How to ban Syn Flood Attacks using Fail2Ban?


I came up with another solution for this and it seems to be working so far. Basically, I have written a filter that scans through the log and blocks all rogue IP addresses that have been dropped for various reasons in the given findtime. So this filter will block the IPs that have been dropped due to SYN, Xmas attacks, port scans, etc. - whatever is listed in your iptables rules. In other words, it blocks the ones which keep showing up in the iptables block list for various reasons.

jail.local

[iptables-dropped]

enabled = true
filter = iptables-dropped
banaction = iptables-allports
port = all
logpath = /var/log/messages
bantime = 1800
maxretry = 3

FILTER: iptables-dropped.conf

[Definition]
failregex = IPTables Dropped: .* SRC=<HOST>
ignoreregex =

Make sure you log the dropped IPs like this in the iptables rules so the above filter works:

# log iptables denied calls (access via 'dmesg' command) to /var/log/messages file
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 5/min -j LOG --log-prefix "IPTables Dropped: " --log-level 4
iptables -A LOGGING -j DROP

The above seems to work for me.


Author: Neel

Updated on September 18, 2022

Comments

  • Neel almost 2 years

    In my log, I am frequently seeing dropped IPs like this:

    > Oct 30 17:32:24 IPTables Dropped: IN=eth0 OUT=
    > MAC=04:01:2b:bd:b0:01:4c:96:14:ff:df:f0:08:00 SRC=62.210.94.116
    > DST=128.199.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=45212
    > PROTO=TCP SPT=51266 DPT=5900 WINDOW=1024 RES=0x00 SYN URGP=0
    > 
    > Oct 30 17:29:57 Debian kernel: [231590.140175] IPTables Dropped:
    > IN=eth0 OUT= MAC=04:01:2b:bd:b0:01:4c:96:14:ff:ff:f0:08:00
    > SRC=69.30.240.90 DST=128.199.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=245
    > ID=12842 DF PROTO=TCP SPT=18534 DPT=8061 WINDOW=512 RES=0x00 SYN
    > URGP=0
    

    From the above, I am assuming these are the SYN floods that are being dropped by my iptables rules. This is what I have in iptables for SYN (although I'm not sure which one of these rules is dropping the ones above):

    # Drop bogus TCP packets
    iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
    
    # --- Common Attacks: Null packets, XMAS Packets and Syn-Flood Attack ---
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    

    In Fail2ban, I don't see any specific filter for SYN attacks in the filter.d folder. My questions for this are:

    1) Do I just ignore the above logs and not worry about setting up a Fail2Ban filter for these, since it's the internet and there are constantly going to be script kiddies doing these anyway?

    2) Since Fail2ban works based on the iptables log, is there a way to ban the above SYN attempts on my server?

    This is my lame attempt at a filter and it's not working. Not sure if it's even valid:

    [Definition]
    failregex = ^<HOST> -.*IPTables Dropped:.*SYN URGP=0
    ignoreregex =
    

    I am using Debian + Nginx

    • kasperd over 9 years
      Whether something is a SYN flood or not doesn't depend on what the individual packets look like; rather, it depends on how many SYN packets there are. A typical SYN flood would use a spoofed source IP, but by dropping the packets you have made it impossible for yourself to know whether the source IP was spoofed or not. Only sending a reply back to the source IP and observing how it reacts will tell you if the source was spoofed. If you do blacklist IPs based on packets that could have been spoofed, you are making yourself more vulnerable to DoS attacks.
  • NineCattoRules over 8 years
    Instead, why don't you use the [recidive] rule in jail.conf?
  • IronEagle about 3 years
    Some Linux distributions no longer use /var/log/messages; look through the various files in /var/log to see which contains the "IPTables Dropped:" messages and use that instead. I ended up with logpath = /var/log/kern.log.
  • Dave M about 2 years
    This does not really answer the question. If you have a different question, you can ask it by clicking Ask Question. To get notified when this question gets new answers, you can follow this question. Once you have enough reputation, you can also add a bounty to draw more attention to this question. - From Review
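As an added example (not code from the answer, the question, or the fail2ban project), the following Python script replays constructed kernel log lines, modelled on the ones quoted in the question, through a simplified model of fail2ban's filter and jail logic. It covers two things from this page: the answer's iptables-dropped failregex together with its maxretry = 3 and fail2ban's default 600-second findtime, and why the question's "^<HOST> -" attempt never matches a kernel log line. The <HOST> expansion is an IPv4-only simplification of fail2ban's real one, the year added to the syslog timestamps is assumed (syslog lines carry none), and all addresses and MACs are documentation ranges.

```python
"""Simulate how the iptables-dropped jail from the answer would treat
kernel log lines. Added example, not fail2ban's own code: <HOST> is an
IPv4-only stand-in, and the date handling only mimics fail2ban's habit
of stripping the timestamp before failregex is applied."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified stand-in for fail2ban's <HOST> tag (IPv4 only).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
# Leading syslog timestamp, e.g. "Oct 30 17:29:57 ".
SYSLOG_DATE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")

ANSWER_FAILREGEX = r"IPTables Dropped: .* SRC=<HOST>"            # from the answer
QUESTION_FAILREGEX = r"^<HOST> -.*IPTables Dropped:.*SYN URGP=0"  # from the question

# Constructed sample log, modelled on the lines quoted in the question.
# 192.0.2.10 is dropped three times within ten minutes; 203.0.113.7 twice,
# nine minutes apart; the last line is unrelated kernel noise.
MAC = "MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00"
SAMPLE_LOG = "\n".join([
    f"Oct 30 17:29:57 Debian kernel: [231590.140175] IPTables Dropped: IN=eth0 OUT= {MAC} SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=12842 DF PROTO=TCP SPT=18534 DPT=8061 WINDOW=512 RES=0x00 SYN URGP=0",
    f"Oct 30 17:30:12 Debian kernel: [231605.001122] IPTables Dropped: IN=eth0 OUT= {MAC} SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=12843 DF PROTO=TCP SPT=18535 DPT=5900 WINDOW=512 RES=0x00 SYN URGP=0",
    f"Oct 30 17:31:03 Debian kernel: [231656.220000] IPTables Dropped: IN=eth0 OUT= {MAC} SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    f"Oct 30 17:32:24 Debian kernel: [231737.110000] IPTables Dropped: IN=eth0 OUT= {MAC} SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=12844 DF PROTO=TCP SPT=18536 DPT=3389 WINDOW=512 RES=0x00 SYN URGP=0",
    f"Oct 30 17:40:00 Debian kernel: [232193.000000] IPTables Dropped: IN=eth0 OUT= {MAC} SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Oct 30 17:40:01 Debian kernel: [232194.000000] nf_conntrack: table full, dropping packet",
])


def compile_failregex(failregex):
    """Expand <HOST> into a named group and compile, as fail2ban does."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_line(line):
    """Return (timestamp, remainder) or None for lines without a date.

    fail2ban removes the matched date before failregex is applied, so the
    remainder here starts with "Debian kernel: ...", never with an address.
    """
    m = SYSLOG_DATE.match(line)
    if not m:
        return None
    # Syslog lines carry no year; 2022 is an assumed value for the example.
    ts = datetime.strptime("2022 " + m.group("date"), "%Y %b %d %H:%M:%S")
    return ts, line[m.end():]


def find_failures(failregex, log_text):
    """List of (timestamp, host) for every log line failregex matches."""
    matcher = compile_failregex(failregex)
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, rest = parsed
        m = matcher.search(rest)
        if m:
            hits.append((ts, m.group("host")))
    return hits


def hosts_to_ban(hits, maxretry=3, findtime=600):
    """Apply the jail's counting rule: a host is banned once it has
    maxretry failures inside any findtime-second window. The answer's
    jail sets maxretry = 3 and inherits fail2ban's default findtime of 600 s."""
    window = defaultdict(deque)
    banned = []
    for ts, host in sorted(hits):
        recent = window[host]
        recent.append(ts)
        while (ts - recent[0]).total_seconds() > findtime:
            recent.popleft()
        if len(recent) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    answer_hits = find_failures(ANSWER_FAILREGEX, SAMPLE_LOG)
    print("answer filter matched:", answer_hits)
    print("hosts the jail would ban:", hosts_to_ban(answer_hits))
    print("question filter matched:", find_failures(QUESTION_FAILREGEX, SAMPLE_LOG))
```

Running the script prints five matches for the answer's filter, a ban list containing only 192.0.2.10 (three drops inside ten minutes; 203.0.113.7 has two, nine minutes apart), and an empty match list for the question's regex, because the line that remains after fail2ban strips the timestamp begins with the hostname and "kernel:", not with an address followed by " -". One further point the simulation makes visible: only packets that reach the LOGGING chain produce a log line at all, so packets matched by the plain "-j DROP" rules listed in the question are dropped without fail2ban ever seeing them.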