# Port Scanner Detection and Banning



## zgasparian (Apr 3, 2022)

After a couple of years, I have started to use FreeBSD again. Previously I was using Linux, and on all my servers I had installed the "PSAD" package, which detects the port scanners' IP addresses and bans them through iptables rules.
I have searched for the same in FreeBSD but it does not exist. Something exists such as "scanlogd", but it does not ban the scanner's IP address. I also used "portsentry", but it is not blocking nmap scans (TCP scans; it only blocks UDP scans).
Any suggestions on what I can use instead, or any IPFW rule to detect and ban the scanners?

Thanks


----------



## im (Apr 4, 2022)

In my opinion, detecting and blocking port scans is the wrong way for most cases.
Very often 'port scan detectors' have a lot of false-positive reactions.
Usually, port scans do nothing to your equipment.
But I prefer to limit the number of open ports on my hosts.
On servers, I try to jail() any external service. It can protect the host system in some cases.


----------



## SirDice (Apr 4, 2022)

im said:


> Usually, port scans do nothing with your equipment.
> But I prefer to limit amount of open ports on my hosts.


Yeah, only open the ports you need and just ignore the port scanners. You're not going to stop them whatever you do.

Bruteforce scanners, however, clog up your logs; you can use security/sshguard (can do more than SSH alone), security/py-fail2ban or blacklistd(8) for those.


----------



## gpw928 (Apr 5, 2022)

There are many problems with banning port scanners.

For instance, my Internet connection is 3G cellular mobile data into a private enclave, operated by my ISP. My IP address in that enclave today is 10.95.198.33. As you can see, they are using a Class-A private (RFC 1918) network for clients. That's against the rules... Good luck prosecuting them...

All my traffic onto the Internet passes through the private enclave and is NAT'd on their externally facing router. My Internet IP address is that of the router, 49.181.155.24.

Now, there are a lot of script kiddies and ne'er-do-wellers in the private enclave emerging to wreak havoc on the Internet from that same IP address. The outcome is that almost everyone on the Internet thinks that I'm a criminal, based on IP address only. No doubt, you would have me blacklisted. Maybe you don't care about one person, but everyone in my country with a tablet connected to the same (major) ISP by a 3G cellular mobile service would have the same problem.

Depending on your circumstances, you may find security/knock useful.


----------



## Datapanic (Apr 5, 2022)

FreeBSD's pf() can be configured to block port scanners in real time, but that's not going to make them go away. With pf, you can set it up so that any port scanner IP is added to a table and then you can use that table to block the IP any way you want. You can then use pfctl() in a cron job to clean up the table after X amount of time.

Of course, you must have pf working first, then it's a piece of cake to add in the anti scanner rules.
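The table-plus-cron setup described above, as an added example (this is not Datapanic's code or a FreeBSD project file). It emits a pf.conf fragment in which a source that opens more than a set number of connections to ports nothing listens on within a short window is put into a table, everything from that table is dropped, and a cron line ages entries out with pfctl's `-T expire`. The interface name `em0`, the service and trap port lists, the table name `scanners`, the rate `5/30` and the one-day expiry are all placeholders to adapt.

```shell
#!/bin/sh
# Added example: record fast probers in a pf table, block the table, and
# age the table out from cron. All names and numbers below are assumptions.

TABLE=scanners      # name of the pf table holding tabled sources
RATE="5/30"         # more than 5 new connections from one source in 30 s -> tabled
EXPIRE_SECS=86400   # cron drops table entries older than one day (the "X amount of time")

# Print a pf.conf fragment for external interface $1 (default: em0).
# pf macros are written as \$name so they reach pf.conf literally.
pf_scanner_rules() {
    ext_if="${1:-em0}"
    cat <<EOF
# --- port-scanner trap (added example) ---
ext_if = "$ext_if"
services = "{ 22, 80, 443 }"                  # ports you actually serve (placeholder)
trap_ports = "{ 21, 23, 1433, 3389, 5900 }"   # nothing listens here (placeholder)

table <$TABLE> persist

# Anything already in the table is dropped before any other rule is consulted.
block in quick on \$ext_if from <$TABLE>

# Normal services.
pass in on \$ext_if proto tcp to (\$ext_if) port \$services flags S/SA keep state

# A SYN to a trap port is answered with RST by the kernel (nothing listens),
# but it still creates a state, so the per-source connection rate counts it.
# More than $RATE from one source adds it to the table and flushes
# every state that source already holds.
pass in on \$ext_if proto tcp to (\$ext_if) port \$trap_ports flags S/SA \\
    keep state (max-src-conn-rate $RATE, overload <$TABLE> flush global)
EOF
}

# Cron line (for /etc/crontab) that expires table entries older than EXPIRE_SECS.
pf_cleanup_cron_line() {
    printf '%s\n' "0 * * * * root /sbin/pfctl -t $TABLE -T expire $EXPIRE_SECS"
}

# Stand-alone use: sh thisfile.sh em0  -> prints the fragment and the cron line.
# Check the result with: pfctl -nf /etc/pf.conf  before loading it.
if [ "$#" -gt 0 ]; then
    pf_scanner_rules "$1"
    pf_cleanup_cron_line
fi
```

Once loaded with `pfctl -f /etc/pf.conf`, `pfctl -t scanners -T show` lists who has been tabled and `pfctl -t scanners -T delete <address>` removes a false positive by hand; the `persist` keyword keeps the table alive even when no rule currently references it, so entries survive a rule reload.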


----------



## SWIFTYLIFT (May 15, 2022)

I agree with gpw928 - I appear to be under an IPv6 ban when I tried to register at a top 500 site yesterday - not me specifically, I just happen to be under it, and according to the additional info it lasts till 2023, since I'm too lazy or don't care enough to send a message to my mobile carrier.
There's always the fact that scanners are indifferent to drop / reject, so why not make a few ports accommodating and welcome 'em - time out and close (I like to think it's a small part in clogging these things up, even if it's a tiny part).


----------



## Phishfry (May 15, 2022)

Datapanic said:


> With pf, you can set it up so that any port scanner IP is added to a table and then you can use that table to block the IP any way you want. You can then use pfctl() in a cron job to clean up the table after X amount of time.


Another method is pf and send to blacklistd(8).
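The pf-plus-blacklistd(8) wiring mentioned above, as an added example (not Phishfry's code or a FreeBSD project file). blacklistd receives failure reports from daemons linked against libblacklist (FreeBSD's sshd reports when `UseBlacklist yes` is set in sshd_config) and, through its pf helper, fills an anchor that pf.conf must reference. The function below writes the three pieces into a directory of your choosing so they can be inspected before being merged into the real files; `em0`, the failure count 3 and the 24h block time are placeholders.

```shell
#!/bin/sh
# Added example: the three configuration pieces that connect blacklistd(8)
# to pf. Interface name, thresholds and durations are assumptions.

# blacklistd.conf: per service, failures before blocking and block duration.
# Columns: adr/mask:port  type  proto  owner  name  nfail  disable
blacklistd_conf() {
    cat <<'EOF'
# blacklistd.conf (added example)
[local]
# adr/mask:port  type    proto  owner  name  nfail  disable
ssh              stream  *      *      *     3      24h
ftp              stream  *      *      *     3      24h
EOF
}

# pf.conf: the anchor blacklistd populates; pf consults it for inbound traffic
# on the external interface $1 (default: em0).
pf_anchor_rule() {
    ext_if="${1:-em0}"
    printf 'anchor "blacklistd/*" in on %s\n' "$ext_if"
}

# rc.conf: start the daemon; -r restores the existing block list on restart
# instead of beginning with an empty one.
rc_conf_lines() {
    printf '%s\n' 'blacklistd_enable="YES"' 'blacklistd_flags="-r"'
}

# Write all three fragments into directory $1 for review (never straight
# into /etc); returns non-zero if the directory cannot be used.
write_blacklistd_pf() {
    dir=$1
    ext_if="${2:-em0}"
    [ -d "$dir" ] || return 1
    blacklistd_conf            > "$dir/blacklistd.conf"
    pf_anchor_rule "$ext_if"   > "$dir/pf.conf.fragment"
    rc_conf_lines              > "$dir/rc.conf.fragment"
}

# Stand-alone use: sh thisfile.sh /tmp/review em0
if [ "$#" -gt 0 ]; then
    write_blacklistd_pf "$1" "$2"
fi
```

After the fragments are merged and `service blacklistd start` has run, `blacklistctl dump -b` lists the addresses currently blocked, and `pfctl -a "blacklistd/22" -t port22 -T show` shows the pf side of the same list for the SSH port.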


----------



## getopt (May 15, 2022)

If you have *open ports* to the *Internet* then you should care about those listening ports. Protecting SSH has been discussed on our forums at length and elsewhere. Another problem is DDoS attacks on web servers, where huge numbers of requests hit a single open port (http, https).

On *closed ports* there is no service listening; therefore there is nothing further to do. Reacting to that just adds load to your system for no effect. It makes little sense to create lists of what is blocked by default.

There is no attack surface on closed ports.


----------

