[strongSwan] How to block Netstat attacks from VPN users?

Houman houmie at gmail.com
Tue Jul 30 16:17:53 CEST 2019


Hello,

I had an interesting abuse notification that someone has run a
netstat through our VPN.

> time                      protocol  src_ip           src_port     dest_ip        dest_port
> ---------------------------------------------------------------------------
> Tue Jul 30 13:38:01 2019  UDP       136.243.xxx.xxx  21346     => 172.20.10.17   21346
> Tue Jul 30 13:38:01 2019  UDP       136.243.xxx.xxx  21346     => 172.20.10.19   21346

I was wondering if there is a good way to block all VPN users from running
hacker tools such as netstat (port scanning) altogether.  Is there a
reliable way to do that with iptables?

I came across this snippet that should block port scans, but I'm not sure
if that would block a VPN user after all since the VPN traffic is
masqueraded.

# the chains referenced below have to exist before rules are appended to them
iptables -N syn-flood
iptables -N port-scan
iptables -N specific-rule-set
# allow at most one RST-only segment per second; anything above that is logged and dropped
iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
iptables -A port-scan -j LOG --log-level 6
iptables -A port-scan -j DROP
iptables -A specific-rule-set -p tcp --syn -j syn-flood
iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan

Any suggestions, please?
Many Thanks,
Houman
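The following is an added example and not part of Houman's post or of strongSwan itself. It generates an iptables rule set that rate-limits and logs new connections opened by IPsec clients, addressing the masquerading concern raised above: the filter FORWARD chain is evaluated before nat/POSTROUTING (where MASQUERADE rewrites the source), so the client's virtual IP is still visible there, and `-m policy --dir in --pol ipsec` restricts the match to packets that arrived inside an IPsec SA. The virtual-IP pool `10.10.10.0/24`, the chain name `vpn-scan` and the limits are placeholders chosen for this example.

```sh
#!/bin/sh
# Added example, not from the original post or strongSwan. Prints (and can
# apply) iptables rules that rate-limit and log new connections per IPsec
# client. Assumptions: the clients' virtual-IP pool is 10.10.10.0/24 and the
# rules are loaded on the VPN gateway.

VPN_POOL="${VPN_POOL:-10.10.10.0/24}"   # assumed strongSwan virtual-IP pool
LIMIT="${LIMIT:-20/second}"             # new connections per client before dropping
BURST="${BURST:-40}"
CHAIN="vpn-scan"

# Print the rules. FORWARD runs before nat/POSTROUTING, so the source address
# is still the client's virtual IP here; masquerading does not hide it from
# these rules. "-m policy --dir in --pol ipsec" limits the match to packets
# that were decapsulated from an IPsec SA.
vpn_scan_rules() {
  cat <<EOF
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
iptables -A $CHAIN -m hashlimit --hashlimit-mode srcip --hashlimit-upto $LIMIT --hashlimit-burst $BURST --hashlimit-name vpn-new -j RETURN
iptables -A $CHAIN -m limit --limit 5/minute -j LOG --log-prefix "vpn-scan: " --log-level 6
iptables -A $CHAIN -j DROP
iptables -I FORWARD -s $VPN_POOL -m policy --dir in --pol ipsec -m conntrack --ctstate NEW -j $CHAIN
EOF
}

# Apply the rules (needs root and iptables on the gateway); review the output
# of vpn_scan_rules first.
apply_vpn_scan_rules() {
  vpn_scan_rules | sh -e
}

# Run stand-alone: just print the rules for review.
vpn_scan_rules
```

Clients that stay under `LIMIT` new connections per second are returned to the normal FORWARD processing; a client exceeding it is logged (itself rate-limited so the log cannot be flooded) and its excess connection attempts are dropped. Tune `LIMIT` and `BURST` to the real traffic profile before enabling the DROP rule.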