Can it protect against a port scan?

Hi, can it protect against a port scan?

Hello,

Yes, you can protect against port scans with the iptables collection: CrowdSec Hub

If you use another firewall, you can make your own parser and scenario to detect portscan.


It turns out you need to enable iptables logging? psad works like this, but when you have a large amount of data, the disk is not enough ((

Yes, unfortunately that's the only solution we have now, and I agree it's not very suitable for bigger infrastructure. Do you have suggestions on how to achieve this in a more scalable way?

I have a CrowdSec bouncer running on my OpenWrt router. One of the things I always want when using a security device/system is to get some feedback.
For this I implemented my own chain that not only drops incoming connections that match the CrowdSec ipset, but also puts them into another ipset so I can see what and how many IPs have really been blocked.

I know of a few ways to implement a port scan detection with firewall rules only. Having those to fill up an ipset and then using this ipset as a source for detection rather than parsing a log might be a lightweight and flexible solution.

So, kind of an ipset parser…

It is possible based on traps like portsentry.

If you have portsentry logs of attacks, I guess it should be quite trivial to create a parser/scenario for this :slight_smile:

I want to put in just one tool and get a good result. What I liked about fail2ban is that portsentry is in jail.conf; it reduces time.

Actually, you can't protect against port scans, but you can act on a detected port scan. How to act depends on what you want to achieve.

  • Usually most routers don't have open ports on the WAN side. Detecting port scans is then purely informational and won't change anything.
  • If you run a service exposed to the public (e.g. a web server), detecting a port scan might help you block the scanner before it detects your open ports. This is a valid scenario. But usually attacks launched against open services/ports use a different source IP than the port scanners, so blocking the port scanner's IP won't help. Also, besides port scanners, there are a lot of creatures out there just trying to attack dedicated ports 80, 443, 22 … If you run an exposed service, you need to secure the service.
  • You might also want to act as a honeypot and share the detected port scanner's IP with the CrowdSec community. :slight_smile:
  • If you want to detect port scans because you want to reduce load on the system (e.g. a small home router), I suggest using iptables/nftables rules with ipset to detect scans and block scanners right away.
    Tools like portsentry, fail2ban or CrowdSec parsing logs always put some extra load on the system.
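As an added illustration of the firewall-only approach suggested in this post (and the "fill an ipset, then read the ipset" idea earlier in the thread), here is an nftables ruleset that does the trap and the blocking in the kernel without any log parsing. It is example code written for this thread, not a ruleset from the CrowdSec project or from any poster; the WAN interface name "eth0", the allowed ports 22 and 443, and the 1 hour timeout are assumptions you would adapt.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumptions: IPv4, WAN interface "eth0",
# public services on tcp/22 and tcp/443 only. TCP SYN probes only; UDP is not covered.

flush ruleset

table inet portscan {
    # Sources that touched a closed port. Entries expire on their own, so
    # a one-off stray packet does not become a permanent ban.
    set scanners {
        type ipv4_addr
        flags dynamic,timeout
        timeout 1h
    }

    # The only TCP ports meant to be reachable from the WAN.
    set services {
        type inet_service
        elements = { 22, 443 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Already-trapped sources: drop early and count, which gives the
        # "how many IPs were really blocked" feedback mentioned above.
        iifname "eth0" ip saddr @scanners counter drop

        # Legitimate new connections to the published services.
        iifname "eth0" tcp dport @services ct state new accept

        # Trap: a SYN to any other port marks the source as a scanner for the
        # set's timeout and the probe is dropped. Everything else hits policy drop.
        iifname "eth0" tcp flags & (fin|syn|rst|ack) == syn ct state new \
            add @scanners { ip saddr } counter drop
    }
}
```

`nft list set inet portscan scanners` shows the trapped sources with their remaining timeouts, and `nft list chain inet portscan input` shows the counters; that listing is the kind of data an "ipset parser" as described above would consume instead of a log file.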

> You might also want to act as a honeypot and share the detected port scanner's IP with the CrowdSec community. :slight_smile:

I will not participate as bait, but I am ready to share bad IPs. Tell me, how can this be done?

I’m willing to give advice but a bit more information is needed. :wink:

I believe you are a home user with a standard SOHO router connected to the internet, with a single IP, and the router is doing NAT.
I also believe you have at least one service (e.g. a web server) accessible from the internet.

I also believe you want to run CrowdSec on the router? Is this correct?