[strongSwan] How to block Netstat attacks from VPN users?
Thor Simon
Thor.Simon at twosigma.com
Tue Jul 30 16:30:43 CEST 2019
I don't think netstat does what you think it does. It is a _local_ tool. Perhaps the "abuse notification" you received is a phishing attack?
Have a look at the manual page:
http://manpages.ubuntu.com/manpages/trusty/man8/netstat.8.html
________________________________
From: Houman <houmie at gmail.com>
Sent: Jul 30, 2019 10:18 AM
To: users at lists.strongswan.org
Subject: [strongSwan] How to block Netstat attacks from VPN users?
Hello,
I had an interesting abuse notification that someone has run a netstat through our VPN.
> time protocol src_ip src_port dest_ip dest_port
> ---------------------------------------------------------------------------
> Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 => 172.20.10.17 21346
> Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 => 172.20.10.19 21346
I was wondering if there is a good way to block all VPN users from running hacker tools such as netstat (port scanning) altogether. Is there a reliable way to do that with iptables?
I came across this snippet that should block port scans, but I'm not sure if that would block a VPN user after all since the VPN traffic is masqueraded.
iptables -N port-scan   # the chain must exist before rules are appended to it
iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
# --log-level is an option of the LOG target, not DROP: log first, then drop
iptables -A port-scan -j LOG --log-level 6 --log-prefix "port-scan: "
iptables -A port-scan -j DROP
# syn-flood and specific-rule-set are assumed to be created elsewhere in the ruleset
iptables -A specific-rule-set -p tcp --syn -j syn-flood
iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
Any suggestions, please?
Many Thanks,
Houman
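The notification lines quoted in the post above, parsed and checked for the pattern they show (one source reaching many distinct destinations within a short window), as an added example that is not part of the thread. The sample lines are constructed (TEST-NET source addresses, two extra rows), and the 60-second window and threshold of three targets are assumptions, not values from the notification.

```python
"""Parse abuse-notification lines in the quoted format and flag sources that
touch many distinct host/port pairs within a short window (host sweep or
port scan pattern). Sample data below is constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

# "Tue Jul 30 13:38:01 2019 UDP 1.2.3.4 21346 => 172.20.10.17 21346"
LINE_RE = re.compile(
    r"^(?P<time>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<proto>TCP|UDP) "
    r"(?P<src_ip>\S+) (?P<src_port>\d+) => (?P<dst_ip>\S+) (?P<dst_port>\d+)$"
)

SAMPLE = [  # constructed; header and separator lines are skipped by the parser
    "time protocol src_ip src_port dest_ip dest_port",
    "---------------------------------------------------------------------------",
    "Tue Jul 30 13:38:01 2019 UDP 203.0.113.5 21346 => 172.20.10.17 21346",
    "Tue Jul 30 13:38:01 2019 UDP 203.0.113.5 21346 => 172.20.10.19 21346",
    "Tue Jul 30 13:38:02 2019 UDP 203.0.113.5 21346 => 172.20.10.23 21346",
    "Tue Jul 30 13:40:00 2019 TCP 198.51.100.9 51000 => 172.20.10.17 443",
]

def parse_line(line):
    """Return a dict for a data row, or None for header/separator/garbage."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["time"] = datetime.strptime(d["time"], "%a %b %d %H:%M:%S %Y")
    d["src_port"], d["dst_port"] = int(d["src_port"]), int(d["dst_port"])
    return d

def find_scanners(lines, window_s=60, min_targets=3):
    """Map src_ip -> set of (dst_ip, dst_port) for every source that hits at
    least min_targets distinct pairs inside any window_s-second span."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["time"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        start = 0  # sliding window over this source's time-ordered events
        for end in range(len(evs)):
            while (evs[end]["time"] - evs[start]["time"]).total_seconds() > window_s:
                start += 1
            targets = {(x["dst_ip"], x["dst_port"]) for x in evs[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = flagged.get(src, set()) | targets
    return flagged

if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE).items():
        print(src, "reached", len(targets), "distinct targets:", sorted(targets))
```

The same function can be pointed at the VPN gateway's own connection logs; the threshold is what separates a sweep like the one in the notification from ordinary client traffic.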