pfsense firewall block port scans

Is there a way of blocking port scans on pfsense 2.2? I can do this without any problems on my juniper firewalls so figured this is kind of a given on pfsense, especially the latest versions.
projects asked:

Zephyr ICT (Cloud Architect) commented:
The best way to do this is to install the Snort package and enable that to block port scans, it has the feature built-in.

Naturally you need to make sure that your hardware is up to the extra load this brings and also it is a good idea to invest in a Sourcefire subscription for getting the up to date Snort rules.
0
gheist commented:
I don't think there is a way to detect a slow scan of ports via TOR or done by some botnet.
Best is to not keep open ports for no purpose.
0
Zephyr ICT (Cloud Architect) commented:
I don't think there is a way to detect a slow scan of ports via TOR or done by some botnet.
Best is to not keep open ports for no purpose.

I agree, gheist, but if we have to be constructive, Snort is the better solution regarding pfSense, even if it only helps to stop some script kiddies. I think even port knocking does not help against slow/deliberate scanning ...
0

noci (Software Engineer) commented:
What might help here is fail2ban. Then you can use arbitrary log files and use those to identify an IP address that should be blocked, for a certain amount of time.
I use this to do:
if a site produces 3 login failures on ssh, pop3s, imaps then it will be blocked with a drop warning for a day
if a site produces multiple entries on the drop list it will be totally blocked for 1 month.
Of course, you can make your own rules. And you can catch port scans by blocking with a drop message any port that is not legitimate.
http://www.fail2ban.org/
0
projects (Author) commented:
I want the simplest way of preventing (if possible) port scans without getting into a lot of additional maintenance.

Someone mentioned not exposing any ports, but those which are exposed are needed; otherwise they would not be showing up.

My Juniper firewalls running ScreenOS have these things by default without any maintenance. Nothing shows, nothing at all. The only way to know if a port exists is to connect to it if you know about it.
0
Zephyr ICT (Cloud Architect) commented:
Regarding pfSense there will not be a simple way, there's no setting that will help you here, this is because it's an open source, modular, firewall ... It's made this way so you can configure it to your liking, whereas industry firewalls, like Juniper, sell devices with all bells and whistles included (depending on the model of course).

So, the best solution is still installing the Snort package, it's not that difficult and really not a lot of work.

Besides that, Juniper is also "vulnerable" to certain port scans, unless you set the threshold really high, but that can cause possible issues with applications.
1
projects (Author) commented:
All I have are some standard ports. I don't think I need to invest in a subscription.

22/tcp   open   ssh
443/tcp  open   https
902/tcp  open   iss-realsecure-sensor
903/tcp  closed iss-console-mgr
8443/tcp open   https-alt

I've installed it, configured it, enabled portscan monitoring, blocked at the interface and the interface is started.

However, ports still show up by scanning from remote. Missing something.
0
Zephyr ICT (Cloud Architect) commented:
Did you enable the block offenders option under (I think) General Settings -> Alert Settings? (just confirming my understanding)

What kind of port scan are you doing? A general one or a targeted one? Are you seeing warnings in the logging?

[edit] Did you also check if the rule was selected for port scans on the Snort Interface? You can click on "edit" on the right side, go to categories and select the proper rule, called snort_scan.rules ...
0
projects (Author) commented:
Yes, that is under WAN Settings for the interface, called Block Offenders.
Yes, the rule is also checked.
Yes, I do see the port scans from the logging.


Not sure what you mean by what kind of port scans, but from another network I'm doing the following:

# nmap 198.15.79.74

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2015-07-04 08:19 MST
Interesting ports on xx.xx.xx.xx:
Not shown: 1675 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
443/tcp  open   https
902/tcp  open   iss-realsecure-sensor
903/tcp  closed iss-console-mgr
8443/tcp open   https-alt

Nmap finished: 1 IP address (1 host up) scanned in 21.480 seconds
0
Zephyr ICT (Cloud Architect) commented:
Yes, that's the problem with port-scans sometimes ... Though it's weird it's not being blocked, maybe playing with the sensitivity might help, but might cause issues with other applications.

I will check my setup to see if I'm overlooking something.
0
projects (Author) commented:
Any thoughts?
0
Zephyr ICT (Cloud Architect) commented:
Hi, well I'm not sure, I haven't had the chance to do an external port scan yet, I did go over all my settings and I also know that a previous port scan was blocked, as well as other port scans that occasionally happen...

There are quite a few settings to go over, all I can say at the moment is to make sure you haven't overlooked any... I will try a port scan this evening probably.
0
projects (Author) commented:
I'll wait for your reply before asking for help to boost the question since you're the only one to reply so I'd like to give you the solution.
0
Zephyr ICT (Cloud Architect) commented:
Well ... I tried a few port scans today, and the first two got blocked but the later one was a slow one (t0) and that one did give a result (after a long wait) ...

I'm not sure where the difference is, except for the fact I'm a paying customer (personal plan) for the signatures ...
0
noci (Software Engineer) commented:
If I do a portscan for a few ports with 1 hour in between and from different sources, they would be hard to pick up.

As I mentioned before, you can use fail2ban to scan any log file, and if an IP address is mentioned on a log line that states a violation of your terms of service you can tell fail2ban to convert it to a block on an IP port.
So even login failures to SSH or FTP can be picked up: n times bad password, strike out.
MySQL login failures... same way, etc.
You can also let iptables create log records (log target) with a prefix for fail2ban so it can tell first time offenders or multiple offenders ... and extend blocks....
1
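noci's two comments describe fail2ban reading firewall log lines, counting hits per source address and escalating the ban for repeat offenders. As an added illustration, written for this page and not fail2ban's own code or anything posted in the thread, here is that escalation logic in Python run over constructed iptables-style LOG lines; the "PORTSCAN" log prefix, the host name "fw", all addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from the thread). An iptables rule such as
# "-j LOG --log-prefix 'PORTSCAN '" tags dropped packets; "fw" is a hypothetical host.
SAMPLE_LOG = """\
Jul  4 08:19:01 fw kernel: PORTSCAN IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=21
Jul  4 08:19:02 fw kernel: PORTSCAN IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=23
Jul  4 08:19:03 fw kernel: PORTSCAN IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40002 DPT=25
Jul  4 08:19:04 fw kernel: PORTSCAN IN=eth0 SRC=198.51.100.200 DST=198.51.100.7 PROTO=TCP SPT=5555 DPT=3389
Jul  4 08:19:05 fw sshd[812]: Accepted publickey for admin from 198.51.100.9 port 50222 ssh2
Jul  4 09:30:00 fw kernel: PORTSCAN IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40003 DPT=110
Jul  5 10:00:00 fw kernel: PORTSCAN IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40004 DPT=21
Jul  5 10:00:05 fw kernel: PORTSCAN IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40005 DPT=22
Jul  5 10:00:09 fw kernel: PORTSCAN IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40006 DPT=23
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: PORTSCAN .*SRC=(\S+) .*DPT=(\d+)")

def parse_line(line, year=2015):
    """(timestamp, src, dport) for a tagged drop, else None. Syslog carries no
    year, so one is assumed (2015 matches the nmap run quoted in the thread)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m.group(1).split())}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), int(m.group(3))

def scan_bans(lines, maxretry=3, findtime=timedelta(minutes=10),
              bantime=timedelta(days=1), repeat_bantime=timedelta(days=30)):
    """fail2ban-style escalation: maxretry distinct dports from one SRC inside findtime
    -> ban for bantime; every later ban of the same SRC lasts repeat_bantime instead.
    Returns a list of (src, duration, expiry) for each ban issued."""
    hits, ban_until, ban_count, bans = defaultdict(list), {}, defaultdict(int), []
    for ts, src, dport in filter(None, map(parse_line, lines)):
        if ts < ban_until.get(src, ts):
            continue  # still banned: the firewall drops it, nothing new to count
        window = [(t, p) for t, p in hits[src] if ts - t <= findtime] + [(ts, dport)]
        hits[src] = window
        if len({p for _, p in window}) < maxretry:
            continue
        ban_count[src] += 1
        duration = bantime if ban_count[src] == 1 else repeat_bantime
        ban_until[src], hits[src] = ts + duration, []  # reset the window on ban
        bans.append((src, duration, ts + duration))
    return bans
```

Running `scan_bans(SAMPLE_LOG.splitlines())` bans 203.0.113.5 for a day after its three-port burst, ignores the hit that arrives during that ban, and issues the 30-day ban on its next burst; the single hit from 198.51.100.200 never reaches the threshold.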
Zephyr ICT (Cloud Architect) commented:
If I do a portscan for a few ports with 1 hour in between and from different sources, they would be hard to pick up.

Yes, that's what I'm saying, really stopping all port-scans will be a hard feat ... Fail2Ban is a nice program, I think we need to look at this as creating as many layers as possible.
0