Solved

Prevent Port Scanning

Posted on 2003-03-31
6
Medium Priority
650 Views
Last Modified: 2010-04-11
I've recently installed a new Sonicwall Pro-VX and successfully implemented it into my network. My company's T1 line comes into a Cisco 2500 router and then directly into the WAN port on the Sonicwall.

My log file on the Sonicwall is showing some pretty dedicated and regular port scanning, by Source IP:

66.111.48.154

Destination is:

255.255.255.255, LAN

I've run some basic checks on that IP and found it to be on "blackmajick.net", which has been blacklisted by a few antispam sites and shows up on various security warning sites.

There's a flurry of activity (and 5 or 6 entries in the Sonicwall log) about every 8 minutes.

From what I understand, physically having the Sonicwall in place does protect me from the port scanning itself, but all those attempts fill up my log files and (to be honest) make me feel a bit victimized... especially because I head to www.blackmagick.net and see a bunch of stuff related to IRC scripts and photos of pimply teenagers.

Is it possible for me to set up either my router or my Sonicwall to completely block or ignore any and all traffic coming from that IP? I'm not a complete expert on the Cisco IOS but I can follow instructions well.. and there doesn't appear to be much in the router's config file - no access lists, etc. Is there another thing I should consider trying?

In the SonicWall logs, I also regularly see "ICMP packet dropped [router public IP addy], 5, WAN   [SW public IP addy], 5, WAN 'Route Redirect'". I don't think that's related to my port scanning issue, but the two log entries do seem to show up with the same regularity, and Sonicwall's tech support site says something generic like "because of a misconfigured router".
Question by: decker12
6 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 8242331
I always use an access-list in the screening access router to block out these unwanted pranksters. As soon as you identify the culprit, simply add that subnet to the list of denied networks in your screening router, and your firewall will never see them.
I also block most ICMP traffic inbound, save for echo-reply, unreachables, packet-too-big, and ttl-exceeded.

In your case, if you don't have an acl on the router now,
start with this:

interface serial 0
 ip access-group 101 in
!
! deny your rogue host (the whole /24 it sits in):
access-list 101 deny ip 66.111.48.0 0.0.0.255 any
!
! permit any established session (established by an internal host)
! "established" is only valid on tcp entries, so this must be tcp, not ip:
access-list 101 permit tcp any any established
!
! permit all dns responses:
access-list 101 permit udp any eq 53 any
!
! limit ICMP traffic (icmp entries take the message type directly, with no "eq"):
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any ttl-exceeded
!
! prevent sql worm (Slammer spreads on udp/1434; 1433/tcp is the SQL Server listener):
access-list 101 deny udp any any eq 1434
access-list 101 deny tcp any any eq 1433
!
! account for anything else internal:
access-list 101 permit ip any host <ip add of firewall>
!
! deny and log everything else so you can watch your logs. Any host/network filling up the log can simply be added to the denies at the top:
!
access-list 101 deny ip any any log

The last line with the "log" keyword lets you see if you are accidentally denying anything you need.



Since I don't know the particulars of anything that you have inside like web servers, email, etc, you'll have to tailor this to your network.
0
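To see why entry order matters in a list like the one above, here is a small added example (not from this thread or from Cisco) that simulates IOS extended-ACL semantics, top-down with first match winning and an implicit deny at the end, and runs the question's traffic through it. The firewall WAN address 203.0.113.2 and the outside host 198.51.100.9 are constructed values.

```python
# Added example (not from the thread): a small simulator of Cisco IOS extended-ACL
# semantics, top-down with first match winning and an implicit deny at the end, to
# check the screening-router list against the question's traffic. Constructed values:
# firewall WAN address 203.0.113.2, outside host 198.51.100.9.
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False  # TCP ACK or RST set, which is what "established" matches
    icmp_type: str = ""

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', so 0.0.0.255 covers a whole /24."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

ANY = ("0.0.0.0", "255.255.255.255")           # "any"
FIREWALL = ("203.0.113.2", "0.0.0.0")          # "host <ip add of firewall>"
OK_ICMP = ("echo-reply", "unreachable", "ttl-exceeded")

# (action, protocol, source, destination, extra match) in the order given above
ACL_101 = [
    ("deny",   "ip",   ("66.111.48.0", "0.0.0.255"), ANY, lambda p: True),
    ("permit", "tcp",  ANY, ANY, lambda p: p.ack_or_rst),           # established
    ("permit", "udp",  ANY, ANY, lambda p: p.sport == 53),          # dns replies
    ("permit", "icmp", ANY, ANY, lambda p: p.icmp_type in OK_ICMP),
    ("deny",   "tcp",  ANY, ANY, lambda p: p.dport == 1433),
    ("permit", "ip",   ANY, FIREWALL, lambda p: True),
]

def evaluate(acl, pkt):
    """Return (action, index of the matching entry); index -1 is the implicit deny."""
    for i, (action, proto, (sb, sw), (db, dw), extra) in enumerate(acl):
        if proto != "ip" and proto != pkt.proto:
            continue
        if wildcard_match(pkt.src, sb, sw) and wildcard_match(pkt.dst, db, dw) and extra(pkt):
            return action, i
    return "deny", -1

# Constructed samples: the scanner's broadcast probe, and an outside ping of the firewall
SCAN = Packet("tcp", "66.111.48.154", "255.255.255.255", dport=445)
PING_FW = Packet("icmp", "198.51.100.9", "203.0.113.2", icmp_type="echo-request")
```

Running PING_FW through the list shows a caveat worth knowing: the closing "permit ip any host <firewall>" matches before the implicit deny, so every ICMP type still reaches the firewall's own address and the ICMP restriction only protects other inside addresses.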
 
LVL 24

Expert Comment

by:SunBow
ID: 8247269
Hmm, subnet is broadcast ip, firewalls are more adept at blocking, but routers? Seems that routers need tables to route to proper destination, interesting - could you destine the stuff to 66.111.48.154? Router would maybe need some smartness.

If you find you need more than the above, consider the firewall TA.
0
 
LVL 1

Author Comment

by:decker12
ID: 8247615
I guess I don't know as much about the router configuration procedure as I thought. I typed in lrmoore's access list items but don't seem to have a way to display what I've inserted into the ACL.

After I exit from conf, I do a show access-list 101 from router# and nothing appears. Also, some of the other commands were not recognized completely.

access-list 101 permit icmp any any eq ttl-expired

Will error on the "eq" part and I have to use "ttl-exceeded" instead of expired.

Would updating my IOS to the latest version help? I don't think an update has *ever* been run on this router. I think the one time I tried I couldn't get deeper into the Cisco download area because I didn't have a service contract or some junk (which makes no sense to me, especially if I plan on updating the IOS manually.. why do I need a service contract if all they're providing me is the file?).

Any ideas?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 200 total points
ID: 8248561
If you're not getting any hits on the acl, seen from "show ip access-list", then it is not applied to the interface, or is on the wrong interface. It should be applied to your serial interface, inbound.

In order to edit the acl, it is a 3 step process:
1. Remove the acl from the interface
interface serial 0
 no ip access-group 101 in

2. delete, then re-create the acl entirely:
no access-list 101
access-list 101 permit ....
<etc>

3. Re-apply it to the interface
interface serial 0
 ip access-group 101 in


What version IOS are you running? Perhaps you have other acls or other configuration anomalies that are preventing this from working. I'd have to see the complete config..

0
 
LVL 1

Author Comment

by:decker12
ID: 8249869
Thanks for your help. I've realized I can't upgrade my IOS without buying some bullsh*t "service contract" with Cisco. They won't even let me download it, even though I can dig deep into the site and upgrade the IOS on my Catalyst 2900XL.

So I'm kind of stuck with what I have on the router end. I did lock down some more ports and whatnot on the Sonicwall side and I'll monitor that as well as I can.
0