Dealing with portscans
the.real.david.allen at gmail.com
Mon Sep 22 20:06:12 UTC 2008
On 9/22/08, Greg Larkin <glarkin at freebsd.org> wrote:
> David Allen wrote:
>> Over the last few weeks I've been getting numerous ports scans, each from
>> unique hosts. The situation is more of an annoyance than anything else,
>> but I would prefer not seeing or having to deal with an extra 20-30K
>> entries in my logs as was the case recently.
>> I use pf for firewalling, and while it does offer different methods
>> (max-src-conn, max-src-conn-rate, etc.) for dealing with abusive hosts, it
>> doesn't seem to offer much in the way of dealing with repeated blocked
>> (non-stateful) connection attempts from a given host.
>> Short of running something like snort, is there a suitable tool for
>> dealing with this? If not, I'll probably resort to running a cronjob to
>> parse the logfile and add the offending hosts manually.
> Hi David,
> You might want to try security/portsentry from the ports tree. It's a
> bit dated, and it has no maintainer at the moment, but a cursory glance
> at it tells me it might work for you. It supports pf for blocking
> connections once your trigger conditions are met.
I'll give it a try.
FWIW, I did discover that parsing the log files to get a list of
offending hosts (denied a number of times above a given certain
threshold) wasn't really as slow or troublesome as I thought. That
slightly hackish approach might be useful for port scans in addition
to the various rubbish I get sent.
Thanks to both you and Jeff Laine for the replies.
More information about the freebsd-questions