Dealing with portscans
the.real.david.allen at gmail.com
Mon Sep 22 20:05:18 UTC 2008
On 9/22/08, Ghirai <ghirai at ghirai.com> wrote:
> On Mon, 22 Sep 2008 08:17:02 -0700
> "David Allen" <the.real.david.allen at gmail.com> wrote:
>> Over the last few weeks I've been getting numerous ports scans, each
>> from unique hosts. The situation is more of an annoyance than
>> anything else, but I would prefer not seeing or having to deal with
>> an extra 20-30K entries in my logs as was the case recently.
>> I use pf for firewalling, and while it does offer different methods
>> (max-src-conn, max-src-conn-rate, etc.) for dealing with abusive
>> hosts, it doesn't seem to offer much in the way of dealing with
>> repeated blocked (non-stateful) connection attempts from a given host.
>> Short of running something like snort, is there a suitable tool for
>> dealing with this? If not, I'll probably resort to running a cronjob
>> to parse the logfile and add the offending hosts manually.
> Add the abusive hosts to a table x, via max-src-conn, max-src-conn-rate,
> etc., then add near the top of your ruleset:
> block drop quick from <x>
You either didn't read my message or have misunderstood pf.
The features you (and I) mention apply only to rules which create
state. If your rules are written for port 22, 25, and 80 traffic,
for example, you can most certainly can make use of those features.
However, receiving SYN packets to ports 1024-40000 isn't going to
match anything than a default "block all" rule, which creates no
state. That gives you zero such features to work with, but does give
you 38976 individual log entries.
More information about the freebsd-questions