Port Scan Attack Detector ??!



  • Hi all,
    How do I set up Port Scan Attack Detector with pfSense so that it blocks the IP of the scanner?
    In pf.conf:

    ################ Macros ###################################

    # States & Queues
    TcpState="flags S/SA modulate state"

    # Ports
    AntiScanPort="{23:79, 6000:8000}"

    # Stateful Tracking Options
    AntiScanSTO="(max 60, source-track rule, max-src-conn 1, max-src-nodes 60, max-src-conn-rate 1/60, overload <blacklist> flush global)"

    ################ Tables ####################################
    table <blacklist> persist

    ################ Filtering #################################

    # Block blacklisted
    block in quick on $ExtIf from <blacklist> to any

    # ExtIf Inbound
    pass in log on $ExtIf inet proto tcp from any to any port $AntiScanPort $TcpState $AntiScanSTO

    How do I use this in pfSense?
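Added example (not part of the original post, and not pf's own code): a simplified Python model of what `max-src-conn-rate 1/60` with `overload <blacklist> flush global` does in the rule set posted above, followed by the `block in quick` rule. The function names, verdict strings and sample events are assumptions constructed for illustration; pf itself computes the rate as a moving-average approximation and applies these limits to TCP connections that have completed the 3-way handshake.

```python
from collections import defaultdict

ANTISCAN_PORTS = [(23, 79), (6000, 8000)]   # AntiScanPort macro from the post
RATE_LIMIT, RATE_WINDOW = 1, 60             # max-src-conn-rate 1/60


def port_matches(dport):
    """True if dport falls in one of the inclusive AntiScanPort ranges."""
    return any(lo <= dport <= hi for lo, hi in ANTISCAN_PORTS)


def evaluate(events):
    """events: (timestamp_seconds, src_ip, dst_port) tuples sorted by time,
    each standing for a TCP connection that completed its handshake.
    Returns (blacklist, verdicts) with one verdict string per event."""
    blacklist = set()
    recent = defaultdict(list)   # src -> timestamps of tracked connections
    verdicts = []
    for ts, src, dport in events:
        if src in blacklist:                 # block in quick ... from <blacklist>
            verdicts.append("block")
            continue
        if not port_matches(dport):          # pass rule does not apply here
            verdicts.append("no-match")
            continue
        window = [t for t in recent[src] if ts - t < RATE_WINDOW]
        window.append(ts)
        recent[src] = window
        if len(window) > RATE_LIMIT:         # overload <blacklist> flush global
            blacklist.add(src)
            verdicts.append("overload")
        else:
            verdicts.append("pass")
    return blacklist, verdicts


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE = [
    (0, "198.51.100.7", 25),     # first connection from this source
    (5, "203.0.113.9", 6667),    # a different source
    (10, "198.51.100.7", 79),    # second connection within 60 s
    (12, "198.51.100.7", 443),   # source already in the table
    (70, "203.0.113.9", 7000),   # 65 s after its previous connection
    (80, "192.0.2.4", 443),      # port outside AntiScanPort
]

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

Because the limits count completed handshakes, a source only reaches the table by connecting to ports that actually answer behind this pass rule; probes to closed or filtered ports are not counted by it.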



  • The file you are looking for is generated by the system. It's in /tmp if you want to look at it, but be aware that any changes you make will get erased when a filter change is made.

    If you're looking for a way to detect port scans there is a package called strikeback that does just that. It detects port scans and allows you to strikeback with a port scan.



  • OK, thanks ;D

