    What would cause my server to show UDP port scans coming from my VLAN IP?

      imthenachoman

      I have multiple VLANs. One of them is on 192.168.40.1/24. I have https://www.cipherdyne.org/psad/ installed on a server that is on this VLAN. As of right now this server is the only thing on this VLAN and the only traffic allowed to that VLAN is SSH from one of my other VLANs.

      I am getting a slew of alerts from PSAD telling me that it is getting UDP port scans from 192.168.40.1. I can't figure out why...

      Hundreds of emails like this, seconds apart:

      =-=-=-=-=-=-=-=-=-=-=-= Fri Jan  1 21:49:40 2021 =-=-=-=-=-=-=-=-=-=-=-=
      
      
               Danger level: [3] (out of 5)
      
          Scanned UDP ports: [45343-48574: 4 packets, Nmap: -sU]
             iptables chain: INPUT (prefix "[IPTABLES]"), 4 packets
      
                     Source: 192.168.40.1
                        DNS: [No reverse dns info available]
      
                Destination: 192.168.40.10
                        DNS: nook.local.lan
      
         Overall scan start: Thu Dec 31 22:09:35 2020
         Total email alerts: 115
         Complete UDP range: [68-60823]
            Syslog hostname: nook
      
               Global stats:
                             chain:   interface:  protocol:  packets: 
                             INPUT    eno1        udp        630       
      
      [+] Whois Information (source IP):
      
      ...
      

      How can I narrow down why these are happening?

        Gertjan @imthenachoman

        @imthenachoman said in What would cause my server to show UDP port scans coming from my VLAN IP?:

        How can I narrow down why these are happening?

        By checking who can communicate with this VLAN ?
        Example : remove all firewall and NAT rules, and the alerts stop.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          imthenachoman @Gertjan

          @gertjan

          But, since the source is 192.168.40.1, wouldn't the traffic be coming from pfSense itself, and not another device on my network? 192.168.40.1 is the IP of the VLAN on my router.

            stephenw10 Netgate Administrator

            Yes, unless you have outbound NAT configured on that interface.

            Check the state table for the states on that interface.

            Steve
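
Added example, not part of any post in this thread: one way to go through the firewall log that the replies ask about is to group the logged UDP packets from 192.168.40.1 by source port, which shows whether they all leave one port on the gateway or many. The log lines are constructed samples in the standard iptables LOG format, using the `[IPTABLES]` prefix from the psad alert; `parse_line` and `summarize` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed sample lines (standard iptables LOG layout, values invented for illustration).
SAMPLE_LOG = """\
Jan  1 21:49:36 nook kernel: [IPTABLES] IN=eno1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.40.1 DST=192.168.40.10 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=1001 PROTO=UDP SPT=53 DPT=45343 LEN=56
Jan  1 21:49:37 nook kernel: [IPTABLES] IN=eno1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.40.1 DST=192.168.40.10 LEN=92 TOS=0x00 PREC=0x00 TTL=64 ID=1002 PROTO=UDP SPT=53 DPT=46810 LEN=72
Jan  1 21:49:38 nook kernel: [IPTABLES] IN=eno1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.40.1 DST=192.168.40.10 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=1003 PROTO=UDP SPT=53 DPT=48574 LEN=56
Jan  1 21:49:39 nook kernel: [IPTABLES] IN=eno1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.40.1 DST=192.168.40.10 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=1004 PROTO=UDP SPT=123 DPT=123 LEN=56
Jan  1 21:49:40 nook kernel: [IPTABLES] IN=eno1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.168.10.5 DST=192.168.40.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1005 PROTO=TCP SPT=50122 DPT=2222 WINDOW=64240 SYN
Jan  1 21:49:40 nook sshd[812]: Accepted publickey for admin from 192.168.10.5 port 50123
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_line(line, prefix="[IPTABLES]"):
    """Return the KEY=VALUE fields of one iptables LOG line, or None if the prefix is absent."""
    _, found, rest = line.partition(prefix)
    if not found:
        return None
    fields = {}
    for key, value in FIELD.findall(rest):
        fields.setdefault(key, value)  # keep the first LEN (IP length), not the UDP LEN
    return fields

def summarize(log_text, src, proto="UDP"):
    """Group logged packets from `src` by source port, most frequent port first."""
    counts, dports = Counter(), {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("SRC") != src or f.get("PROTO") != proto:
            continue
        if "SPT" not in f or "DPT" not in f:  # e.g. non-first fragments carry no ports
            continue
        sport, dport = int(f["SPT"]), int(f["DPT"])
        counts[sport] += 1
        dports.setdefault(sport, []).append(dport)
    return {sp: {"packets": n, "dpt_min": min(dports[sp]), "dpt_max": max(dports[sp])}
            for sp, n in counts.most_common()}

if __name__ == "__main__":
    for sport, info in summarize(SAMPLE_LOG, "192.168.40.1").items():
        print(f"SPT={sport:<5} packets={info['packets']:<4} "
              f"DPT range={info['dpt_min']}-{info['dpt_max']}")
```

On a real host, pass the contents of the file that receives the kernel log instead of `SAMPLE_LOG`.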
