Hello Houman,

A "netscan" attack isn't actually anything worthy of an abuse email. It's not part of a benign usage pattern of a VPN service, but it itself isn't illegal or anything. You can only slow down such scans by rate limiting the number of new connections using the hashlimit match module, for example.

E.g.

    -A FORWARD -m conntrack --ctstate NEW -m hashlimit --hashlimit-name vpn-new --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto 5/s -j ACCEPT

Kind regards
Noel

On 30.07.19 at 16:39, Houman wrote:
> Sorry I mistyped. I meant Netscan.
>
> The abuse message was saying: *NetscanOutLevel: Netscan detected from
> xx.xx.xx.xx*
>
> This is possible though, that VPN users run a netscan and scan the ports. Am
> I correct?
>
> Thanks,
>
> On Tue, 30 Jul 2019 at 15:30, Thor Simon <thor.si...@twosigma.com> wrote:
>
> I don't think netstat does what you think it does. It is a _local_ tool.
> Perhaps the "abuse notification" you received is a phishing attack?
>
> Have a look at the manual page:
>
> http://manpages.ubuntu.com/manpages/trusty/man8/netstat.8.html
>
> ________________________________
> From: Houman <hou...@gmail.com>
> Sent: Jul 30, 2019 10:18 AM
> To: users@lists.strongswan.org
> Subject: [strongSwan] How to block Netstat attacks from VPN users?
>
> Hello,
>
> I had an interesting abuse notification that someone has run a netstat
> through our VPN.
>
> time protocol src_ip src_port dest_ip dest_port
> ---------------------------------------------------------------------------
> Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 => 172.20.10.17 21346
> Tue Jul 30 13:38:01 2019 UDP 136.243.xxx.xxx 21346 => 172.20.10.19 21346
>
> I was wondering if there is a good way to block all VPN users from
> running hacker tools such as netstat (port scanning) altogether. Is there a
> reliable way to do that with iptables?
>
> I came across this snippet that should block port scans, but I'm not sure
> if that would block a VPN user after all since the VPN traffic is masqueraded.
>
> iptables -N port-scan
> iptables -N syn-flood
> iptables -N specific-rule-set
> iptables -A port-scan -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j RETURN
> iptables -A port-scan -j LOG --log-level 6
> iptables -A port-scan -j DROP
> iptables -A specific-rule-set -p tcp --syn -j syn-flood
> iptables -A specific-rule-set -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scan
>
> Any suggestions, please?
> Many Thanks,
> Houman

--
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
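A fuller version of the hashlimit approach Noel describes, as an added example that is not from the thread or the strongSwan project: it keeps the per-client limit in a dedicated chain so that excess connection attempts are logged and dropped instead of falling through, and it matches in FORWARD, where the source address is still the client's inner VPN address because the MASQUERADE step in nat/POSTROUTING runs later, which addresses Houman's concern about masquerading. The VPN pool 10.10.0.0/16, the chain name VPN_NEWCONN and the rates are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumptions, all
# constructed: strongSwan assigns VPN clients addresses from 10.10.0.0/16
# and the gateway masquerades them towards the internet. Adjust to taste.
VPN_POOL="${VPN_POOL:-10.10.0.0/16}"
RATE="${RATE:-5/s}"    # sustained NEW connections allowed per client
BURST="${BURST:-20}"   # headroom for bursts such as a page load

# Print the rules rather than applying them, so they can be reviewed.
# FORWARD is evaluated before MASQUERADE in nat/POSTROUTING, so the
# source address is still the client's inner pool address and
# --hashlimit-mode srcip keys the limit per VPN client even though the
# outside only ever sees the gateway's public IP. --ctstate NEW counts
# connection attempts only; established flows are untouched.
# --hashlimit-name is mandatory; it names the bucket table under /proc.
build_rules() {
    cat <<EOF
iptables -N VPN_NEWCONN
iptables -A VPN_NEWCONN -m hashlimit --hashlimit-name vpn_newconn --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-upto $RATE --hashlimit-burst $BURST -j RETURN
iptables -A VPN_NEWCONN -m limit --limit 6/min -j LOG --log-prefix "VPN_NEWCONN drop: " --log-level 6
iptables -A VPN_NEWCONN -j DROP
iptables -I FORWARD 1 -s $VPN_POOL -m conntrack --ctstate NEW -j VPN_NEWCONN
EOF
}

# Apply the generated rules; needs root and iptables on the gateway.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    build_rules | sh -e
}

# Number of generated rules containing a token, used for self-checks.
count_rules_with() {
    build_rules | grep -c -- "$1"
}

case "${1:-}" in
    --apply) apply_rules ;;
    *) build_rules ;;
esac
```

Packets within the limit RETURN to FORWARD and are handled by whatever rules already accept VPN traffic there; only attempts above the limit are dropped, so a scan is throttled rather than blocked outright, and the log prefix lets you spot which client is hitting the limit.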