From: Willem J. W. <wj...@di...> - 2016-05-04 08:15:21
On 4-5-2016 06:16, Kevin Zheng wrote:
> On 05/03/2016 08:36, Jos Chrispijn wrote:
>> Is there a way of blocking port scanners and treating them as a false login?
>
> Yes, by adding these signatures and monitoring 'all.log'. But this
> wouldn't stop these log messages from showing up, because the attackers
> would still hit the firewall. It doesn't make sense to have a firewall
> protecting the firewall.
>
>> May 3 17:24:18 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 x.x.x.x:28997 in via re0
>> May 3 17:24:26 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 x.x.x.x:11505 in via re0
>> May 3 17:24:31 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 x.x.x.x:21643 in via re0
>> May 3 17:24:33 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 x.x.x.x:28800 in via re0
>
> I think this is beyond the scope of SSHGuard. SSHGuard protects against
> service attacks, not port scans. The intent of SSHGuard is to use a
> firewall to prevent rapid attacks against services (that takes up CPU
> and memory resources).

As a blunt tool I use portsentry. If you hit any of the ports normally used with backdoors, p2p, ... all kinds of things I do not serve and do not want to be accessed. I'm using it in the same way as sshguard:

ipfw table <nr of choice> add <ipnr>

And then build a list of tables that are being blocked....
01050 deny ip from table(10) to any
01060 deny ip from table(21) to any
01070 deny ip from table(22) to any
01080 deny ip from table(25) to any
01090 deny ip from table(26) to any
01100 deny ip from table(40) to any
01110 deny ip from table(41) to any
01120 deny ip from table(42) to any
01130 deny ip from table(43) to any
01140 deny ip from table(50) to any
01150 deny ip from table(53) to any
01160 deny ip from table(54) to any
01170 deny ip from table(55) to any
01180 deny ip from table(56) to any
01190 deny ip from table(57) to any
01200 deny ip from table(58) to any
01210 deny ip from table(59) to any
01220 deny ip from table(60) to any
01230 deny ip from table(70) to any
01240 deny ip from table(75) to any
01250 deny ip from table(80) to any
01260 deny ip from table(81) to any
01270 deny ip from table(86) to any

--WjW
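An added example, not from this thread and not part of SSHGuard or portsentry: a small Python detector that reads ipfw "Deny" lines in the format quoted above, flags a source that hits several distinct destination ports within a short window (the signature of a port sweep rather than a single failed login), and emits the `ipfw table <nr> add <ip>` command Willem describes. The table number 10, the thresholds and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# ipfw deny line as logged by the FreeBSD kernel (syslog timestamps carry no year).
IPFW_DENY = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: ipfw: (?P<rule>\d+) Deny "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"in via (?P<iface>\S+)$"
)

# Constructed sample: the four hits quoted in the thread plus one unrelated single hit.
SAMPLE_LOG = """\
May  3 17:24:18 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 192.0.2.10:28997 in via re0
May  3 17:24:26 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 192.0.2.10:11505 in via re0
May  3 17:24:31 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 192.0.2.10:21643 in via re0
May  3 17:24:33 ceto kernel: ipfw: 7300 Deny TCP 163.172.31.102:41712 192.0.2.10:28800 in via re0
May  3 17:25:02 ceto kernel: ipfw: 7300 Deny TCP 198.51.100.7:50001 192.0.2.10:22 in via re0
""".splitlines()


def parse_deny(line):
    """Return the fields of one ipfw Deny line, or None if the line is not one."""
    m = IPFW_DENY.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["ts"] = datetime.strptime(" ".join(rec["ts"].split()), "%b %d %H:%M:%S")
    return rec


def scanners(lines, min_ports=4, window_s=60):
    """Map source IP -> sorted ports for sources hitting >= min_ports distinct
    destination ports within any window_s-second span (sliding window per source)."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_deny(line)
        if rec:
            by_src[rec["src"]].append((rec["ts"], rec["dport"]))
    found = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                found[src] = sorted(ports)
                break
    return found


def block_commands(found, table=10):
    """ipfw table add commands for each flagged source (table 10 is a constructed choice)."""
    return [f"ipfw table {table} add {src}" for src in sorted(found)]
```

With the rules listed above, every address added to table(10) is dropped by rule 01050 on its next packet.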