeing dropped ips like this:

> Oct 30 17:32:24 IPTables Dropped: IN=eth0 OUT=
> MAC=04:01:2b:bd:b0:01:4c:96:14:ff:df:f0:08:00 SRC=62.210.94.116
> DST=128.199.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=45212
> PROTO=TCP SPT=51266 DPT=5900 WINDOW=1024 RES=0x00 SYN URGP=0
> 
> Oct 30 17:29:57 Debian kernel: [231590.140175] IPTables Dropped:
> IN=eth0 OUT= MAC=04:01:2b:bd:b0:01:4c:96:14:ff:ff:f0:08:00
> SRC=69.30.240.90 DST=128.199.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=245
> ID=12842 DF PROTO=TCP SPT=18534 DPT=8061 WINDOW=512 RES=0x00 SYN
> URGP=0

From the above, I am assuming these are the SYN flood attempts that are being dropped by my iptables rules. This is what I have in iptables for SYN (although I'm not sure which one of these rules is dropping the ones above):

# Drop bogus TCP packets
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

# --- Common Attacks: Null packets, XMAS Packets and Syn-Flood Attack ---
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

In Fail2ban, I don't see any specific filter for SYN attacks in the filter.d folder. My questions for this are:

1) Do I just ignore the above logs and not worry about setting up a Fail2Ban filter for these, since it's the internet and there are constantly going to be script kiddies doing this anyway?

2) Since Fail2ban works based on the iptables log, is there a way to ban the above SYN attempts on my server?

This is my lame attempt at a filter and it's not working. Not sure if it's even valid:

[Definition]
failregex = ^<HOST> -.*IPTables Dropped:.*SYN URGP=0
ignoreregex =

I am using Debian + Nginx

Neel
    Whether something is a SYN flood or not doesn't depend on what the individual packets look like, rather it depends on how many SYN packets there are. A typical SYN flood would use a spoofed source IP, but by dropping the packets you have made it impossible for yourself to know if the source IP was spoofed or not. Only sending a reply back to the source IP and observing how it reacts will tell you if the source was spoofed. If you do blacklist IPs based on packets that could have been spoofed, you are making yourself more vulnerable to DoS attacks. – kasperd Dec 09 '14 at 18:41

3 Answers

5

I came up with another solution for this and it seems to be working so far. Basically, I have written a filter that scans through the log and blocks all rogue IP addresses that have been dropped for various reasons in the given findtime. So this filter will block the IPs that have been dropped due to SYN, XMAS attacks, port scans, etc., whatever is listed in your iptables rules. In other words, it blocks the ones which keep showing up in the iptables block list for various reasons.

jail.local

[iptables-dropped]

enabled = true
filter = iptables-dropped
banaction = iptables-allports
port = all
logpath = /var/log/messages
bantime = 1800
maxretry = 3

FILTER: iptables-dropped.conf

[Definition]
failregex = IPTables Dropped: .* SRC=<HOST>
ignoreregex =

Make sure you log the dropped IPs like this in the iptables rules so the above filter works:

# log iptables denied calls (access via 'dmesg' command) to /var/log/messages file
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 5/min -j LOG --log-prefix "IPTables Dropped: " --log-level 4
iptables -A LOGGING -j DROP

The above seems to work for me.

Kevin Worthington
Neel
  • Instead, why don't you use the `[recidive]` rule in `jail.conf`? – NineCattoRules Feb 27 '16 at 12:50
  • Some linux distributions no longer use /var/log/messages, look through the various files in /var/log to see which contains the "IPTables Dropped:" messages and use that instead. I ended up with `logpath = /var/log/kern.log`. – IronEagle May 01 '21 at 21:27
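To see why the question's failregex never fires while the answer's does, here is an added Python example (not fail2ban's code and not from the post): it substitutes `<HOST>` the way fail2ban does (using a simplified IPv4-only pattern, an assumption for the example), runs both regexes over constructed kernel-log lines in the format shown above, and applies the jail's `maxretry = 3` within fail2ban's default 600 s findtime.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban substitutes <HOST> with its own host pattern before compiling a failregex;
# this IPv4-only stand-in is an assumption for the example, not fail2ban's exact regex.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# The question's attempt: anchored on <HOST> at line start, but kernel log lines start with a timestamp
ORIGINAL_ATTEMPT = r"^<HOST> -.*IPTables Dropped:.*SYN URGP=0"
# The answer's filter: anchored on the --log-prefix text and capturing the SRC= field
WORKING_FILTER = r"IPTables Dropped: .* SRC=<HOST>"
# Constructed sample log (TEST-NET addresses), shortened to the fields that matter here
SAMPLE_LOG = """\
Oct 30 17:05:00 Debian kernel: [229000.100000] IPTables Dropped: IN=eth0 OUT= SRC=198.51.100.5 DST=128.199.xxx.xxx PROTO=TCP DPT=22 SYN URGP=0
Oct 30 17:20:00 Debian kernel: [229900.200000] IPTables Dropped: IN=eth0 OUT= SRC=198.51.100.5 DST=128.199.xxx.xxx PROTO=TCP DPT=23 SYN URGP=0
Oct 30 17:29:57 Debian kernel: [231590.140175] IPTables Dropped: IN=eth0 OUT= SRC=192.0.2.10 DST=128.199.xxx.xxx PROTO=TCP DPT=8061 SYN URGP=0
Oct 30 17:30:12 Debian kernel: [231605.001122] IPTables Dropped: IN=eth0 OUT= SRC=192.0.2.10 DST=128.199.xxx.xxx PROTO=TCP DPT=5900 SYN URGP=0
Oct 30 17:31:01 Debian sshd[2210]: Accepted publickey for admin from 203.0.113.7 port 40122 ssh2
Oct 30 17:32:24 Debian kernel: [231737.330201] IPTables Dropped: IN=eth0 OUT= SRC=192.0.2.10 DST=128.199.xxx.xxx PROTO=TCP DPT=23 SYN URGP=0
Oct 30 17:35:00 Debian kernel: [231893.400000] IPTables Dropped: IN=eth0 OUT= SRC=198.51.100.5 DST=128.199.xxx.xxx PROTO=TCP DPT=25 SYN URGP=0
"""

def compile_failregex(failregex):
    """Mimic fail2ban: substitute <HOST>, then compile."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))

def find_failures(log_text, failregex):
    """Return (timestamp, host) for each line the failregex matches."""
    pattern = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:  # syslog timestamp is the first 15 characters, e.g. "Oct 30 17:29:57"
            hits.append((datetime.strptime(line[:15], "%b %d %H:%M:%S"), m.group("host")))
    return hits

def hosts_to_ban(log_text, failregex, maxretry=3, findtime=600):
    """Hosts with >= maxretry matches inside any findtime-second window (jail semantics)."""
    by_host = defaultdict(list)
    for ts, host in find_failures(log_text, failregex):
        by_host[host].append(ts)
    banned = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned
```

fail2ban ships `fail2ban-regex`, which runs a filter file over a real log file the same way, so use that against the live log before enabling the jail. Note that the `-m limit --limit 5/min` on the LOG rule caps how many drops reach the log at all, so fail2ban only ever counts the logged subset.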
0

Super fail2ban filter!! It works like a charm. Thanks a lot!

Anyway, I recommend editing the fail2ban filter, modifying the regex in this way:

failregex = ^%(__prefix_line)slost connection after .*\[<HOST>\]$
            ^%(__prefix_line)stoo many errors after .*\[<HOST>\]$
kenlukas
-1

Can you please give me a little hand? How can I use a SYN filter if I have nftables installed instead of iptables?

  • This does not really answer the question. If you have a different question, you can ask it by clicking [Ask Question](https://serverfault.com/questions/ask). To get notified when this question gets new answers, you can [follow this question](https://meta.stackexchange.com/q/345661). Once you have enough [reputation](https://serverfault.com/help/whats-reputation), you can also [add a bounty](https://serverfault.com/help/privileges/set-bounties) to draw more attention to this question. - [From Review](/review/late-answers/517658) – Dave M Apr 10 '22 at 11:44