[strongSwan] How to block Netstat attacks from VPN users?

Houman houmie at gmail.com
Tue Jul 30 16:39:52 CEST 2019 

Sorry I mistyped. I meant  Netscan.

The abuse message was saying: *NetscanOutLevel: Netscan detected from
xx.xx.xx.xx*

This is possible though, that VPN users run a netscan and scan the ports.
Am I correct?

Thanks,

On Tue, 30 Jul 2019 at 15:30, Thor Simon <Thor.Simon at twosigma.com> wrote:

> I don't think netstat does what you think it does.  It is a _local_ tool.
> Perhaps the "abuse notification" you received is a phishing attack?
>
> Hae a look at the manual page:
>
> http://manpages.ubuntu.com/manpages/trusty/man8/netstat.8.html
>
> ________________________________
> From: Houman <houmie at gmail.com>
> Sent: Jul 30, 2019 10:18 AM
> To: users at lists.strongswan.org
> Subject: [strongSwan] How to block Netstat attacks from VPN users?
>
> Hello,
>
> I had an interesting abuse notification that someone has run a netstat
> through our VPN.
>
> > time                protocol src_ip src_port          dest_ip dest_port
> >
> ---------------------------------------------------------------------------
> > Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 =>    172.20.10.17
> 21346
> > Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 =>    172.20.10.19
> 21346
>
> I was wondering if there is a good way to block all VPN users from running
> hacker tools such as netstat (port scanning) altogether.  Is there a
> reliable way to do that with iptables?
>
> I came across this snippet that should block port scans, but I'm not sure
> if that would block a VPN user after all since the VPN traffic is
> masqueraded.
>
> iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
> --limit 1/s -j RETURN
> iptables -A port-scan -j DROP --log-level 6
> iptables -A specific-rule-set -p tcp --syn -j syn-flood
> iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j
> port-scan
>
> Any suggestions, please?
> Many Thanks,
> Houman
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190730/e8ca0338/attachment.html>

More information about the Users mailing list