
Blacklisting port-scanner via iptables

Writer Sophia Terry

I operate a VPN server and am having issues with DDoS attackers port-scanning my VPN for open ports to flood. I need a rule that will blacklist them after they have contacted X ports in Y seconds, so if they DO find one of my open ports, the server will not reply to them.

All the other rules I have tried have done one or more of the following:

Forced the VPN to send RST packets instead of dropping traffic to ports that have no services (I drop packets instead of refusing so port-scans take longer)
Did not correctly blacklist them from accessing my open ports
Added my open ports to the list of ports that will cause an IP to get blacklisted (I do NOT want the ports hosting services to have ANY chance of adding an IP to the blacklist. I do, however, want these ports to DROP traffic to BLACKLISTED IPs only)

Example of solution: 1.1.1.1 is the attacker and 2.2.2.2 is my server. 2.2.2.2 has port 777 open

1.1.1.1 -> 2.2.2.2:1 # dropped because I don't have a service on this port
1.1.1.1 -> 2.2.2.2:13 # dropped because I don't have a service on this port
1.1.1.1 -> 2.2.2.2:60 # dropped because I don't have a service on this port
1.1.1.1 -> 2.2.2.2:14 # dropped because I don't have a service on this port
1.1.1.1 -> 2.2.2.2:11 # dropped because I don't have a service on this port
1.1.1.1 -> 2.2.2.2:17 # THIS will trigger the blacklist system, blocking ALL from 1.1.1.1 for 1 hour

1.1.1.1 -> 2.2.2.2:777 # dropped because of the blacklist, regardless of the port being open

1 Answer

Figured it out by myself. These are the rules that work best for me:

iptables -N LOGPSCAN
# Let the first 2000 SYNs per hour pass back to INPUT. Note that "-m limit" is one
# global token bucket shared by every source address, not a per-source counter.
iptables -A LOGPSCAN -p tcp --syn -m limit --limit 2000/hour -j RETURN
# Beyond that budget, log the SYNs (at most 200 log lines per hour) ...
iptables -A LOGPSCAN -m limit --limit 200/hour -j LOG --log-prefix "DROPPED Port scan: "
# ... and drop them without sending a RST
iptables -A LOGPSCAN -j DROP
# Route every incoming SYN through the chain
iptables -A INPUT -p tcp --syn -j LOGPSCAN

Because there is no reason (in my circumstance) for a single host to send SYN to 200 ports in one hour, we can stop replying to SYN from any host violating this policy for the rest of the hour :D

Note: You may have to increase or decrease the threshold depending on how many services your server is hosting.

1
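The rule set the question actually asks for (a per-source count of probes to closed ports, a ban on every port once the threshold is reached, and service ports that never count toward it), written with the xt_recent match so that each source address is tracked on its own. This is an added example and is not part of the question or the answer above; it does not reuse the answer's `-m limit` rules, because `-m limit` is a single token bucket shared by all sources and cannot single out one scanner. The service ports (TCP 777, UDP 1194), the threshold (6 SYNs to closed ports within 60 s) and the ban length (3600 s) are assumptions to be changed for your host. The function only prints the commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not the original poster's rules. It uses the xt_recent match
# ("-m recent"), which keeps a timestamp list per source address, so each
# scanner is counted on its own. "-m limit" (used in the answer above) is one
# token bucket shared by every source and cannot tell one host from another.
#
# Assumed (hypothetical, change for your host): services on TCP 777 and
# UDP 1194; 6 SYNs to closed TCP ports within 60 s trigger the ban; the ban
# lasts 3600 s. Needs iptables with the recent, conntrack, limit and LOG
# extensions, which mainstream Linux distributions ship.

OPEN_TCP="${OPEN_TCP:-777}"   # TCP ports with a service, space separated
OPEN_UDP="${OPEN_UDP:-1194}"  # UDP ports with a service, space separated
HITS="${HITS:-6}"             # closed-port SYNs that trigger the ban (<= ip_pkt_list_tot, default 20)
WINDOW="${WINDOW:-60}"        # seconds those SYNs must fall within
BAN="${BAN:-3600}"            # seconds a banned source is dropped on every port

# Print the rule set one command per line so it can be reviewed first:
#   portscan_rules        # review
#   portscan_rules | sh   # apply, as root, on a host with an empty INPUT chain
portscan_rules() {
    # Entered once per ban event: log it (limited so a flood cannot fill the
    # log), put the source on the BLACKLIST list, and drop the packet.
    echo "iptables -N PORTSCAN_BAN"
    echo "iptables -A PORTSCAN_BAN -m limit --limit 10/minute -j LOG --log-prefix PORTSCAN_BAN:"
    echo "iptables -A PORTSCAN_BAN -m recent --name BLACKLIST --set -j DROP"

    # Reached only by SYNs to closed ports: record a timestamp for the source
    # in the SCAN list, then ban it once it has HITS timestamps inside WINDOW
    # seconds. Either way the SYN is dropped, not rejected, so no RST goes out.
    echo "iptables -N PORTSCAN_CHECK"
    echo "iptables -A PORTSCAN_CHECK -m recent --name SCAN --set"
    echo "iptables -A PORTSCAN_CHECK -m recent --name SCAN --rcheck --seconds $WINDOW --hitcount $HITS -j PORTSCAN_BAN"
    echo "iptables -A PORTSCAN_CHECK -j DROP"

    # Order in INPUT is the whole point: the blacklist check comes before the
    # service-port accepts, so a banned source is dropped on 777 as well, and
    # the service-port accepts come before PORTSCAN_CHECK, so a SYN to a
    # service port can never add anyone to the list. --rcheck does not refresh
    # the timestamp, so the ban ends BAN seconds after it was set; --reap
    # removes expired entries from the list.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m recent --name BLACKLIST --rcheck --seconds $BAN --reap -j DROP"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for p in $OPEN_TCP; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    for p in $OPEN_UDP; do
        echo "iptables -A INPUT -p udp --dport $p -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --syn -j PORTSCAN_CHECK"
    echo "iptables -P INPUT DROP"
}

# xt_recent exposes every list under /proc/net/xt_recent/<name> (root only);
# that is how to see who is banned and how to lift a ban by hand.
list_banned() { cat /proc/net/xt_recent/BLACKLIST; }
unban() { echo "-$1" > /proc/net/xt_recent/BLACKLIST; }   # e.g. unban 1.1.1.1

# Ordering check on the generated output, usable without root: succeeds only
# if the blacklist drop precedes the first service accept and that precedes
# the jump to PORTSCAN_CHECK.
check_order() {
    portscan_rules | awk '
        /-m recent --name BLACKLIST --rcheck/ { bl = NR }
        /-p tcp --dport [0-9]+ -j ACCEPT/     { if (!acc) acc = NR }
        /-p tcp --syn -j PORTSCAN_CHECK/      { chk = NR }
        END { exit !(bl && acc && chk && bl < acc && acc < chk) }'
}
```

Two caveats a practitioner should weigh before deploying this. xt_recent counts packets, not distinct ports, so a legitimate client that retransmits a SYN to one closed port several times counts each retransmission; keep HITS comfortably above the retry count of a normal client, and remember that `--hitcount` cannot exceed the module's `ip_pkt_list_tot` (default 20). Each list also holds at most `ip_list_tot` addresses (default 100), and a scanner that spoofs many source addresses can churn the SCAN list and evict real entries; raise both with module parameters (`modprobe xt_recent ip_list_tot=1000 ip_pkt_list_tot=30`) if the host sees much traffic. To make the ban extend while the source keeps hitting instead of expiring a fixed time after it was set, replace `--rcheck` with `--update` in the BLACKLIST rule. Like the answer's rules, this only counts TCP SYNs; UDP probes of closed ports fall through to the DROP policy without being counted.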
