How to block scan port 22?

vinacaptcha · May 20, 2014, 8:44 AM

Hello all,

How to block scan port 22 on LAN?
So, still allow PC on LAN connect to SSH on port 22, but when detect PC is scanning port 22 then block. How to config on pfsense router?
Thanks for advance help :)

vinacaptcha · May 21, 2014, 8:18 AM

Anybody help me ! thanks

podilarius · May 21, 2014, 11:28 AM

Not sure how you would block an internal port 22 scan. The traffic should never reach a firewall. So unless you have a layer 3 switch that can filter that out, there is no firewall that can do this. Now, if the traffic is scanning the internet, a pass rule above the main allow rule with advanced options might do the trick that only scans for port 22. So you can set if there are more than 5 new sessions per second, block.

kpa · May 21, 2014, 12:04 PM

Block access to port 22 on the LAN rules except for selected hosts that you configure with static and known IP addresses. Also disable password authentication on SSH and enforce the use of SSH public keys for login.

vinacaptcha · May 21, 2014, 5:23 PM

@podilarius : Yes, you understood me. So, I need the advanced guide as you said " if there are more than 5 new sessions per second, block" <= Can you help me make a rules for this one?

@kpa: Thanks you, but I don't block that PC if it don't scan port 22, only block PC scanning port 22.

Thanks

BBcan177 · May 21, 2014, 8:47 PM

Hi vinacaptcha,

You can accomplish that with the Snort or Suricata Package.

vinacaptcha · May 22, 2014, 4:21 AM

@BBcan17 : Yes, Thanks.
I will review Snort now. So, difficult or advanced.

BBcan177 · May 22, 2014, 4:49 AM

@vinacaptcha:

@BBcan17 : Yes, Thanks.
I will review Snort now. So, difficult or advanced.

We're all a pfSense family.. take a look at the following link to setup Snort or Suricata (I would recommend Snort as its a little easier to setup)

https://forum.pfsense.org/index.php?topic=61018.0

When you need help post a question in the "packages" forum.