Home / server / Questions / 640873
Accepted
Neel
Asked: 2014-10-31 05:39:32 +0800 CST

How to ban Syn Flood Attacks using Fail2Ban?

  • 772

In my log, I am frequently seeing dropped ips like this:

> Oct 30 17:32:24 IPTables Dropped: IN=eth0 OUT=
> MAC=04:01:2b:bd:b0:01:4c:96:14:ff:df:f0:08:00 SRC=62.210.94.116
> DST=128.199.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=45212
> PROTO=TCP SPT=51266 DPT=5900 WINDOW=1024 RES=0x00 SYN URGP=0
> 
> Oct 30 17:29:57 Debian kernel: [231590.140175] IPTables Dropped:
> IN=eth0 OUT= MAC=04:01:2b:bd:b0:01:4c:96:14:ff:ff:f0:08:00
> SRC=69.30.240.90 DST=128.199.xxx.xxx LEN=40 TOS=0x00 PREC=0x00 TTL=245
> ID=12842 DF PROTO=TCP SPT=18534 DPT=8061 WINDOW=512 RES=0x00 SYN
> URGP=0

From the above, I am assuming these are the Syn flood that are being dropped by my IpTables rules. This is what I have in iptables for Syn (although not sure which one of these rules are dropping the ones above):

# Drop bogus TCP packets
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

# --- Common Attacks: Null packets, XMAS Packets and Syn-Flood Attack ---
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

In Fail2ban, I dont see any specific filter for Syn attacks in filter.d folder. My question for this are:

1) Do I just ignore the above logs and not worry about setting up a Fail2Ban filter for these since its internet and there is constantly going to be script kiddies doing these anyways?

2) Since Fail2ban work based on iptables log, is there a way to ban the above Syn attempts on my server?

This is my lame attempt on a filter and its not working. Not sure if its even valid:

[Definition]
failregex = ^<HOST> -.*IPTables Dropped:.*SYN URGP=0
ignoreregex =

I am using Debian + Nginx

debian

3 Answers

  1. Best Answer

    I came up with another solution for this and it seems to be working so far. Basically, I have written a filter that scans through the log and block all rogue IP addresses that has been dropped for various reasons in the given findtime. So this filter will block the IPs that has been dropped due to Syn, Xmas attacks, Port scan, etc. - whatever is listed in your iptables rules. In order words, it blocks the ones which keeps showing up in iptables block list for various reasons.

    Jail.local

    [iptables-dropped]

enabled = true
filter = iptables-dropped
banaction = iptables-allports
port = all
logpath = /var/log/messages
bantime = 1800
maxretry = 3

    FILTER: iptables-dropped.conf

    [Definition]
failregex = IPTables Dropped: .* SRC=<HOST>
ignoreregex =

    Make sure you log the dropped IPs like this in the iptables rules so the above filter works:

    # log iptables denied calls (access via 'dmesg' command) to /var/log/messages file
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 5/min -j LOG --log-prefix "IPTables Dropped: " --log-level 4
iptables -A LOGGING -j DROP

    The above seems to work for me.

    • 5

  2. Super fail2ban filter!! It works like a charm. Thanks a lot!

    Anyway, I recommend to edit the fail2ban filter modifying the regex in this way:

    failregex = ^%(__prefix_line)slost connection after .*\[<HOST>\]$
            ^%(__prefix_line)stoo many errors after .*\[<HOST>\]$
    • 0

  3. Can you please give me a little hand? How can I use a SYN filter by having installed nftables instead of iptables?

    • -1