Port Scan Attack Detector ??!
-
Hi all,
How do I set up Port Scan Attack Detector with pfSense so that it blocks the IP of the scanner?
In pf.conf:
################ Macros ###################################
# States & Queues
TcpState="flags S/SA modulate state"
# Ports
AntiScanPort="{23:79, 6000:8000}"
# Stateful Tracking Options
AntiScanSTO="(max 60, source-track rule, max-src-conn 1, max-src-nodes 60, max-src-conn-rate 1/60, overload <blacklist> flush global)"
################ Tables ####################################
table <blacklist> persist
################ Filtering #################################
# Block blacklisted
block in quick on $ExtIf from <blacklist> to any
# ExtIf Inbound
pass in log on $ExtIf inet proto tcp from any to any port $AntiScanPort $TcpState $AntiScanSTO
How do I use this in pfSense?
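
A simplified model of what the rules posted above do, as an added example that is not part of the original posts and is not pf's own code. It assumes a plain sliding window for max-src-conn-rate (pf keeps a decaying counter) and leaves out max-src-conn, max and max-src-nodes; the function names and sample events are constructed for illustration.

```python
from collections import defaultdict, deque

# Values copied from the posted ruleset.
PORT_RANGES = [(23, 79), (6000, 8000)]  # AntiScanPort; pf port ranges are inclusive
RATE_LIMIT, RATE_WINDOW = 1, 60         # max-src-conn-rate 1/60

def in_scan_ports(port):
    return any(lo <= port <= hi for lo, hi in PORT_RANGES)

def simulate(events):
    """events: (time_s, src_ip, dst_port, handshake_completed) tuples.
    Returns ({src: time blacklisted}, [verdict per event in time order])."""
    blacklist, verdicts = {}, []
    recent = defaultdict(deque)          # src -> times of completed handshakes
    for t, src, port, established in sorted(events):
        if src in blacklist:             # block in quick ... from <blacklist>
            verdicts.append("block")
            continue
        if not in_scan_ports(port):      # this pass rule does not match
            verdicts.append("other-rule")
            continue
        verdicts.append("pass")
        if not established:              # limits count completed handshakes only
            continue
        q = recent[src]
        while q and t - q[0] >= RATE_WINDOW:
            q.popleft()
        q.append(t)
        if len(q) > RATE_LIMIT:          # overload <blacklist> flush global
            blacklist[src] = t
            verdicts[-1] = "pass-then-overload"
    return blacklist, verdicts

# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE = [
    (0, "198.51.100.7", 25, True),     # first completed connection
    (0, "203.0.113.9", 25, True),
    (2, "198.51.100.7", 80, True),     # port 80 is outside 23:79
    (5, "198.51.100.7", 6667, True),   # second completion within 60 s
    (6, "198.51.100.7", 7000, True),   # source is now in <blacklist>
    (10, "192.0.2.44", 23, False),     # SYNs that never complete a handshake
    (11, "192.0.2.44", 24, False),
    (70, "203.0.113.9", 25, True),     # 70 s after its first connection
]

if __name__ == "__main__":
    bl, v = simulate(SAMPLE)
    print(bl, v, sep="\n")
```

In this model any source that completes two connections to the listed ports within 60 seconds lands in the table, which also applies to an ordinary client reconnecting quickly, while connection attempts that never complete the handshake are not counted.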
-
The file you are looking for is generated by the system. It's in /tmp if you want to look at it, but be aware that any changes you make will get erased when a filter change is made.
If you're looking for a way to detect port scans, there is a package called strikeback that does just that. It detects port scans and allows you to strike back with a port scan.
-
OK, thanks ;D