Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
...
iptables -N bad_tcp
iptables -A bad_tcp -j LOG --log-level DEBUG --log-prefix "NO SYN -- DROP: "
iptables -A bad_tcp -j DROP
iptables -N tcp_chain
iptables -A tcp_chain -p tcp ! --syn -m state --state NEW -j bad_tcp
iptables -A tcp_chain -p tcp -m tcp --syn -m multiport --dports 443,80,53 -j ACCEPT
iptables -A tcp_chain -p tcp -m tcp --syn --dport 22 -j ssh_chain
iptables -A tcp_chain -j LOG --log-level DEBUG --log-prefix "DROP -- TCP: "
iptables -A tcp_chain -j DROP
...
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
...
iptables -A INPUT -p tcp -j tcp_chain
iptables -A INPUT -p udp -j udp_chain
iptables -A INPUT -p icmp -j icmp_chain
The machine is a busy web server, and such packets appear regularly. Besides the ACK/FIN packets (as above), I've also seen ACK/RST, RST, and ACK packets which have been similarly logged.
The thing I'm trying to figure out is how the packet made it so far down the rules.
The packets cannot be any of NEW, ESTABLISHED, or RELATED -- if they
were either of the last two, they would be accepted; and if they were NEW, then since they're not SYN, they would be rejected by an earlier rule. So, this leads me to think that all such packets are INVALID.
not really sure what extra detail you're after, but unless there's some obscene load on the box or the network elsewhere which could be causing packets to go awol, then yes they look dubious... are you maybe seeing retransmissions get through? does the packet match a live connection at that time? not too sure the best way to find that... sounds painful unless you've somethign predictable or identifiable to narrow it down to.
oh i think i see the question now... why do packets reach that "DROP" log as opposed to the earlier "NO SYN"? that "NO SYN" rule won't ever match as "NEW" = syn, so p match of not a syn but a new packet will never occur.
Thanks for all your responses. To address some of your questions, the source IP address of those packets correspond to addresses requesting web pages around that time. It appears that certain clients continue to send packets for as long as 10 minutes after requesting their last web page. The large number of these packets gave me a scare, but I feel better after reading this. According to the data there, 10% of clients are faulty.
MSIE, MSIE, ...
Actually how did they really determine that the client is faulty ? It would be good to go on with analysis.
Quote:
"NEW" = syn
I'm not using iptables so I'm not sure of the terminology but are you sure this is the case?
If I send a syn/ack or fin/ack as the first packet, will it be NEW? I guess yes? And --syn means SYN&&!FIN&&!RST&!ACK so that's a bit different.
And then if I'm correct, the rule !syn should match new packets wich are without syn or with any other flag up.
Actually how did they really determine that the client is faulty ?
Not sure about that, but something's going on. In less than 4.5 days, I have more than 13,700 packets logged with "DROP -- TCP: " and destined for port 80.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.