
Thread: Preventing port scans...

  1. #11
    I personally use BlackICE Defender from NetworkICE that stops many, if not all, port scans. In fact even now it has just warned me and blocked a SOCKS port scan.

    You can get it from http://www.networkice.com I think. Well worth it.

    [pong]Frolic As The Llama Would[/pong]
    THEprophetMOSES

  2. #12
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Originally posted here by nebulus200
    Another thing you can do is have a proxying firewall that answers for every port, every IP on your network. At a minimum it will slow every scan to a crawl and on the up side, it will return every IP is up and every IP has every port open... completely useless to the scanner
    /nebulus
    Er..... Actually, ports that answer usually speed up a scan; it's the ports that don't answer, and therefore require retries after the preset reply timeout, that really slow down scans. Hence any good scanner allows you to set the number of retries and the timeout between retries, so you can make the scan more efficient or effective depending on other factors.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #13
    Junior Member
    Join Date
    Oct 2002
    Posts
    2
    Hello,
    a firewall can reject or deny the ports which shall be denied.

    REJECT - reject forwarding of IP packet
    DENY - simply ignore IP packet

    If you want to stop the box from responding to port scans you have to choose the deny method.
    Then the connection to the ports will time out. But you cannot stop the port scan itself, because the port scanner can send a thousand requests simultaneously while waiting for a response.
    But with deny you stop the requests of legitimate servers, for example the ident request on port 113. Therefore you will help spammers and script kiddies by choosing the deny method.
    Reject will reject the request actively, and is as secure as deny.

    Sorry for my bad English.
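
The points made in the last two posts (a reply, open or reset, resolves a scanner's probe at once while silence costs the full timeout plus retries, and DENY also stalls legitimate callers such as an ident lookup on port 113) can be put into a small timing model. This is an added example, not code from anyone in the thread; the "firewall" is a plain dict, no packets are sent, and RTT, timeouts and retry counts are constructed values.

```python
# Added example (not from the thread): a toy timing model of a sequential TCP
# scan against REJECT (RST / ICMP reply) versus DENY/DROP (silence), and the
# cost of the same choice for a legitimate client doing an ident (113) lookup.
# No packets are sent; the "firewall" is a dict and all timings are constructed.

RTT = 0.05  # constructed round-trip time in seconds


def probe_time(reply, timeout, retries):
    """Seconds a scanner spends on one port.

    reply is 'open' (SYN/ACK), 'reject' (RST or ICMP unreachable) or 'drop'
    (no answer). Any reply settles the probe in one RTT; silence costs the
    full timeout for the first try and again for every retry.
    """
    if reply in ("open", "reject"):
        return RTT
    if reply == "drop":
        return timeout * (1 + retries)
    raise ValueError(f"unknown reply type: {reply}")


def scan_time(policy, timeout=1.0, retries=2):
    """Total time for a sequential scan of every port in the policy map."""
    return sum(probe_time(r, timeout, retries) for r in policy.values())


def ident_delay(policy, client_timeout=30.0):
    """Delay an ident-checking mail server suffers on port 113 before it gets
    an answer or gives up: REJECT answers at once, DROP makes it wait."""
    reply = policy.get(113, "drop")
    return RTT if reply in ("open", "reject") else client_timeout


def build_policy(open_ports, default, overrides=None):
    """Firewall policy for ports 1-1024: open services, a default ('reject'
    or 'drop') for the rest, and per-port overrides such as REJECT on 113."""
    policy = {p: default for p in range(1, 1025)}
    for p in open_ports:
        policy[p] = "open"
    policy.update(overrides or {})
    return policy


if __name__ == "__main__":
    cases = [("reject all", build_policy({80, 443}, "reject")),
             ("drop all", build_policy({80, 443}, "drop")),
             ("drop, reject 113", build_policy({80, 443}, "drop", {113: "reject"}))]
    for name, pol in cases:
        print(f"{name:18s} scan={scan_time(pol):8.2f}s  ident={ident_delay(pol):5.2f}s")
```

Dropping everything makes a full sweep take roughly sixty times longer than rejecting in this model, but it also leaves the ident caller waiting for its whole client timeout; rejecting only port 113 keeps nearly all of the delay for the scanner while the mail server gets an immediate answer.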

  4. #14
    Senior Member
    Join Date
    Oct 2002
    Posts
    314
    One thing to bear in mind regarding IDS is that a good 'port scanner' (as in whoever is doing the scan) will try to defeat the IDS so that it doesn't raise an alert, the most common way being to run the port scan exceptionally slowly (i.e. paranoid mode on nmap). Most script kiddies won't do this however as it can make the port scan take days, so you'll catch most of them with an IDS and by checking your firewall logs.

    As some of the other postings have said, whatever services you allow through the firewall (i.e. http on port 80) a port scan will detect these, as you cannot block port 80 or you would not get any traffic on your web server, and the same applies to any other services you want to allow through.

    You could set your applications (wherever possible) to use non-standard ports, at least that way an attacker won't instantly know what services you are running, although that isn't practical for anything you want the public to access.

    I think as long as you have decent security measures in place a port scan shouldn't be something you worry too much about.
    Quis custodiet ipsos custodes
