i am trying to figure out how to achieve something am not sure is achievable and need help. I did my research but couldnt find credible information. Hope this question is not duplicate.
SET UP:
I am using iptables as my firewall to block malicious ip activity.
currently i am manually writing the entries in a file and then execute with iptables-restore < /etc/iptables/rules
.
Within those rules i have one that logs every inbound connection -A INPUT -m state --state NEW -j LOGALL
.
I have also set up apache to log ip that connect to the webpages. (different logs for each page, and different log file for iptables)
PROBLEM: I get numerous iptables logs of this kind:
Apr 4 14:52:18 kernel: [53326.219105] LOGALL IN=eth0 OUT= MAC=xxxxxxxxxxxx SRC=174.111.111.206 DST=192.168.1.5 LEN=44 TOS=0x00 PREC=0x00 TTL=244 ID=40132 PROTO=TCP SPT=179 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 4 14:53:27 kernel: [53395.130551] LOGALL IN=eth0 OUT= MAC=xxxxxxxxxxxx SRC=45.146.164.211 DST=192.168.1.5 LEN=44 TOS=0x04 PREC=0x00 TTL=247 ID=26977 PROTO=TCP SPT=55172 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
from thousands of different IPs per day.
I can tell from the LOG that they only send a SYN
packet.
I have used Wireshark to inspect the traffic and what i can tell is most dont answer after my server responds with SYN,ACK
54215 187.717006840 180.234.40.115 192.168.1.5 TCP 60 56412 ? 443 [SYN] Seq=0 Win=5840 Len=0 MSS=1460
54216 187.717251257 192.168.1.5 180.234.40.115 TCP 58 443 ? 56412 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460
54411 188.716638340 192.168.1.5 180.234.40.115 TCP 58 [TCP Retransmission] 443 ? 56412 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460
I have tried many differnt ways with iptables to limit those SYN
only packets. But those connections are not SYN floods attacks (i have limited SYN connections), but probably some crawlers and scans. I also tried https://inai.de/documents/Chaostables.pdf which gave me a lot of hope....but it didnt work or i cant get it to work.
I have also looked into fail2ban (havent used it yet), but since i write the entries to iptables myself and execute with iptables-restore < /etc/iptables/rules
, and failt2ban uses iptables too, i dont know how would both work together.
QUESTION:
Is it possible to block IPs that show up in iptables's LOG file but do NOT show in apache LOG files? (for me that would mean the IP did not come to my server to open the webpage, thus is doing smth else)
example: 1.1.1.1 IP opens my webpage, meaning there will be LOG in iptables and in apache. BUT if that 1.1.1.1 IP only sends SYN
packet to port 443, only iptables LOG will show that -> block that ip?
I hope i have been clear enough. Any help would be appreciated. Thank you