Netgate Discussion Forum

Outgoing Portscans - ntopng?

Traffic Monitoring
8 Posts 3 Posters 623 Views
  • S
    StealthNet
    last edited by 23 days ago

    Re: ntopng sshguard

    Hi there!

    I came across this old post trying to figure out why my pfsense firewall is doing outbound portscans.

    At first I thought the host was compromised so I reinstalled pfsense from scratch.

    Then the "scans" started again (portscans to internet networks from my wan ip).

    It seems that ntop is trying to "discover" networks on the wan side, but it is configured to be only on the lan interface.

    Outbound network scans only stopped when I disabled the network discovery feature.

    Has anyone noticed such behavior as well?

    D 1 Reply Last reply 23 days ago Reply Quote 0
    • D
      dennypage @StealthNet
      last edited by 23 days ago

      @StealthNet You have Network Discovery enabled in ntopng. Turn it off. It's in Settings / Preferences / Network Discovery / Active Network Discovery. This option should never be enabled on pfSense. Ditto for Active Monitoring.

      M 1 Reply Last reply 23 days ago Reply Quote 0
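As an added example (not code from the forum thread or the pfSense ntopng package), a defender-side check for the symptom described above: does a set of outbound connection records show a scan-like sweep, and is the source the firewall's own WAN address (firewall-originated, as with ntopng's Active Network Discovery) or a NATed LAN host? The record layout, thresholds and sample addresses are constructed assumptions, not pfSense's log format.

```python
# Added example: flag outbound scan-like bursts in constructed connection
# records; field layout is an assumption for this example, not pfSense's log format.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float   # epoch seconds
    src: str    # source address as logged on the egress interface
    dst: str
    dport: int


def find_scan_bursts(records, window_s=60, min_hosts=20):
    """Return {src: (distinct_hosts, distinct_ports)} for every source that
    reaches at least min_hosts distinct destinations inside a window_s span.
    A sweep hits many hosts on a narrow port set; normal browsing does not."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r.src].append(r)
    hits = {}
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r.ts)
        lo, best = 0, (0, 0)
        for hi in range(len(rs)):
            while rs[hi].ts - rs[lo].ts > window_s:  # slide window start forward
                lo += 1
            span = rs[lo:hi + 1]
            hosts = {r.dst for r in span}
            if len(hosts) > best[0]:                 # keep the densest window seen
                best = (len(hosts), len({r.dport for r in span}))
        if best[0] >= min_hosts:
            hits[src] = best
    return hits


def classify_source(src, wan_ip, lan_prefix):
    """A source equal to the firewall's own WAN address was not a NATed LAN
    host: the firewall itself (e.g. a package such as ntopng) sent it."""
    if src == wan_ip:
        return "firewall-originated"
    return "lan-host" if src.startswith(lan_prefix) else "unknown"


# Constructed sample (documentation address ranges): the WAN address sweeping
# a /24 on port 80 within 40 s, plus one LAN host visiting three sites.
WAN_IP = "203.0.113.7"
SAMPLE = [Conn(float(i), WAN_IP, f"198.51.100.{i}", 80) for i in range(1, 41)]
SAMPLE += [Conn(100.0 + i, "192.168.1.50", f"198.51.100.{10 + i}", 443) for i in range(3)]
```

Calling `find_scan_bursts(SAMPLE)` reports only the WAN address, and `classify_source` on that address returns "firewall-originated", which is the cue to look at packages running on the firewall rather than at LAN hosts.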
      • M
        michmoor LAYER 8 Rebel Alliance @dennypage
        last edited by 23 days ago

        @dennypage said in Outgoing Portscans - ntopng?:

        This option should never be enabled on pfSense. Ditto for Active Monitoring.

        Hey @dennypage
        Can you update the package to not expose those options and only enable with Advanced configuration? Alternatively, place a warning in the ntop options GUI?

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

        D 1 Reply Last reply 23 days ago Reply Quote 0
        • D
          dennypage @michmoor
          last edited by dennypage 22 days ago 23 days ago

          @michmoor said in Outgoing Portscans - ntopng?:

          Can you update the package to not expose those options and only enable with Advanced configuration? Alternatively, place a warning in the ntop options GUI?

          Yea, unfortunately there's no good way to disable internal ntopng options externally. If there were, I would have done so. The closest I could come was to go into the redis db at random times (like via cron) and reset the enable variable. I don't like this approach because it comes as a surprise to the user -- they turn it on, and some seemingly random amount of time later it gets magically turned off. Comes off like something is broken.

          As to a warning, if you are referring to the ntopng GUI itself, there's no way for me to display anything in there. If you're referring to the pfSense package GUI, I could do that, and maybe I should, but I believe most people would either ignore or simply forget about it after they first install the package.

          M 1 Reply Last reply 23 days ago Reply Quote 0
          • M
            michmoor LAYER 8 Rebel Alliance @dennypage
            last edited by michmoor 23 days ago 23 days ago

            @dennypage said in Outgoing Portscans - ntopng?:

            If you're referring to the pfSense package GUI,

            that's exactly where I was thinking :)

            You can never stop users from doing stupid things. The best anyone can do is give a warning.
            Folks still open ports on the WAN for ssh to their pfsense..... can't stop bad habits

            Firewall: NetGate,Palo Alto-VM,Juniper SRX
            Routing: Juniper, Arista, Cisco
            Switching: Juniper, Arista, Cisco
            Wireless: Unifi, Aruba IAP
            JNCIP,CCNP Enterprise

            D 1 Reply Last reply 22 days ago Reply Quote 0
            • D
              dennypage @michmoor
              last edited by 22 days ago

              @michmoor said in Outgoing Portscans - ntopng?:

              You can never stop users from doing stupid things. The best anyone can do is give a warning.
              Folks still open ports on the WAN for ssh to their pfsense..... can't stop bad habits

              Fair.

              S 1 Reply Last reply 22 days ago Reply Quote 0
              • S
                StealthNet @dennypage
                last edited by StealthNet 22 days ago 22 days ago

                @dennypage @michmoor For me, this is an interesting thread.

                I did my fair share of network / host / datacenter administration back in the 90s, but now I am just curious about pfsense to the point where I am moving from an apartment to a new house and building a new networking infrastructure based on it and a couple of managed switches and APs to expand a home automation hobby.

                I didn't know a thing about ntop or pfsense a month ago and I asked an honest question, trying to learn more about it.

                Maybe that was my mistake: using something with access to the internet without knowing enough details about it (although I knew it was supposed to be closed by default, not open).

                But hey, I am not protecting CIA.

                OTOH, I am using CE and installing a package that came with it.

                I configured ntop explicitly informing which network is local.

                Tbh I never thought a default package would do some kind of outbound network discovery based on class C scanning of internet hosts.

                I don't think this is ok.

                I think this is considered nowadays offensive behavior and imho no package with default config should scan internet hosts and blame a new user that didn't know that much.

                You might say: but you enabled network discovery.

                Yes, I did.

                I thought that it wouldn't start scanning the entire internet because I said to it where my local network was.

                My mistake.

                Either way, I don't think that should be considered a "stupid" thing from someone with bad habits.

                So please, give a warning.

                Thanks for the support.

                D 1 Reply Last reply 21 days ago Reply Quote 2
                • D
                  dennypage @StealthNet
                  last edited by 21 days ago

                  @StealthNet said in Outgoing Portscans - ntopng?:

                  Tbh I never thought a default package would do some kind of outbound network discovery based on class C scanning of internet hosts.

                  I don´t think this is ok.

                  I agree. I was rather shocked when I discovered this while diagnosing the same issue with another pfSense user who happens to be a close friend of mine. He had also enabled it because ntopng's description made it sound like a good thing.

                  Anyway, I appreciate your, and others', input on this. I believe I will add a set of warnings to the next version of the package, to at least have put forth the information/warning.

                  Thank you.

                  1 Reply Last reply Reply Quote 1
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.