Can it protect against a port scan?

Hi, can it protect against a port scan?

Hello,

Yes, you can protect against port scans with the iptables collection: CrowdSec Hub

If you use another firewall, you can make your own parser and scenario to detect port scans.

It turns out you need to enable iptables logging? psad works like this, but when you have a large amount of data, the disk is not enough ((

Yes, unfortunately that’s the only solution we have now, and I agree it’s not very suitable for bigger infrastructure. Do you have suggestions on how to achieve this in a more scalable way?

I have a crowdsec bouncer running on my OpenWrt router. One of the things I always want when using a security device/system is to get some feedback.
For this I implemented my own chain that not only drops incoming connections that match the crowdsec ipset, but also puts them into another ipset so I can see what and how many IPs have really been blocked.

I know of a few ways to implement port scan detection with firewall rules only. Having those fill up an ipset and then using this ipset as a source for detection rather than parsing a log might be a lightweight and flexible solution.

So, kind of an ipset-parser …

It is possible based on traps like portsentry.

if you have portsentry logs of attacks, I guess it should be quite trivial to create a parser/scenario for this :slight_smile:

I want to set up just one tool and get a good result. What I liked about fail2ban is that portsentry is in jail.conf; it reduces time.

Actually you can’t protect against port scans but you can act on a detected port scan. How to act depends on what you want to achieve.

  • Usually most routers don’t have open ports on the WAN side. Detecting port scans is just informational and won’t change anything.
  • If you run a service exposed to the public (e.g. a web server), detecting a port scan might help you to block the scanner before it detects your open ports. This is a valid scenario. But usually attacks started on open services/ports use a different source IP as origin than the port scanners. Blocking the port scanner’s IP won’t help. Also, besides port scanners there are a lot of creatures out there just trying to attack dedicated ports 80, 443, 22 … If you run an exposed service, you need to secure the service.
  • You might also want to act as a honeypot and share the detected port scanner’s IP with the Crowdsec community. :slight_smile:
  • If you want to detect port scans because you want to reduce load on the system (e.g. a small home router), I suggest using iptables/nftables rules with ipset to detect scans and block scanners right away.
    Tools like portsentry, fail2ban or crowdsec parsing logs always put some extra load on the system.

"You might also want to act as a honeypot and share the detected port scanner’s IP with the Crowdsec community. :slight_smile:" - I will not participate as bait, but I am ready to share bad IPs; tell me how this can be done?
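
The firewall-only approach mentioned in the two posts above (detect with iptables/ipset rules, block right away, and keep a second ipset as feedback), written out as an added example; this is not code from the thread or from the CrowdSec project. The WAN interface, the exposed ports and the set/chain names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example for this thread, not code from the thread or the CrowdSec project.
# Assumptions: WAN interface eth0, exposed TCP ports 22,80,443, and the set/chain
# names scanners, scan_blocked and SCANGUARD are all chosen here.
OPEN_PORTS="22,80,443"
WAN_IF="eth0"
BAN_SECONDS=3600

# Emit the ipset/iptables commands. Any NEW TCP connection to a port that is
# not exposed is treated as a probe: its source goes into 'scanners' (entries
# expire after BAN_SECONDS). Members of 'scanners' are copied into
# 'scan_blocked' (a feedback set with packet counters) and then dropped.
scan_rules() {
    cat <<EOF
ipset -exist create scanners hash:ip timeout $BAN_SECONDS
ipset -exist create scan_blocked hash:ip timeout $BAN_SECONDS counters
iptables -N SCANGUARD 2>/dev/null || iptables -F SCANGUARD
iptables -A SCANGUARD -m set --match-set scanners src -j SET --add-set scan_blocked src --exist
iptables -A SCANGUARD -m set --match-set scanners src -j DROP
iptables -A SCANGUARD -p tcp -m conntrack --ctstate NEW -m multiport ! --dports $OPEN_PORTS -j SET --add-set scanners src --exist
iptables -A SCANGUARD -p tcp -m conntrack --ctstate NEW -m multiport ! --dports $OPEN_PORTS -j DROP
iptables -C INPUT -i $WAN_IF -j SCANGUARD 2>/dev/null || iptables -I INPUT -i $WAN_IF -j SCANGUARD
EOF
}

# Apply the rules (needs root on the router).
apply_scan_rules() { scan_rules | sh; }

# Feedback: turn 'ipset list scan_blocked' output (read from stdin) into
# "packets ip" lines, most active source first.
blocked_report() {
    awk '/^Members:/ { m = 1; next }
         m && NF { p = 0; for (i = 2; i <= NF; i++) if ($i == "packets") p = $(i + 1); print p, $1 }' \
    | sort -rn
}

# Constructed sample of 'ipset list scan_blocked' output for an offline run.
SAMPLE_LIST='Name: scan_blocked
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 3600 counters
Number of entries: 2
Members:
198.51.100.7 timeout 120 packets 3 bytes 180
203.0.113.5 timeout 3412 packets 17 bytes 1020'

# Run the report over the constructed sample (on a router: ipset list scan_blocked | blocked_report).
blocked_report_sample() { printf '%s\n' "$SAMPLE_LIST" | blocked_report; }
```

The drop on probes to closed ports replaces the reject the router would send anyway, so the added cost is one ipset lookup per new connection rather than a log parser.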

I’m willing to give advice but a bit more information is needed. :wink:

I believe you are a home user with a standard SOHO router connected to the internet, with a single IP, and the router is doing NAT.
I also believe you have at least one service (e.g. a web server) accessible from the internet.

I also believe you want to run Crowdsec on the router? Is this correct?