Dealing with portscans

Matthew Seaman m.seaman at infracaninophile.co.uk
Mon Sep 22 21:26:02 UTC 2008


David Allen wrote:
> On 9/22/08, Ghirai <ghirai at ghirai.com> wrote:
>> On Mon, 22 Sep 2008 08:17:02 -0700
>> "David Allen" <the.real.david.allen at gmail.com> wrote:
>>
>>> Over the last few weeks I've been getting numerous ports scans, each
>>> from unique hosts.  The situation is more of an annoyance than
>>> anything else, but I would prefer not seeing or having to deal with
>>> an extra 20-30K entries in my logs as was the case recently.
>>>
>>> I use pf for firewalling, and while it does offer different methods
>>> (max-src-conn, max-src-conn-rate, etc.) for dealing with abusive
>>> hosts, it doesn't seem to offer much in the way of dealing with
>>> repeated blocked (non-stateful) connection attempts from a given host.
>>>
>>> Short of running something like snort, is there a suitable tool for
>>> dealing with this?  If not, I'll probably resort to running a cronjob
>>> to parse the logfile and add the offending hosts manually.
>> Add the abusive hosts to a table x, via max-src-conn, max-src-conn-rate,
>> etc., then add near the top of your ruleset:
>>
>> block drop quick from <x>
> 
> You either didn't read my message or have misunderstood pf.
> 
> The features you (and I) mention apply only to rules which create
> state.   If your rules are written for port 22, 25, and 80 traffic,
> for example, you can most certainly make use of those features.
> 
> However, receiving SYN packets to ports 1024-40000 isn't going to
> match anything other than a default "block all" rule, which creates no
> state.  That gives you zero such features to work with, but does give
> you 38976 individual log entries.

Most of this sort of port scanning is automated by infected machines
-- it doesn't indicate a directed attack at you.  It's been described as 
the 'background radiation of the Internet'.  So long as your systems
aren't vulnerable to the specific problems the malware is attempting to 
exploit -- and assuming you aren't running Windows then you're almost 
certainly immune from this automated stuff -- then why bother putting any 
effort into blocking the source hosts?  Just dump the traffic and ignore it.

Drop the traffic using a 'block log all' default action and 'set 
block-policy drop' in pf.conf.

Don't open up high-port ranges to incoming traffic, either UDP or TCP
-- if you have to run FTP servers then use ftp/ftp-proxy to avoid having
to open your firewall too much.  Also consider the following sysctls:

# Blackhole packets to ports without listeners
net.inet.tcp.blackhole=1
net.inet.udp.blackhole=1

although these will be redundant if your firewalling is effective.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
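The ruleset below is an added example, not from the thread, that puts the pieces of the discussion above into one pf.conf: the 'set block-policy drop' and 'block log all' default that Matthew recommends, the table-based 'block drop quick from <x>' that Ghirai suggests, and a stateful pass rule for the handful of services that are actually offered, which is the only place max-src-conn / max-src-conn-rate and an overload table can apply. The interface name, address macro, port list and table name are assumptions chosen for illustration.

```conf
# /etc/pf.conf -- illustrative example, not the original poster's ruleset.
# Interface, port list and table name are placeholders.
ext_if = "em0"
tcp_services = "{ 22, 25, 80 }"

# Silently drop blocked packets instead of answering with a TCP RST or
# ICMP unreachable: the scanner learns nothing and we send no replies.
set block-policy drop

# Hosts that the overload clause below pushes into this table are cut
# off completely.  'persist' keeps the table even when no rule refers to it.
table <abusive> persist

# Default deny, logged.  A SYN to a closed high port matches only this
# rule, and this rule creates no state, so the stateful rate limits
# further down cannot see it -- it is simply dropped (and logged).
block log all

# Anything already in <abusive> is dropped before any pass rule is
# evaluated; no 'log' here, so known offenders stop filling the log.
block drop quick from <abusive>

# Outbound traffic from this host.
pass out on $ext_if keep state

# Only the services we really run are opened; no high-port ranges.
# These rules create state, so max-src-conn (simultaneous connections
# per source) and max-src-conn-rate (new connections per source per
# N seconds) apply here.  An offender is added to <abusive> and all of
# its existing states are flushed.
pass in on $ext_if proto tcp to ($ext_if) port $tcp_services \
    flags S/SA keep state \
    (max-src-conn 50, max-src-conn-rate 15/5, \
     overload <abusive> flush global)
```

Load it with 'pfctl -f /etc/pf.conf' and check who has been caught with 'pfctl -t abusive -T show'; 'pfctl -t abusive -T expire 86400' (or a periodic(8) job running it) ages entries out again. The two blackhole sysctls from the message above go in /etc/sysctl.conf as written; with this ruleset in place they only matter for packets that reach the stack through a pass rule, which is why Matthew calls them redundant when the firewall is doing its job.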



More information about the freebsd-questions mailing list