BBrayton

How to stop port scanning hackers

I have a server that had 28000 failed login attempts. When I clicked on the failed login attempt, it shows a username, an IP address outside the network, and a port. How can I stop this from happening?
SOLUTION
rharland2009

This solution is only available to members.
Sounds like your firewall needs to be more secure.

Do you run a firewall on your server or on the router?

If router, what type do you have?
BBrayton

ASKER

Router: Linksys RV042
SOLUTION
Alexios Valonasis

This solution is only available to members.
We use port forwarding and only allow certain ports.
What port?
In the RV042

Check to make sure you have the firewall enabled; also check that all settings are correct for your network.

Port forwarding just allows you to route traffic; that does not block access.
25, 80, 443, 1723, 3389, 987
25, 80, 443, 1723, 3389, 987

Are these the ports you are forwarding or the ports that the attacks are coming from?
Forwarding
Is the firewall running on the RV042?
What ports are you seeing the attacks on?
Under firewall settings, firewall is enabled, so is SPI, Denial of Service, WAN requests, Multicast Passthrough, and HTTPS. Remote management is disabled.
port 2700
2689 too
it changes
They are scanning for open ports.
You need to set up an access rule in your RV042 to block port 2700.
But the port always changes.
SOLUTION
This solution is only available to members.
If DMZ is off on the router, doesn't that mean that the ports that are forwarded are the only ports that pass through?
DMZ is active for a specified IP address / host.  All ports are forwarded on that IP address, but other hosts are only accessible via the specified forwarded ports.
Isn't DMZ for all inbound traffic?
For the specified hosts, yes. Enabling it won't open all ports on your whole network.
Were you getting event ID 529 in the security log?

You need to restrict (on the firewall) the allowed source IP to your one.
[Image: Specified host example]
Yes, 529
What are your access rules in the RV042? Please post a screenshot.
LAN allow all traffic
WAN1 deny all traffic
WAN2 deny all traffic
That looks good

back to head scratching mode
What is the offending IP address?
48.182.109.26
114.70.63.85
67.55.113.168
207.237.187.100

These are only a few; the IP keeps changing as well.
Try setting this up on the RV042:

Define a DENY rule:
Source: Internal LAN
Destination: Internet
Protocol: DNS (UDP, TCP Prot:53)

This will stop outside attempts against DNS.
Send an email to the organizations. Also keep an eye on your firewall / logs, because these are all random organizations; most likely a hacker has a backdoor on their servers or switches and may be targeting you from these remote addresses (based on the number of attempts).

By alerting the real owners, hopefully they will take care of this on their end. I understand these are only a few of the IPs, but it's a start. Again, keep a close eye on your log.


net48admin@prudential.com
search-apnic-not-arin@apnic.net - Not sure this one will work
abuse@webair.com
For all abuse issues, please contact abuse@rcn.com
ASKER CERTIFIED SOLUTION
This solution is only available to members.
I've requested that this question be deleted for the following reason:

n
You had a lot of helpful information and you are deleting the question without follow-up, and your reason is "n".
Hardly seems fair to those that invested their time.