What would cause my server to show UDP port scans coming from my VLAN IP?
-
I have multiple VLANs. One of them is on 192.168.40.1/24. I have https://www.cipherdyne.org/psad/ installed on a server that is on this VLAN. As of right now this server is the only thing on this VLAN and the only traffic allowed to that VLAN is SSH from one of my other VLANs. I am getting a slew of alerts from PSAD telling me that it is getting UDP port scans from 192.168.40.1. I can't figure out why... Hundreds of emails like this, seconds apart:
=-=-=-=-=-=-=-=-=-=-=-= Fri Jan 1 21:49:40 2021 =-=-=-=-=-=-=-=-=-=-=-=

        Danger level: [3] (out of 5)

    Scanned UDP ports: [45343-48574: 4 packets, Nmap: -sU]
       iptables chain: INPUT (prefix "[IPTABLES]"), 4 packets

               Source: 192.168.40.1
                  DNS: [No reverse dns info available]

          Destination: 192.168.40.10
                  DNS: nook.local.lan

   Overall scan start: Thu Dec 31 22:09:35 2020
   Total email alerts: 115
   Complete UDP range: [68-60823]
      Syslog hostname: nook

         Global stats:      chain:   interface:   protocol:   packets:
                            INPUT    eno1         udp         630

[+] Whois Information (source IP):
...
How can I narrow down why these are happening?
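An added example, not from the thread and not part of PSAD itself: a small Python parser for the PSAD alert e-mail format shown above. It groups alerts by source, destination and protocol so that hundreds of near-identical e-mails collapse into a few lines (alert count, packet total, port span), and it notes when the source is the VLAN gateway address, which is the case the later replies turn on. The two sample alerts (the first copied from the question, the second constructed) and the gateway set `VLAN_GATEWAYS` are assumptions made for the example.

```python
import re

# Constructed sample: the alert from the question (trimmed after "Syslog hostname")
# plus a second, constructed alert so grouping has more than one record to work on.
SAMPLE_ALERTS = """\
=-=-=-=-=-=-=-=-=-=-=-= Fri Jan 1 21:49:40 2021 =-=-=-=-=-=-=-=-=-=-=-=

        Danger level: [3] (out of 5)

    Scanned UDP ports: [45343-48574: 4 packets, Nmap: -sU]
       iptables chain: INPUT (prefix "[IPTABLES]"), 4 packets

               Source: 192.168.40.1
                  DNS: [No reverse dns info available]

          Destination: 192.168.40.10
                  DNS: nook.local.lan

   Overall scan start: Thu Dec 31 22:09:35 2020
   Total email alerts: 115
   Complete UDP range: [68-60823]
      Syslog hostname: nook

=-=-=-=-=-=-=-=-=-=-=-= Fri Jan 1 21:49:52 2021 =-=-=-=-=-=-=-=-=-=-=-=

        Danger level: [3] (out of 5)

    Scanned UDP ports: [50001-50004: 2 packets, Nmap: -sU]
       iptables chain: INPUT (prefix "[IPTABLES]"), 2 packets

               Source: 192.168.40.1
                  DNS: [No reverse dns info available]

          Destination: 192.168.40.10
                  DNS: nook.local.lan
"""

# Assumption for the example: the VLAN gateway address mentioned in the thread.
VLAN_GATEWAYS = {"192.168.40.1"}

# One "=-=-= <timestamp> =-=-=" banner starts each alert.
HEADER = re.compile(r"^=(?:-=)+ (?P<ts>.+?) =(?:-=)+$", re.M)
FIELDS = {
    "danger": re.compile(r"^\s*Danger level: \[(\d+)\]", re.M),
    # "[45343-48574: 4 packets" or, for a single port, "[53: 4 packets"
    "ports":  re.compile(r"^\s*Scanned (TCP|UDP) ports: \[(\d+)(?:-(\d+))?: (\d+) packets", re.M),
    "chain":  re.compile(r'^\s*iptables chain: (\S+) \(prefix "([^"]*)"\), (\d+) packets', re.M),
    "src":    re.compile(r"^\s*Source: (\S+)", re.M),
    "dst":    re.compile(r"^\s*Destination: (\S+)", re.M),
}

def parse_alerts(text):
    """Split a mailbox of PSAD alert e-mails into one dict per alert."""
    parts = HEADER.split(text)  # [preamble, ts1, body1, ts2, body2, ...]
    alerts = []
    for ts, body in zip(parts[1::2], parts[2::2]):
        m_ports, m_src, m_dst = (FIELDS[k].search(body) for k in ("ports", "src", "dst"))
        if not (m_ports and m_src and m_dst):
            continue  # incomplete alert: skip rather than guess at fields
        m_danger = FIELDS["danger"].search(body)
        m_chain = FIELDS["chain"].search(body)
        lo = int(m_ports.group(2))
        alerts.append({
            "time": ts,
            "danger": int(m_danger.group(1)) if m_danger else None,
            "proto": m_ports.group(1).lower(),
            "port_lo": lo,
            "port_hi": int(m_ports.group(3) or lo),
            "packets": int(m_ports.group(4)),
            "chain": m_chain.group(1) if m_chain else None,
            "src": m_src.group(1),
            "dst": m_dst.group(1),
        })
    return alerts

def summarize(alerts):
    """Aggregate per (src, dst, proto): alert count, packet total and port span."""
    groups = {}
    for a in alerts:
        g = groups.setdefault((a["src"], a["dst"], a["proto"]),
                              {"alerts": 0, "packets": 0,
                               "port_lo": a["port_lo"], "port_hi": a["port_hi"]})
        g["alerts"] += 1
        g["packets"] += a["packets"]
        g["port_lo"] = min(g["port_lo"], a["port_lo"])
        g["port_hi"] = max(g["port_hi"], a["port_hi"])
    return groups

def source_hint(src, gateways=VLAN_GATEWAYS):
    """Name the next check to run, following the reasoning in the replies."""
    if src in gateways:
        return ("source is the VLAN gateway: the traffic comes from the router itself "
                "or from a host behind outbound NAT; check outbound NAT and the state "
                "table on that interface")
    return "source is a host on the segment: check which hosts and rules can reach the VLAN"

if __name__ == "__main__":
    for (src, dst, proto), g in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"{src} -> {dst} {proto}: {g['alerts']} alerts, {g['packets']} packets, "
              f"ports {g['port_lo']}-{g['port_hi']}")
        print("  " + source_hint(src))
```

Feed it a saved mailbox of the alert e-mails instead of `SAMPLE_ALERTS` and the per-pair port span and packet counts show whether one source is probing a wide range or the same few ports keep recurring, which is the first thing to know before looking at the firewall's state table.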
-
@imthenachoman said in What would cause my server to show UDP port scans coming from my VLAN IP?:
How can I narrow down why these are happening?
By checking who can communicate with this VLAN?
Example: remove all firewall and NAT rules, and the alerts stop.
-
But, since the source is 192.168.40.1, wouldn't the traffic be coming from pfSense itself, and not another device on my network? 192.168.40.1 is the IP of the VLAN on my router.
-
Yes, unless you have outbound NAT configured on that interface.
Check the state table for states on that interface.
Steve