Dropping or blocking port scanning

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
MikroTik: https://wiki.mikrotik.com/wiki/Drop_port_scanners - https://monovm.com/blog/how-to-block-port-scanner-in-mikrotik/

PSAD: https://www.cipherdyne.org/LinuxFirewalls/ch05/ - https://n0where.net/port-scan-attack-detector-psad - https://manpages.ubuntu.com/manpages/precise/man8/psad.8.html - https://hackertarget.com/psad-port-scan-detection-in-ubuntu-linux/

Snort: https://www.hackingarticles.in/detect-nmap-scan-using-snort/ "Hence you can block this IP to protect your network from further scanning." - https://resources.infosecinstitute.com/snort-network-recon-techniques - https://stackoverflow.com/a/52421369 - SNORT IS GOOD SHIT MAN ;]

pfSense: https://www.agix.com.au/automatically-block-intruders-with-pfsense/ - https://turbofuture.com/internet/Ho...ck-List-and-Country-Block-Package-for-pfSense - http://infosecdc.blogspot.com/2019/03/blocking-port-scans-on-pfsense.html - importantly note that Suricata or Snort can a little better perform this.

Suricata: https://medium.com/@almog009/how-to-detect-hackers-port-scanning-in-less-than-50-bucks-40ff71a86aea

Security Onion: https://www.futurelearn.com/courses/network-security-basics/0/steps/46401 - https://www.giac.org/paper/gsec/379...ber-threat-intelligence-based-approach/149584 ("At this step, Security Onion once again alerts to the port scan and provides useful information to security analysts that may have to respond to the breach"){same: https://www.sans.org/reading-room/whitepapers/networksecurity/paper/38740 } - very thorough example of forwarding all traffic https://medium.com/@samuelabiodun/h...m-on-aws-using-open-source-tools-8b755e965d54

Zeek (formerly known as "Bro"): https://blog.rapid7.com/2017/06/24/how-to-install-and-configure-bro-on-ubuntu-linux/

Other helpful reading/watching:

These are a bunch of IDS-related tools to keep your system(s) safe from attackers, especially starting with the initial discovery of ports on your machines. Port scanning is usually a first step an attacker will take to find what services you have running, to then attack.
 

NatureNMoon

Restricted
Jul 8, 2016
70
124
86
You can just use connlimit for your network. Also, you can use SYNPROXY to show the requests all the ports are open :)
You can use 10 connlimit per src ip /32 instead of using this.
These things affect the network very badly. Do not use these kinds of things on your networks.

For example(the rules must be in mangle post or filter post chains or can be under the synproxy.)
Code:
-p tcp --dport 80 -m connlimit --connlimit-above 10 -j DROP

or you can just open an ipset for example:
Code:
ipset create scanners hash:net

You can use the rule below:
Code:
-p tcp --dport 80 -m connlimit --connlimit-above 10 -j SET --add-set scanners src
then you can just drop the set by using the rule below;

Code:
iptables -A INPUT -m set --match-set scanners src -j DROP
 

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
You can just use connlimit for your network. Also, you can use SYNPROXY to show the requests all the ports are open
Do you use any visualization tools to see for example pie charts or otherwise graphing of data regarding port use, hosts, etc.
 
Top