[strongSwan] How to block Netstat attacks from VPN users?

Houman houmie at gmail.com
Mon Oct 14 09:44:49 CEST 2019


Hello Noel,

Thanks for your solution, I just tried it:

iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto 5/s -j ACCEPT

But I got this error message:

iptables v1.6.1: hashlimit: option "--hashlimit-name" must be specified

I googled and added the missing name like this:

iptables -I FORWARD 2 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name NETSCAN --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto 5/s -j ACCEPT

Do you agree with this approach to prevent VPN users from running Netscans?

Many Thanks,
Houman


On Wed, 31 Jul 2019 at 14:51, Noel Kuntze <noel.kuntze at thermi.consulting>
wrote:

> Hello Houman,
>
> A "netscan" attack isn't actually anything worthy of an abuse email.
> It's not part of a benign usage pattern of a VPN service, but it itself
> isn't illegal or anything.
> You can only slow down such scans by rate limiting the number of new
> connections using the hashlimit match module, for example.
>
> E.g. -A FORWARD -m conntrack --ctstate NEW -m hashlimit --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto 5/s -j ACCEPT
>
> Kind regards
>
> Noel
>
> Am 30.07.19 um 16:39 schrieb Houman:
> > Sorry I mistyped. I meant  Netscan.
> >
> > The abuse message was saying: *NetscanOutLevel: Netscan detected from
> xx.xx.xx.xx*
> >
> > This is possible though, that VPN users run a netscan and scan the
> ports. Am I correct?
> >
> > Thanks,
> >
> >     On Tue, 30 Jul 2019 at 15:30, Thor Simon <Thor.Simon at twosigma.com> wrote:
> >
> >     I don't think netstat does what you think it does.  It is a _local_
> tool.  Perhaps the "abuse notification" you received is a phishing attack?
> >
> >     Have a look at the manual page:
> >
> >     http://manpages.ubuntu.com/manpages/trusty/man8/netstat.8.html
> >
> >     ________________________________
> >     From: Houman <houmie at gmail.com>
> >     Sent: Jul 30, 2019 10:18 AM
> >     To: users at lists.strongswan.org
> >     Subject: [strongSwan] How to block Netstat attacks from VPN users?
> >
> >     Hello,
> >
> >     I had an interesting abuse notification that someone has run a
> netstat through our VPN.
> >
> >     > time                     protocol src_ip          src_port    dest_ip       dest_port
> >     > ---------------------------------------------------------------------------
> >     > Tue Jul 30 13:38:01 2019 UDP      136.243.xxx.xxx 21346    => 172.20.10.17  21346
> >     > Tue Jul 30 13:38:01 2019 UDP      136.243.xxx.xxx 21346    => 172.20.10.19  21346
> >
> >     I was wondering if there is a good way to block all VPN users from
> running hacker tools such as netstat (port scanning) altogether.  Is there
> a reliable way to do that with iptables?
> >
> >     I came across this snippet that should block port scans, but I'm not
> sure if that would block a VPN user after all since the VPN traffic is
> masqueraded.
> >
> >     iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
> >     iptables -A port-scan -j LOG --log-level 6 --log-prefix "port-scan: "
> >     iptables -A port-scan -j DROP
> >     iptables -A specific-rule-set -p tcp --syn -j syn-flood
> >     iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
> >
> >     Any suggestions, please?
> >     Many Thanks,
> >     Houman
> >
> >
> >
>
> --
> Noel Kuntze
> IT security consultant
>
> GPG Key ID: 0x0739AD6C
> Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
>
>
>
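Added example, not part of the thread above and not strongSwan's own code: a complete version of the hashlimit approach Noel suggests, as a shell script. It assumes a VPN client pool of 10.10.10.0/24 (the thread never states the pool; set VPN_NET to the real one) and prints the rules by default (DRY_RUN=1) so they can be reviewed before being applied as root with DRY_RUN=0. Two points the one-liner in the thread leaves out: iptables insists on --hashlimit-name, and an ACCEPT-only hashlimit rule enforces nothing on its own, because packets over the limit simply fall through to the next FORWARD rule. The chain below returns conforming NEW connections to the normal FORWARD policy and logs and drops the excess. Because FORWARD is evaluated before POSTROUTING, the srcip bucket is keyed on the client's pre-MASQUERADE VPN address, so each client gets its own counter even though the abuse report only ever shows the server's public address.

```shell
#!/bin/sh
# Added example: per-client rate limit on NEW forwarded connections from VPN
# clients, using xt_hashlimit. Not code from the strongSwan thread.
# Assumptions (not from the thread): clients get addresses from 10.10.10.0/24
# and are masqueraded on egress. Adjust VPN_NET, RATE and BURST as needed.
VPN_NET="${VPN_NET:-10.10.10.0/24}"
RATE="${RATE:-5/s}"          # sustained rate of new connections per client
BURST="${BURST:-10}"         # short burst allowed before the limit bites
NAME="${NAME:-vpn-newconn}"  # hashlimit table name; iptables requires one
CHAIN="VPN_NEWCONN"
DRY_RUN="${DRY_RUN:-1}"      # 1 = print the rules, 0 = apply them (needs root)

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

install_rate_limit() {
    ipt -N "$CHAIN" 2>/dev/null || true   # ignore "chain already exists"
    ipt -F "$CHAIN"
    # New connections within the per-source budget return to FORWARD, so the
    # normal forwarding policy still applies to them.
    ipt -A "$CHAIN" -m hashlimit --hashlimit-name "$NAME" \
        --hashlimit-mode srcip --hashlimit-srcmask 32 \
        --hashlimit-upto "$RATE" --hashlimit-burst "$BURST" -j RETURN
    # Everything above the budget is logged (itself rate-limited) and dropped.
    # Without this DROP, a RETURN/ACCEPT-only hashlimit rule limits nothing:
    # the excess just continues down the chain.
    ipt -A "$CHAIN" -m limit --limit 3/min -j LOG --log-prefix "$NAME: "
    ipt -A "$CHAIN" -j DROP
    # Only NEW connections from the VPN pool enter the chain. FORWARD runs
    # before POSTROUTING, so -s sees the client's VPN address, not the
    # masqueraded public one, and each client gets its own bucket.
    # The -D first keeps re-runs from stacking duplicate jumps.
    ipt -D FORWARD -s "$VPN_NET" -m conntrack --ctstate NEW -j "$CHAIN" 2>/dev/null || true
    ipt -I FORWARD 1 -s "$VPN_NET" -m conntrack --ctstate NEW -j "$CHAIN"
}

# Live view of the hash table once the rule is active: one line per tracked
# client with expiry, address and remaining credit.
show_buckets() {
    cat "/proc/net/ipt_hashlimit/$NAME" 2>/dev/null \
        || echo "no hashlimit table '$NAME' (rule not installed?)"
}

install_rate_limit
```

Run it with no arguments to see the seven iptables commands it would issue; `DRY_RUN=0 sh script.sh` applies them. `show_buckets` reads the kernel's table for the named limit, which is the quickest way to confirm that a scanning client is actually being throttled rather than merely matched.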