|
This message has popped up on the list a few times
over the years, but I can't find a definitive answer on the best solution for
it.
Fairly often - as in a few times an hour on a very,
very underused server - I get repeated RST packets from hosts I've recently been
talking to, but that conntrack thinks aren't part of a connection. My
rule:
iptables -A INPUT -p tcp ! --tcp-flags
FIN,SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "Stealth scan
attempt"
iptables -A INPUT -p tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP I then get multiple log entries like:
Mar 25 23:19:05 linux kernel: Stealth scan
attemptIN=eth0 OUT= MAC=00:50:2c:01:62:8e:00:20:78:d0:44:8f:08:00
SRC="" DST=192.168.1.150 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=6376
PROTO=TCP SPT=2046 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
with occasional, "related" (semantically, not
conntrack-ily) outbound traffic:
Mar 25 23:19:05 linux kernel: Rejected output by
default:IN= OUT=eth0 SRC="" DST=208.185.179.12 LEN=100 TOS=0x00
PREC=0x00 TTL=64 ID=58139 DF PROTO=TCP SPT=25 DPT=2046 WINDOW=9216 RES=0x00 ACK
PSH FIN URGP=0
Obviously these aren't genuine scans. Is
there any rule I could use that would let the RST do whatever it's trying to do
and gracefully close down the connection instead of logging it? I am
almost to the point of not bothering to log iptables output, since I'm not
entirely sure what I would do if I did see an attack anyway... but certainly,
right now, what's being logged is noise, and I'd like to improve my SNR.
Suggestions?
Jay Levitt
|
