Block Ports enumeration
-
Hi
Is there any method to stop responding to port scan , if someone try to check if the port is open ,?? without using IDS/IPS
Thank you
-
This is already the default behaviour. pfSense WAN blocks unsolicited incoming traffic instead of rejecting it.
Are you having an issue or seeing something strange?
-
Thank you for your replay
I have some ports open ( NAT to Internal Server) , by doing scan using nmap I can see the all the information ( web version , ssh version ,..).I know that in some Firewall even the port is open , you get get answer by doing telnet on port or scan using tools like nmap.
-
So you open ports but don't want people to connect to them. Got it.
Your only hope is probably IDS/IPS.
-
Lock your ports open to only the ips you want to use these forwards if your worried about some one finding them open ;)
Or use say something like pfblocker to block all the "bad" country IPs that you don't want to be able to scan your ports..
-
@Derelict yes you got it , I opened some ports and I need if someone scan or telnet one of those ports , he get not response.I tried both SNORT and SURICATA , but I still get the response .
@johnpoz, How to lock the port with the IPs?
-
On your forward where it says source network.. But in the network/IP you want to use this port forward. If more than one create an alias put in the IPs or Netblocks you want to be able to use this port forward..
-
It's exactly what I did , I forward the port to my internal server.But what I'm asking for is how to block port scan and not respond to any request , For example I have a port 80 open and I need if someone do telnet xx.xx.xx.xx 80 get nothing ,or if he use software scan.Is that possible with pfsense?, I know that most of firewall like stonesoft, juniper … do that natively
-
That is pfsense out of the box!! If you scan a port with your telnet example and the port is not forward and allowed for the IP its coming from they will get back NOTHING..
If I forward port 80 only if your coming from 1.2.3.4, and you are hitting it from 5.6.7.8 you will get back NOTHING…
"I know that most of firewall like stonesoft, juniper ... do that natively"
Not sure where you got this from?? If you scan a port that is forwarded you will get a response.. On ANY firewall.. If you do not forward any thing or allow anything out of the box you will get NOTHING back from pfsense... Go to grc.com shields up for example..
Pfsense is not the one answering anything a forward - the box you forwarded too is the one answering... So lets say you forward 80 to 192.168.1.100, you could setup something on that box to not answer 80 unless you did a port knock on it, etc
edit: Here maybe this will help... So you see I forward ports 32400, and 32401 for plex access. But I have it locked down to only the source networks that are in my plexaccess alias.. So when scanned from outside those show as "stealth" <rolleyes> Ie no answer came back from those ports when coming from an IP that is not allowed per the forward and firewall rule. Because the scanning IP was not in the allowed IP/networks.. There is no answer.
But if I come from one of those IPs - then its open.. See plex how it shows that its available - because I allow the netblock their check comes from and my 2 son's specific IPs.. So you can go direct to my plex server from the internet or you can do an indirect stream, etc..
See the alias listing of netblocks.. If your coming from any other IP - the grc scan then you will not get any sort of answer..
</rolleyes>
-
Hi ,
Thank you very much , I appreciate your help .
Maybe as @Derelict said the only way to prevent ports scan is to use IPS/IDS , in your opinion who is the best between SNORT and SURICATA?
-
Yes a ips can block a port scan if happens fast enough, but if its a slow scan and or they hit your port that you have forwarded first they are going to see it open.
How many ports do you have open?
-
not too many , at max 10 ports
