Re: [strongSwan] How to block Netstat attacks from VPN users?

2019-07-30 Thread Houman
Sorry I mistyped. I meant Netscan.

The abuse message was saying: *NetscanOutLevel: Netscan detected from xx.xx.xx.xx*

It is possible, though, that VPN users run a netscan and scan the ports.
Am I correct?

Thanks,

On Tue, 30 Jul 2019 at 15:30, Thor Simon  wrote:

> I don't think netstat does what you think it does.  It is a _local_ tool.
> Perhaps the "abuse notification" you received is a phishing attack?
>
> Have a look at the manual page:
>
> http://manpages.ubuntu.com/manpages/trusty/man8/netstat.8.html
>
> 
> From: Houman 
> Sent: Jul 30, 2019 10:18 AM
> To: users@lists.strongswan.org
> Subject: [strongSwan] How to block Netstat attacks from VPN users?
>
> Hello,
>
> I had an interesting abuse notification that someone has run a netstat
> through our VPN.
>
> > time protocol src_ip src_port dest_ip dest_port
> > ---
> > Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 =>172.20.10.17 21346
> > Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 =>172.20.10.19 21346
>
> I was wondering if there is a good way to block all VPN users from running
> hacker tools such as netstat (port scanning) altogether.  Is there a
> reliable way to do that with iptables?
>
> I came across this snippet that should block port scans, but I'm not sure
> if that would block a VPN user after all since the VPN traffic is
> masqueraded.
>
> # user-defined chains have to exist before rules can be appended to them
> iptables -N port-scan
> iptables -N syn-flood
> iptables -N specific-rule-set
> iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
> # --log-level belongs to the LOG target; DROP takes no logging options
> iptables -A port-scan -j LOG --log-level 6 --log-prefix "port-scan: "
> iptables -A port-scan -j DROP
> iptables -A specific-rule-set -p tcp --syn -j syn-flood
> iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
> # specific-rule-set still has to be reached from INPUT or FORWARD to have any effect
>
> Any suggestions, please?
> Many Thanks,
> Houman
>


Re: [strongSwan] How to block Netstat attacks from VPN users?

2019-07-30 Thread Thor Simon
I don't think netstat does what you think it does.  It is a _local_ tool.  
Perhaps the "abuse notification" you received is a phishing attack?

Have a look at the manual page:

http://manpages.ubuntu.com/manpages/trusty/man8/netstat.8.html


From: Houman 
Sent: Jul 30, 2019 10:18 AM
To: users@lists.strongswan.org
Subject: [strongSwan] How to block Netstat attacks from VPN users?

Hello,

I had an interesting abuse notification that someone has run a netstat through 
our VPN.

> time protocol src_ip src_port dest_ip dest_port
> ---
> Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 =>172.20.10.17 21346
> Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 =>172.20.10.19 21346

I was wondering if there is a good way to block all VPN users from running 
hacker tools such as netstat (port scanning) altogether.  Is there a reliable 
way to do that with iptables?

I came across this snippet that should block port scans, but I'm not sure if 
that would block a VPN user after all since the VPN traffic is masqueraded.

# user-defined chains have to exist before rules can be appended to them
iptables -N port-scan
iptables -N syn-flood
iptables -N specific-rule-set
iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
# --log-level belongs to the LOG target; DROP takes no logging options
iptables -A port-scan -j LOG --log-level 6 --log-prefix "port-scan: "
iptables -A port-scan -j DROP
iptables -A specific-rule-set -p tcp --syn -j syn-flood
iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
# specific-rule-set still has to be reached from INPUT or FORWARD to have any effect

Any suggestions, please?
Many Thanks,
Houman

[strongSwan] How to block Netstat attacks from VPN users?

2019-07-30 Thread Houman
Hello,

I had an interesting abuse notification that someone has run a
netstat through our VPN.

> time protocol src_ip src_port dest_ip dest_port
> ---
> Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 =>172.20.10.17 21346
> Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 =>172.20.10.19 21346

I was wondering if there is a good way to block all VPN users from running
hacker tools such as netstat (port scanning) altogether.  Is there a
reliable way to do that with iptables?

I came across this snippet that should block port scans, but I'm not sure
if that would block a VPN user after all since the VPN traffic is
masqueraded.

# user-defined chains have to exist before rules can be appended to them
iptables -N port-scan
iptables -N syn-flood
iptables -N specific-rule-set
iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
# --log-level belongs to the LOG target; DROP takes no logging options
iptables -A port-scan -j LOG --log-level 6 --log-prefix "port-scan: "
iptables -A port-scan -j DROP
iptables -A specific-rule-set -p tcp --syn -j syn-flood
iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
# specific-rule-set still has to be reached from INPUT or FORWARD to have any effect

Any suggestions, please?
Many Thanks,
Houman
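Added example, not part of the thread and not strongSwan's own code. Two points from the question are worth showing in working rules. First, masquerading does not hide VPN clients from the firewall: MASQUERADE is applied in nat/POSTROUTING, after the filter/FORWARD decision, so a rule in FORWARD still sees the client's pool address and can limit each client separately. Second, the snippet quoted in the thread matches packets that have only RST set (the replies of scanned hosts, not the probes) and only TCP, while the abuse report shows UDP packets walking through 172.20.10.x on one port. The script below therefore counts NEW connection-tracking entries of any protocol per source address with the hashlimit match, and logs and drops a client that opens more new flows than the threshold allows. Assumed, not from the page: the pool 10.10.10.0/24 (use the value of rightsourceip or your own pool), the chain name VPN-SCAN-DROP, the variable names, and that iptables with the conntrack, hashlimit, policy and limit matches is installed on the gateway.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread or from strongSwan).
# Per-client limit on new flows forwarded out of the VPN, placed in
# filter/FORWARD. MASQUERADE runs later, in nat/POSTROUTING, so at this
# point the source address is still the client's pool address.
# Constructed assumptions: pool 10.10.10.0/24, chain name VPN-SCAN-DROP,
# iptables with conntrack, hashlimit, policy and limit matches available.
set -eu

IPT="${IPT:-iptables}"                # IPT=echo prints the commands instead of loading them
VPN_POOL="${VPN_POOL:-10.10.10.0/24}" # placeholder pool; match your rightsourceip setting
RATE="${RATE:-60/minute}"             # new flows per client above which we log and drop
BURST="${BURST:-60}"                  # bucket size, lets a client open this many flows at once

install_vpn_scan_rules() {
    # Chain that records the offending client and discards the packet.
    # The limit match keeps the scan itself from flooding the log.
    $IPT -N VPN-SCAN-DROP 2>/dev/null || $IPT -F VPN-SCAN-DROP
    $IPT -A VPN-SCAN-DROP -m limit --limit 5/minute -j LOG \
         --log-prefix "vpn-scan: " --log-level 6
    $IPT -A VPN-SCAN-DROP -j DROP

    # Only packets that arrived inside an IPsec SA (-m policy --dir in) and
    # carry a pool source address are inspected, so other forwarded traffic
    # is untouched. Every NEW conntrack entry, TCP, UDP or ICMP, counts
    # against a bucket keyed on the source address, so a sweep over many
    # hosts on one UDP port (as in the abuse report) exceeds the rate just
    # as a TCP port sweep against a single host does.
    $IPT -I FORWARD 1 -s "$VPN_POOL" -m policy --dir in --pol ipsec \
         -m conntrack --ctstate NEW \
         -m hashlimit --hashlimit-name vpn-scan --hashlimit-mode srcip \
         --hashlimit-above "$RATE" --hashlimit-burst "$BURST" \
         -j VPN-SCAN-DROP
}

# Print the rules instead of loading them, for review before deployment.
dry_run() {
    ( IPT=echo; install_vpn_scan_rules )
}

# Load the rules for real when the script is run directly as root.
if [ "${1:-}" = "--install" ]; then
    install_vpn_scan_rules
else
    dry_run
fi
```

Run it without arguments to see the four iptables commands it would issue, and with `--install` as root to load them. The threshold is the part that needs tuning: a browsing client opens many short TCP flows per minute, so start with the rate well above normal usage, or temporarily replace the DROP with a second LOG rule and watch the `vpn-scan:` lines for a day before enforcing. Once the bucket refills the client is allowed to open new flows again; established flows are never touched because only NEW conntrack entries are counted.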