Re: port scans (OT?)
On Fri, Dec 22, 2017 at 08:33:23PM +0000, Glenn English wrote:
> Debian Squeeze (?) very old anyway, Dell server, Juniper SSG5
> firewall. 1,000 miles away.
>
> I've started getting email from the firewall down there saying that it
> detected a port scan. Often enough of them to concern me -- several
> times a day.
>
> -- One just came in. Another 4 hours ago. From different IPs, from
> different (RIPE) countries. --
>
> Is there any way to stop them? AFAIK, there isn't. I sure can't think of a way.
>
> The 'JuniperUsers list' says to talk to my upstream ISP. But I don't
> see how that would help if they can't do anything either (they also
> use Juniper).
>
> The firewall blocks them after it sees 10 hits from the same IP in
> 5000 microseconds. But by then Nmap (or eq) has hit 10 ports.
>
> Am I overly paranoid here? What if a non-script-kiddie is also doing
> this, but slowly enough that the firewall doesn't detect it?

This is part of the background noise of the Internet.

What you can do:

- make sure your firewall only allows in new connections that
  you actually want.
- rate limit new connections.
- run fail2ban or similar detect-and-block scanners on the
  ports that you have open. In addition to the basic config,
  I recommend a perma-ban list for IPs that hit you repeatedly
  over long periods of time. And always keep your whitelist
  up to date.
- keep up to date with security related packages

-dsr-
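
The perma-ban list and whitelist suggested above can be built from ban history. The following is an added example, not part of the original message: it picks out addresses that were banned repeatedly over a long span while skipping whitelisted networks. The log lines are constructed in the style of fail2ban.log, and the function name and thresholds are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of fail2ban.log (documentation-range IPs).
SAMPLE_LOG = """\
2017-12-01 03:12:01,512 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.7
2017-12-01 03:22:01,600 fail2ban.actions [812]: NOTICE [sshd] Unban 203.0.113.7
2017-12-09 14:40:11,020 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.7
2017-12-10 08:00:45,301 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.23
2017-12-10 08:05:02,113 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.23
2017-12-10 08:09:59,870 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.23
2017-12-12 22:01:37,004 fail2ban.actions [812]: NOTICE [postfix] Ban 192.0.2.50
2017-12-18 01:15:00,000 fail2ban.actions [812]: NOTICE [sshd] Ban 192.0.2.50
2017-12-21 19:30:12,444 fail2ban.actions [812]: NOTICE [sshd] Ban 203.0.113.7
2017-12-22 06:45:00,250 fail2ban.actions [812]: NOTICE [sshd] Ban 192.0.2.50
"""

# Matches "Ban" events only; "Unban" lines do not contain "] Ban ".
BAN_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ .*\] Ban (\S+)$")


def perma_ban_candidates(log_text, whitelist, min_bans=3,
                         min_span=timedelta(days=7)):
    """Return IPs banned at least min_bans times across at least min_span.

    Short bursts (many bans within minutes) are left to the normal ban;
    only sources that keep coming back over days or weeks are returned.
    Addresses inside any whitelist network are never returned.
    """
    allowed = [ipaddress.ip_network(n) for n in whitelist]
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = BAN_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # malformed address field, skip the line
        if any(ip.version == net.version and ip in net for net in allowed):
            continue  # whitelisted: never a perma-ban candidate
        seen[ip].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    hits = [ip for ip, times in seen.items()
            if len(times) >= min_bans and max(times) - min(times) >= min_span]
    return [str(ip) for ip in sorted(hits, key=lambda a: (a.version, int(a)))]


if __name__ == "__main__":
    print(perma_ban_candidates(SAMPLE_LOG, whitelist=["192.0.2.0/24"]))
```
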