Netgate Discussion Forum
    Outgoing Portscans - ntopng?

    StealthNet:

      Re: ntopng sshguard

      Hi there!

      I came across this old post trying to figure out why my pfsense firewall is doing outbound portscans.

      At first I thought the host was compromised so I reinstalled pfsense from scratch.

      Then the "scans" started again (portscans to internet networks from my wan ip).

      It seems that ntop is trying to "discover" networks on the wan side, but it is configured to be only on the lan interface.

      Outbound network scans only stopped when I disabled the network discovery feature.

      Has anyone noticed such behavior as well?

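The symptom StealthNet describes (the firewall's own WAN address sweeping Internet hosts) is easy to miss in a firewall log because NATed client traffic leaves with the same source address. The script below is an added detection example, not part of this thread and not pfSense or ntopng code: it groups outbound WAN connections by source, slides a 60-second window over them, and reports a host sweep (many distinct destinations) or a port scan (many distinct ports on one destination). The log format is a constructed, simplified `epoch,iface,direction,proto,src,dst,dport` record, and the interface name `em0`, the WAN address `203.0.113.10` and the thresholds are assumptions chosen for the sample data; a real pfSense filterlog line has many more fields, so `parse_record()` is the piece to adapt.

```python
"""Flag outbound host sweeps and port scans from the firewall's own WAN
address.  Added example for this page, not pfSense or ntopng code.
Input: constructed log lines 'epoch,iface,direction,proto,src,dst,dport'.
WAN_IFACE, WAN_ADDR and the thresholds are assumptions for the sample."""
from collections import defaultdict
from dataclasses import dataclass

WAN_IFACE = "em0"           # assumed WAN interface name
WAN_ADDR = "203.0.113.10"   # assumed WAN address (RFC 5737 documentation range)
WINDOW_S = 60               # sliding window in seconds
HOST_THRESHOLD = 16         # distinct destination hosts in a window -> host sweep
PORT_THRESHOLD = 16         # distinct ports on one host in a window -> port scan


@dataclass(frozen=True)
class Record:
    ts: int
    iface: str
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_record(line):
    """Parse one constructed log line; adapt this for a real filterlog format."""
    parts = line.strip().split(",")
    if len(parts) != 7:
        raise ValueError(f"unexpected field count in {line!r}")
    ts, iface, direction, proto, src, dst, dport = parts
    return Record(int(ts), iface, direction, proto, src, dst, int(dport))


def detect_scans(lines):
    """Return findings for outbound connections on the WAN interface.

    Each finding is a dict: kind ('host_sweep' or 'port_scan'), src, count,
    target (None for a sweep) and window_start.  One finding per kind per
    source is reported, for the densest window.  NATed client traffic also
    leaves with the WAN address as source, so a hit on WAN_ADDR means
    "something on or behind the firewall is sweeping"; the state table
    (pfctl -ss) is what attributes it to the firewall itself or a client.
    """
    recs = sorted((parse_record(ln) for ln in lines if ln.strip()), key=lambda r: r.ts)
    by_src = defaultdict(list)
    for r in recs:
        if r.iface == WAN_IFACE and r.direction == "out":
            by_src[r.src].append(r)

    findings = []
    for src, rs in by_src.items():
        best_hosts = (0, None)          # (count, window_start)
        best_ports = (0, None, None)    # (count, target, window_start)
        for i, first in enumerate(rs):
            hosts = set()
            ports = defaultdict(set)
            for r in rs[i:]:            # records are sorted, so stop at window end
                if r.ts - first.ts > WINDOW_S:
                    break
                hosts.add(r.dst)
                ports[r.dst].add(r.dport)
            if len(hosts) > best_hosts[0]:
                best_hosts = (len(hosts), first.ts)
            for dst, ps in ports.items():
                if len(ps) > best_ports[0]:
                    best_ports = (len(ps), dst, first.ts)
        if best_hosts[0] >= HOST_THRESHOLD:
            findings.append({"kind": "host_sweep", "src": src, "count": best_hosts[0],
                             "target": None, "window_start": best_hosts[1]})
        if best_ports[0] >= PORT_THRESHOLD:
            findings.append({"kind": "port_scan", "src": src, "count": best_ports[0],
                             "target": best_ports[1], "window_start": best_ports[2]})
    return findings


def sample_log():
    """Constructed sample: a /24 sweep on 443 and a 20-port probe of one host,
    both from the WAN address, mixed with records the detector must ignore."""
    base = 1700000000
    lines = [
        f"{base},em1,in,tcp,192.168.1.20,198.51.100.1,443",     # LAN side: ignored
        f"{base + 5},em0,in,tcp,192.0.2.99,{WAN_ADDR},22",      # inbound on WAN: ignored
    ]
    for n in range(1, 25):   # 24 hosts of 198.51.100.0/24, one every 2 s
        lines.append(f"{base + 2 * n},em0,out,tcp,{WAN_ADDR},198.51.100.{n},443")
    lines.append(f"{base + 50},em0,out,tcp,{WAN_ADDR},192.0.2.5,443")   # ordinary traffic
    lines.append(f"{base + 52},em0,out,tcp,{WAN_ADDR},192.0.2.6,80")
    for p in range(1, 21):   # ports 1-20 on one host, one per second, after a pause
        lines.append(f"{base + 200 + p},em0,out,tcp,{WAN_ADDR},198.51.100.50,{p}")
    return lines


if __name__ == "__main__":
    for finding in detect_scans(sample_log()):
        print(finding)
```

On the sample data the script reports one host sweep (26 distinct hosts in a window starting at the first sweep record) and one port scan (20 ports on 198.51.100.50), both attributed to the WAN address. Feeding it real records would let you confirm, as StealthNet did, that the sweeps stop once Active Network Discovery is disabled, rather than reinstalling the box on suspicion of compromise.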
      dennypage (replying to StealthNet):

        @StealthNet You have Network Discovery enabled in ntopng. Turn it off. It's in Settings / Preferences / Network Discovery / Active Network Discovery. This option should never be enabled on pfSense. Ditto for Active Monitoring.

        michmoor (replying to dennypage):

          @dennypage said in Outgoing Portscans - ntopng?:

          This option should never be enabled on pfSense. Ditto for Active Monitoring.

          Hey @dennypage
          Can you update the package to not expose those options and only enable with Advanced configuration? Alternatively, place a warning in the ntop options GUI?

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

          dennypage (replying to michmoor):

            @michmoor said in Outgoing Portscans - ntopng?:

            Can you update the package to not expose those options and only enable with Advanced configuration? Alternatively, place a warning in the ntop options GUI?

            Yea, unfortunately there's no good way to disable internal ntopng options externally. If there were, I would have done so. The closest I could come was to go into the redis db at random times (like via cron) and reset the enable variable. I don't like this approach because it comes as a surprise to the user -- they turn it on, and some seemingly random amount of time later it gets magically turned off. Comes off like something is broken.

            As to a warning, if you are referring to the ntopng GUI itself, there's no way for me to display anything in there. If you're referring to the pfSense package GUI, I could do that, and maybe I should, but I believe most people would either ignore or simply forget about it after they first install the package.

            michmoor (replying to dennypage):

              @dennypage said in Outgoing Portscans - ntopng?:

              If you're referring to the pfSense package GUI,

              that's exactly where I was thinking :)

              You can never stop users from doing stupid things. The best anyone can do is give a warning.
              Folks still open ports on the WAN for ssh to their pfsense..... can't stop bad habits


              dennypage (replying to michmoor):

                @michmoor said in Outgoing Portscans - ntopng?:

                You can never stop users from doing stupid things. The best anyone can do is give a warning.
                Folks still open ports on the WAN for ssh to their pfsense..... cant stop bad habits

                Fair.

                StealthNet (replying to dennypage):

                  @dennypage @michmoor For me, this is an interesting thread.

                  I did my fair share of network / host / datacenter administration back in the 90s, but now I am just curious about pfsense to the point where I am moving from an apartment to a new house and building a new networking infrastructure based on it and a couple of managed switches and APs to expand a home automation hobby.

                  I didn't know a thing about ntop or pfsense a month ago and I asked an honest question, trying to learn more about it.

                  Maybe that was my mistake: using something with access to the internet without knowing enough details about it (although I knew it was supposed to be closed by default, not open).

                  But hey, I am not protecting the CIA.

                  OTOH, I am using CE and installing a package that came with it.

                  I configured ntop explicitly informing which network is local.

                  Tbh I never thought a default package would do some kind of outbound network discovery based on class C scanning of internet hosts.

                  I don't think this is OK.

                  I think this is nowadays considered offensive behavior, and IMHO no package with default config should scan internet hosts and blame a new user who didn't know that much.

                  You might say: but you enabled network discovery.

                  Yes, I did.

                  I thought that it wouldn't start scanning the entire internet because I told it where my local network was.

                  My mistake.

                  Either way, I don't think that should be considered a "stupid" thing from someone with bad habits.

                  So please, give a warning.

                  Thanks for the support.

                  dennypage (replying to StealthNet):

                    @StealthNet said in Outgoing Portscans - ntopng?:

                    Tbh I never thought a default package would do some kind of outbound network discovery based on class C scanning of internet hosts.

                    I don´t think this is ok.

                    I agree. I was rather shocked when I discovered this while diagnosing the same issue with another pfSense user who happens to be a close friend of mine. He had also enabled it because ntopng's description made it sound like a good thing.

                    Anyway, I appreciate your, and others', input on this. I believe I will add a set of warnings to the next version of the package, to at least have put forth the information/warning.

                    Thank you.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.