Port scans: Under attack!




Posted by gpl24, 01-10-2011, 03:01 PM
Since the start of the weekend I have been experiencing a port scan attack. Whereas I used to receive only about 5 a day, I am now receiving upwards of 5 per minute. I am astounded at the fact my server is even standing right now. I have CSF firewall enabled and it seems to be thwarting them. However, because they are so persistent I am worried they'll get in. They are not coming from any certain region; it's really scattered all over the world. I have tried reporting them to abuse@.. and blocking repeats at server-level permanently. Is there anything else I can do to get rid of them?

Posted by TheHostGenie, 01-10-2011, 05:14 PM
Not really. Change your SSH port, make sure software is up to date (including CSF - I believe an update was released today), and make sure passwords are very strong.

Posted by plumsauce, 01-10-2011, 06:08 PM
My office router gets more than that and it's running in full stealth mode. You won't get rid of them until they get tired of it. They'll get tired of it when they don't get in.

Posted by jiqiren, 01-10-2011, 08:39 PM
I run denyhosts on all my servers. Typically just that alone will add 5 or so new IP addresses to my banned list every day. I used to report the scans to their providers' abuse email account, but I never get results / responses.

Posted by steven_elvisda, 01-11-2011, 10:11 AM
1. Did you clean all IPs in the permanent list yet? 2. If you cleaned them all, please restart CSF once. This is my idea.

Posted by raffo, 01-12-2011, 08:01 AM
Change all standard ports and change all version information in all public services, so if someone makes a very slow port scan they can't see the software you really use. Also, if you change the TCP info you can obfuscate the version of your OS.

Posted by REMX, 01-12-2011, 10:12 AM
Are they sourced from a few or numerous IP addresses? If you are able to, report the IP addresses to the assigned authority. You can find their details by using a website such as: http://tools.whois.net/whoisbyip/ I can understand a long list can be painfully long and you may not have the time to contact them, but in the long run it may help prevent these muppets from returning. It's just a suggestion if all else fails or the culprit(s) return.

Posted by raffo, 01-12-2011, 10:22 AM
Why report port scans? Why do so much work for nothing when we can stop them and obfuscate our trace by configuring our software properly? Before reporting anything you must know how to analyse the network, and then make stats of the most active IPs and report to the ISP only if you are able to send the messages of the violation, not just the IP. In this case your request can be considered.

Posted by nonmal, 01-14-2011, 04:25 AM
Denyhosts +1, fail2ban might also be very helpful in this case

Posted by raffo, 01-14-2011, 07:55 AM
Denyhosts is only for SSH. Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IPs that make too many password failures. It updates firewall rules to reject the IP address. So it can't be very useful anymore. To block a port scan the only way is to count, for each IP, how many ports it uses on the server in x time. If an IP sends packets to 10 ports in 1 minute it can be a port scan, and then it will be blocked.
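The heuristic described in the post above, as an added example written for this article (it is not code from the thread, from CSF or from fail2ban): count the distinct destination ports each source IP hits inside a sliding window over iptables/CSF-style syslog lines. The log lines, hosts and the 10-ports-in-60-seconds threshold are constructed to match the post; the log format assumed is the default iptables LOG prefix with SRC= and DPT= fields.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields written by iptables/CSF LOG rules to syslog: timestamp, SRC=, DPT= (assumed format).
LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)")

def parse_line(line, year=2011):
    """Return (timestamp, source_ip, dest_port) or None for lines without a DPT field."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("src"), int(m.group("dpt"))

def detect_port_scans(lines, port_threshold=10, window=timedelta(seconds=60)):
    """Flag a source IP the first time it hits `port_threshold` distinct ports within `window`."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, port), oldest first
    flagged = {}                  # src -> timestamp at which it crossed the threshold
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, port = parsed
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:   # drop this source's events older than the window
            q.popleft()
        if src not in flagged and len({p for _, p in q}) >= port_threshold:
            flagged[src] = ts
    return flagged

def make_lines(src, ports, start, step):
    """Constructed sample log lines in the iptables/CSF LOG format (not real traffic)."""
    return [f"{(start + i * step).strftime('%b %d %H:%M:%S')} host kernel: Firewall: *TCP_IN Blocked* "
            f"IN=eth0 OUT= SRC={src} DST=198.51.100.7 PROTO=TCP SPT=4444 DPT={p}"
            for i, p in enumerate(ports)]

T0 = datetime(2011, 1, 10, 15, 1, 0)
SAMPLE_LOG = (
    make_lines("203.0.113.5", [21, 22, 23, 25, 53, 80, 110, 143, 443, 3306], T0, timedelta(seconds=3))
    + make_lines("198.51.100.9", [22] * 12, T0, timedelta(seconds=2))      # one port hammered: not a scan
    + make_lines("192.0.2.44", [21, 22, 23, 25, 53, 80, 110, 143, 443, 3306], T0, timedelta(seconds=40))
)

if __name__ == "__main__":
    for src, ts in detect_port_scans(SAMPLE_LOG).items():
        print(f"{ts:%b %d %H:%M:%S} possible port scan from {src}")
```

Only the first host is flagged: the SSH brute-forcer touches a single port, and the slow sweep (40 s between ports) never has 10 distinct ports inside one 60-second window, which is the blind spot the earlier post about slow scans refers to.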

Posted by Forward Web, 01-14-2011, 07:13 PM
I suggest reporting as many IPs as possible to the appropriate abuse departments. Some will act, some won't, however it's still better than just sitting around, hoping they don't get in. In addition, make sure you have all the proper security features in place (just having your firewall up is oftentimes not enough). Change your passwords, update your SSH port, etc.

Posted by CityNick, 01-15-2011, 04:06 AM
I like hardware firewalls. I like and recommend the Juniper Security Products, specifically the SRX series. You can pick up an SRX100 for 300 bucks off eBay. You can have the security appliance ban the IPs after one scan for a particular amount of time. It doesn't matter how many IPs there are; it will keep banning each one for longer and longer amounts of time after each attempt. They also protect against DDoS attacks. I've heard that the WatchGuard hardware firewalls are good also. But you've got to watch the ongoing subscription pricing that some vendors may charge for signatures. Which is why I like Juniper.

Posted by raffo, 01-15-2011, 08:36 AM
A hardware firewall is the best way to filter and block at the TCP/UDP level. But it costs a lot of money.