Vision

asked on

Blocking Port Scanners & Hunter / Seekers

Here's what I'm looking for.
I set up a Linux box and it's functioning as a router.
Now, I'd like to set it up as a server, but the service I'm under doesn't allow that, so I have to set up the server on 'odd' ports.  But I don't want some port scanner to 'sniff' me out.  So what I'm hoping to find is a program that will sit on ports '21,23,25,80,etc...' and if these ports seem to be hit by the same IP (like from a sniffer) it starts to block ALL communication from that IP.

Does that make sense?

I'm running Slackware 7
2.2.13
486Dx2/66
20 Meg ram

jlevie

If the service that you are using is so militant about their customers not running servers that you are afraid that they'll run a port scanner on you, then I doubt that what you are proposing will work. The ISP could just as easily determine if you are running any servers by sampling the traffic. If they see, for example, telnet traffic with a destination address that's your IP then they'd know you were running a server.

For your system to be usable, whatever ports you are using, telnet, ftp, etc., would have to be normally open. Anything that looks for port scanning has to determine that it's occurring by detecting multiple connection attempts from the same or a small set of IPs. This means that the scanner would get positive results on one or more ports before any intrusion detection package would recognize that a port scan was occurring. So even if you then blocked that IP(s) your ISP would know that you had servers running.

Maybe you need to consider finding an ISP that has a more relaxed attitude about their customers running servers.
Vision (asker)

I'd love to switch, unfortunately this is the only high speed connection available in my area.  I may dodge the bullet because I only want the high speed access for my own personal use (non-published).  
I was planning on using non-standard ports so that if someone were trying to 'sniff' out a server they would most likely hit 2 or 3 'normal' ports before trying a port sniffer.  In a case like this, anyone who hits those standard ports (21 FTP, 23 telnet, 80 www, more?) would be banned.  Maybe I'll just have to write my own program.  
On a side note, I'd settle for a program that looks for normal port sniffers.  (The ones that go from 1-xxxx.)   No need to draw attention to my 'hidden' server :-)
-Vision
I use a program named portsentry. It's pretty easy to use. You can download it:

http://www.psionic.com/abacus/portsentry/

(There is more information there.)

You can have those ports blocked when someone scans you; there is an option for that.

And you can put in a hosts ignore list, which means that those hosts don't get blocked.

Then you have a perfect "firewall" :)

-Makangas
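To make jlevie's point concrete (a threshold-based detector must let the scanner get several positive results before it can decide a scan is underway) and to show the kind of hosts-ignore list Makangas mentions, here is an added example. It is not portsentry's code and not part of the original thread; it assumes constructed, iptables-LOG-style syslog lines (documentation addresses only, year fixed at 2000 because syslog timestamps carry none) and a hypothetical ignore list containing 203.0.113.9. It runs offline and reports, for each blocked source, which ports it had already probed before the block fired.

```python
"""Threshold-based port-scan detector (added example, not portsentry code).

Counts distinct destination ports per source address inside a sliding time
window; once a source exceeds the threshold it is "blocked" and later packets
from it are counted as dropped. The report also lists the ports each scanner
touched before the block fired, which is exactly the window jlevie describes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an iptables-LOG-like layout (not real traffic).
# 192.0.2.10 sweeps six ports, 203.0.113.7 just retries port 80,
# 203.0.113.9 sweeps five ports but sits on the ignore list.
SAMPLE_LOG = """\
Mar  2 10:00:01 router kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=21 SYN
Mar  2 10:00:01 router kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=23 SYN
Mar  2 10:00:02 router kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=25 SYN
Mar  2 10:00:02 router kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=80 SYN
Mar  2 10:00:03 router kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=110 SYN
Mar  2 10:00:05 router kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=143 SYN
Mar  2 10:00:07 router kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=80 SYN
Mar  2 10:01:30 router kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=80 SYN
Mar  2 10:02:00 router kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP DPT=21 SYN
Mar  2 10:02:00 router kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP DPT=23 SYN
Mar  2 10:02:01 router kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP DPT=25 SYN
Mar  2 10:02:01 router kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP DPT=80 SYN
Mar  2 10:02:02 router kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.5 PROTO=TCP DPT=443 SYN
"""

WINDOW = timedelta(seconds=60)      # sliding window per source address
THRESHOLD = 4                        # distinct ports inside WINDOW that count as a scan
IGNORE_HOSTS = {"203.0.113.9"}       # hypothetical hosts-ignore list (never blocked)

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) "
    r".*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2000):
    """Return (timestamp, source, dest_port) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"])


def detect_scans(lines, threshold=THRESHOLD, window=WINDOW, ignore=IGNORE_HOSTS):
    """Replay log lines and return (blocked, dropped).

    blocked: src -> {"blocked_at": datetime, "ports_probed_before_block": [ports]}
    dropped: src -> number of packets seen from a source after it was blocked
    """
    recent = defaultdict(deque)     # src -> deque of (ts, port) inside the window
    blocked = {}
    dropped = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, port = parsed
        if src in ignore:            # ignore-list hosts are never counted or blocked
            continue
        if src in blocked:           # already blocked: just count what would be dropped
            dropped[src] += 1
            continue
        q = recent[src]
        while q and ts - q[0][0] > window:   # expire entries outside the window
            q.popleft()
        q.append((ts, port))
        ports = {p for _, p in q}
        if len(ports) >= threshold:
            # Every port in this set already answered (or was probed) before we acted.
            blocked[src] = {"blocked_at": ts, "ports_probed_before_block": sorted(ports)}
    return blocked, dict(dropped)


if __name__ == "__main__":
    blocked, dropped = detect_scans(SAMPLE_LOG.splitlines())
    for src, info in blocked.items():
        print(f"{src}: blocked at {info['blocked_at'].time()} after probing "
              f"{info['ports_probed_before_block']}; {dropped.get(src, 0)} later packets dropped")
```

On the constructed input, 192.0.2.10 is blocked only after its fourth distinct port, so ports 21, 23, 25 and 80 were all probed first, which is the observation window jlevie warns about; 203.0.113.7 retrying a single port never trips the threshold, and 203.0.113.9 is exempt through the ignore list. Lowering THRESHOLD shortens that window at the cost of more false positives from legitimate clients that touch a few ports.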
ASKER CERTIFIED SOLUTION
jlevie

This solution is only available to members.
Vision (asker)

Comment accepted as answer
Vision (asker)

Thanks for the info.  I guess I have a list of stuff I'll have to sort through to get the info I need.  I probably don't have the time to do it for a bit.  Too many other problems that are more immediate.