In my log, I am frequently seeing dropped ips like this:
> Oct 30 17:32:24 IPTables Dropped: IN=eth0 OUT=
> MAC=04:01:2b:bd:b0:01:4c:96:14:ff:df:f0:08:00 SRC=62.210.94.116
> DST=128.199.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=45212
> PROTO=TCP SPT=51266 DPT=5900 WINDOW=1024 RES=0x00 SYN URGP=0
>
> Oct 30 17:29:57 Debian kernel: [231590.140175] IPTables Dropped:
> IN=eth0 OUT= MAC=04:01:2b:bd:b0:01:4c:96:14:ff:ff:f0:08:00
> SRC=69.30.240.90 DST=128.199.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=245
> ID=12842 DF PROTO=TCP SPT=18534 DPT=8061 WINDOW=512 RES=0x00 SYN
> URGP=0
From the above, I am assuming these are the Syn flood that are being dropped by my IpTables rules. This is what I have in iptables for Syn (although not sure which one of these rules are dropping the ones above):
# Drop bogus TCP packets
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
# --- Common Attacks: Null packets, XMAS Packets and Syn-Flood Attack ---
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
In Fail2ban, I dont see any specific filter for Syn attacks in filter.d
folder. My question for this are:
1) Do I just ignore the above logs and not worry about setting up a Fail2Ban filter for these since its internet and there is constantly going to be script kiddies doing these anyways?
2) Since Fail2ban work based on iptables log, is there a way to ban the above Syn attempts on my server?
This is my lame attempt on a filter and its not working. Not sure if its even valid:
[Definition]
failregex = ^<HOST> -.*IPTables Dropped:.*SYN URGP=0
ignoreregex =
I am using Debian + Nginx