On Tue, 2003-10-21 at 11:47, James Miller wrote:

> > Nessus is always alerting on "Remote host does not discard TCP SYN packets
> > which have the FIN flag set". What is the best way to close up this hole?

One of the nice things you get with iptables over many commercial offerings
is the flexibility to deal with stuff like this. ;-)

> something like '-p tcp --tcp-flags SYN,FIN -j DROP'

Here is what I do:

# Log, then reject, TCP packets arriving on eth0 whose flag combination
# matches a scan signature. "--tcp-flags ALL <set>" examines every flag bit
# and matches only when exactly the listed flags are set.
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN,ACK -j LOG --log-prefix " SYNACK "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN,ACK -j REJECT --reject-with icmp-host-unreachable
# SYN and FIN set together: the combination the Nessus finding refers to.
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN,FIN -j LOG --log-prefix " SYNFINSCAN "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL SYN,FIN -j REJECT --reject-with icmp-host-unreachable
# FIN alone, with no ACK (a bare FIN never occurs on a legitimate connection).
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL FIN -j LOG --log-prefix " FINSCAN "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL FIN -j REJECT --reject-with icmp-host-unreachable
# No flags at all ("null" scan).
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL NONE -j LOG --log-prefix " NULLSCAN "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL NONE -j REJECT --reject-with icmp-host-unreachable
# FIN, PSH and URG set together ("Xmas" scan).
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL FIN,PSH,URG -j LOG --log-prefix " NMAPXMAS "
iptables -A FORWARD -i eth0 -p tcp --tcp-flags ALL FIN,PSH,URG -j REJECT --reject-with icmp-host-unreachable

I prefix these traffic patterns to make them easier to parse out of the
logs, and then reject the traffic with a host unreachable. I like using
type 3's rather than drops as it confuses the scanner on the other end and
many times shuts it down (ie. scanner gives up thinking the host is not
on-line).

HTH,
C
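As an added example that is not part of the thread: the point of the " NAME " log prefixes above is that they are easy to pull out of the kernel log afterwards, so here is a small POSIX shell/awk script that does exactly that, summarising which source hit which destination with which scan pattern. The log lines are constructed to match the shape iptables LOG produces; the addresses and the host name "fw" are made up.

```shell
#!/bin/sh
# Constructed sample kernel log lines (not captured traffic), in the shape the
# LOG rules above produce: the " NAME " prefix sits right after "kernel:".
SAMPLE_LOG='Oct 21 11:52:03 fw kernel:  SYNFINSCAN IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=22 SYN FIN URGP=0
Oct 21 11:52:03 fw kernel:  SYNFINSCAN IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=80 SYN FIN URGP=0
Oct 21 11:52:04 fw kernel:  NULLSCAN IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=61000 DPT=25 URGP=0
Oct 21 11:52:09 fw kernel:  NMAPXMAS IN=eth0 OUT=eth1 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP SPT=40000 DPT=139 URG PSH FIN URGP=0
Oct 21 11:53:10 fw kernel:  ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.11 PROTO=TCP SPT=50000 DPT=80 SYN URGP=0'

# Read kernel log lines on stdin; print "count prefix src dst" for every
# (scan prefix, source, destination) tuple, most frequent first. Lines with
# other prefixes (e.g. an ACCEPT log rule) are ignored.
summarize_scans() {
    awk '
        /kernel: +(SYNACK|SYNFINSCAN|FINSCAN|NULLSCAN|NMAPXMAS) / {
            prefix = ""; src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(SYNACK|SYNFINSCAN|FINSCAN|NULLSCAN|NMAPXMAS)$/) { prefix = $i }
                if ($i ~ /^SRC=/) { src = substr($i, 5) }
                if ($i ~ /^DST=/) { dst = substr($i, 5) }
            }
            count[prefix " " src " " dst]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Number of distinct sources that triggered any of the scan rules.
scan_sources() {
    summarize_scans | awk '{ print $3 }' | sort -u | grep -c .
}

printf '%s\n' "$SAMPLE_LOG" | summarize_scans
```

On a real box, feed it the kernel log instead of the sample, e.g. `grep kernel: /var/log/messages | summarize_scans` (path is an assumption; it varies by distribution and syslog setup).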