Date: Mon, 22 Sep 2008 13:06:11 -0700 From: "David Allen" <the.real.david.allen@gmail.com> To: freebsd-questions@freebsd.org Subject: Re: Dealing with portscans Message-ID: <2daa8b4e0809221306y3e8ebd4eg321377269ee2e1@mail.gmail.com> In-Reply-To: <48D7D434.6080702@FreeBSD.org> References: <2daa8b4e0809220817v10c4a657l6ee76f853a62b246@mail.gmail.com> <48D7D434.6080702@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 9/22/08, Greg Larkin <glarkin@freebsd.org> wrote: > David Allen wrote: >> Over the last few weeks I've been getting numerous ports scans, each from >> unique hosts. The situation is more of an annoyance than anything else, >> but I would prefer not seeing or having to deal with an extra 20-30K >> entries in my logs as was the case recently. >> >> I use pf for firewalling, and while it does offer different methods >> (max-src-conn, max-src-conn-rate, etc.) for dealing with abusive hosts, it >> doesn't seem to offer much in the way of dealing with repeated blocked >> (non-stateful) connection attempts from a given host. >> >> Short of running something like snort, is there a suitable tool for >> dealing with this? If not, I'll probably resort to running a cronjob to >> parse the logfile and add the offending hosts manually. > > Hi David, > > You might want to try security/portsentry from the ports tree. It's a > bit dated, and it has no maintainer at the moment, but a cursory glance > at it tells me it might work for you. It supports pf for blocking > connections once your trigger conditions are met. I'll give it a try. FWIW, I did discover that parsing the log files to get a list of offending hosts (denied a number of times above a given certain threshold) wasn't really as slow or troublesome as I thought. That slightly hackish approach might be useful for port scans in addition to the various rubbish I get sent. Thanks to both you and Jeff Laine for the replies.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2daa8b4e0809221306y3e8ebd4eg321377269ee2e1>