Dealing with portscans

David Allen the.real.david.allen at
Mon Sep 22 20:06:12 UTC 2008

On 9/22/08, Greg Larkin <glarkin at> wrote:
> David Allen wrote:
>> Over the last few weeks I've been getting numerous ports scans, each from
>> unique hosts.  The situation is more of an annoyance than anything else,
>> but I would prefer not seeing or having to deal with an extra 20-30K
>> entries in my logs as was the case recently.
>> I use pf for firewalling, and while it does offer different methods
>> (max-src-conn, max-src-conn-rate, etc.) for dealing with abusive hosts, it
>> doesn't seem to offer much in the way of dealing with repeated blocked
>> (non-stateful) connection attempts from a given host.
>> Short of running something like snort, is there a suitable tool for
>> dealing with this?  If not, I'll probably resort to running a cronjob to
>> parse the logfile and add the offending hosts manually.
> Hi David,
> You might want to try security/portsentry from the ports tree.  It's a
> bit dated, and it has no maintainer at the moment, but a cursory glance
> at it tells me it might work for you.  It supports pf for blocking
> connections once your trigger conditions are met.

I'll give it a try.

FWIW, I did discover that parsing the log files to get a list of
offending hosts (denied a number of times above a given certain
threshold) wasn't really as slow or troublesome as I thought.  That
slightly hackish approach might be useful for port scans in addition
to the various rubbish I get sent.

Thanks to both you and Jeff Laine for the replies.

More information about the freebsd-questions mailing list