Preventing port scans...

[yanksfan]

Hello everyone,
Is there some way to setup a firewall to stop the box from responding to port scans? Does a port scanner actually initate each TCP connection like it would, say when you're connecting to a regular web page? If it doesn't, then is there some way to recognize that its a port scanner on the other side and stop the response??

[x acidreign x]

If I'm not mistaken pretty much any firewall will do exactly that... speaking of which you should really be running a firewall anyway. Any one is better than none.

[yanksfan]

I am running a firewall, but I'm talking about services. If I'm running a web server that's availble to the internet, won't a port scanner detect that as well?

[Wickdgin]

From what I have seen most comercial personal firewalls for Windows have rulesets built in to prevent port scanning.

Any good firewall that uses stateful packet filtering should be able to be configured to block port scanning.

Port scanners work in many different ways, Nmap's documentation gives a pretty good description on different portscan methods.

[Tedob1]

not really, if your running a web server and a scanner sends a request for a tcp connection to port 80, you server is going to respond. theres no way to stop that. thats why you better know how to secure your box if your going to run a server on the internet.

[SoggyBottom]

Tedob1 is right. When you think about it, a port scan is no different to a legitimate TCP connection. What is the difference between the following?

- Using a port scanner to scan machine x on port 80.
- Telnetting to machine x on port 80.
- Using a browser to access machine x on port 80.

Thats right, Nothing.

Any firewall configured correctly, wont "prevent" port scanning, but it will certainly drop packets that you havent specifically allowed through. (Thats what firewalls do!!)

Again, I whole heartedly agree with Tedob1, and think that it is crucially important to learn how to configure Firewall rules, harden machines before placing them in ANY public environment.

[t2k2]

I agree with Ted and Soggy - good points both of you. Ok, here's the thing, port scanners such as Nmap take advantage of the inherent "weaknesses" in the TCP/IP stack. For example, it is natural for a host's stack to reply to a SYN packet with an ACK, ...and so on and so forth. A scanner will look for the expected response to whatever type of scan it's doing in order to determine if the port in question is indeed open. I highly recommend reading up on Nmap as suggested since it comes with a "small" plethora of scan types to help probe a host. I hope this helps you understand. If you still need help, let us know. That's what AO is here for.

[RiOtEr]

http://www.psionic.com/products/

port sentry

it will detect port scans even stealth scans and do what you want with the ip
really easy to set up and pretty good in my eyes hope it helps
rioter

[slarty]

Have some sort of active IDS which installs realtime rules in the firewall banning IPs?

Maybe but this is not a very good idea because a malicious user who knows about it might IP spoof a genuine user's IP address and have them firewalled out for scanning.

Alternatively, have a firewall with a "fake ack" which responds positively to *any* TCP SYN. That way the scanner cannot tell which ports are open and which merely have a phanton syn ack on them (assuming the initial serial number choosing algorithm it uses is the same as the host's own OS)

That won't stop "full connect" scans, but it will fool syn scans and greatly slow down true connect scans (because the host scanning will wait for the third part of the TCP setup, which will never arrive)

I have no idea what programs / products have these features but I believe a few do.

Oh yes, and if you use a fake ack make sure the scan packets never reach the host OS or its RSTs will give the game away

[nebulus200]

There are a couple of things I would recommend, one has already been mentioned:

psionic portsentry. Set it up to return tons of bogus information, it will not only detect the port scans, but you can set it up to then automatically block that IP (be careful, or you might block yourself). If it returns too much bogus information, the scan is useless.

Another thing you can do is have a proxying firewall that answers for every port, every IP on your network. AT a minimum it will slow every scan to a crawl and on the up side, it will return every IP is up and every IP has every port open...completely useless to the scanner Of course it is a royal pain in the rear to do that and get it working right, but much more of a pain to the person scanning you (and you might want to just do it for well known ports and deny rest)

Either way, tons of garbage information will taint the results, possibly so bad that they move on...

/nebulus