Do these entries indicate port scans?



  • Hi I wonder if someone can help me to decipher if these entries are indicative of someone port scanning my pfsense to try to gain access to the SSH login?  If so, is there some kind of package to automatically block their IP's.
    I get entries like these all the time in my system log.
    I am currently on 1.2.3, only packages installed are HAVP and snort.  But only HAVP is running.  snort isn't running.
    Thanks.

    Mar 15 23:58:15 pfsense sshd[34347]: error: connect_to 216.211.139.151 port 80: failed.
    Mar 15 23:58:15 pfsense sshd[34347]: error: connect_to 216.211.139.151 port 80: failed.
    Mar 16 00:51:33 pfsense sshd[34051]: error: connect_to 207.241.226.202 port 80: failed.
    Mar 16 00:51:33 pfsense sshd[34051]: error: connect_to 207.241.226.202 port 80: failed.

    Mar 16 19:59:19 pfsense sshd[33830]: error: connect_to 207.241.226.202 port 80: failed.
    Mar 16 19:59:19 pfsense sshd[33830]: error: connect_to 207.241.226.202 port 80: failed.
    Mar 16 19:59:19 pfsense sshd[33830]: error: connect_to 207.241.226.202 port 80: failed.

    Mar 15 23:38:40 pfsense sshd[47527]: error: connect_to jfx.sfbay.sun.com port 5001: failed.
    Mar 15 23:38:40 pfsense sshd[47527]: error: connect_to jfx.sfbay.sun.com port 5001: failed.
    Mar 15 23:39:26 pfsense sshd[47527]: error: connect_to jfx.sfbay.sun.com port 5001: failed.



  • The denyhosts package will help block ssh script kitties. Yes this is a port scan being run against you by many script kitties.

    I would suggest changing the SSH port to something other than 22 (like 222). This will prevent these types of attacks.


Log in to reply