pfsense firewall block port scans
Is there a way of blocking port scans on pfSense 2.2? I can do this without any problems on my Juniper firewalls, so I figured this is kind of a given on pfSense, especially the latest versions.

Zephyr ICT:

The best way to do this is to install the Snort package and enable that to block port scans, it has the feature built-in.

Naturally you need to make sure that your hardware is up to the extra load this brings, and it is also a good idea to invest in a Sourcefire subscription to get the up-to-date Snort rules.

gheist:

I don't think there is a way to detect a slow scan of ports via TOR or one done by some botnet.
Best is to not keep open ports for no purpose.

Zephyr ICT:

> I don't think there is a way to detect a slow scan of ports via TOR or one done by some botnet.
> Best is to not keep open ports for no purpose.

I agree gheist, but if we have to be constructive, Snort is the better solution regarding pfSense, even if it only helps stop some script kiddies. I think even port knocking does not help against slow/deliberate scanning ...

SOLUTION by noci (answer text is hidden behind a login on the page)

projects (asker):

I want the simplest way of preventing (if possible) port scans without getting into a lot of additional maintenance.

Someone mentioned not exposing any ports, but those which are exposed are needed; otherwise they would not be showing up.

My Juniper firewalls running ScreenOS have these things by default without any maintenance. Nothing shows, nothing at all. The only way to know if a port exists is to connect to it if you know about it.

Zephyr ICT:

Regarding pfSense there will not be a simple way; there's no setting that will help you here. This is because it's an open source, modular firewall ... It's made this way so you can configure it to your liking, whereas industry firewalls, like Juniper, sell devices with all the bells and whistles included (depending on the model of course).

So, the best solution is still installing the Snort package; it's not that difficult and really not a lot of work.

Besides that, Juniper is also "vulnerable" to certain port scans, unless you set the threshold really high, but that can cause possible issues with applications.

All I have are some standard ports. I don't think I need to invest in a subscription.

22/tcp   open   ssh
443/tcp  open   https
902/tcp  open   iss-realsecure-sensor
903/tcp  closed iss-console-mgr
8443/tcp open   https-alt

I've installed it, configured it, enabled portscan monitoring, blocked at the interface, and the interface is started.

However, ports still show up by scanning from remote. Missing something.

Zephyr ICT:

Did you enable the block offenders option under (I think) General Settings -> Alert Settings? (just confirming my understanding)

What kind of port scan are you doing? A general one or a targeted one? Are you seeing warnings in the logging?

[edit] Did you also check if the rule was selected for port scans on the Snort Interface? You can click on "edit" on the right side, go to categories and select the proper rule, called snort_scan.rules ...

Yes, that is under WAN Settings for the interface, called Block Offenders.
Yes, the rule is also checked.
Yes, I do see the port scans from the logging.

Not sure what you mean by what kind of port scans, but from another network I'm doing the following:

# nmap 198.15.79.74

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2015-07-04 08:19 MST
Interesting ports on xx.xx.xx.xx:
Not shown: 1675 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
443/tcp  open   https
902/tcp  open   iss-realsecure-sensor
903/tcp  closed iss-console-mgr
8443/tcp open   https-alt

Nmap finished: 1 IP address (1 host up) scanned in 21.480 seconds

Zephyr ICT:

Yes, that's the problem with port-scans sometimes ... Though it's weird it's not being blocked, maybe playing with the sensitivity might help, but might cause issues with other applications.

I will check my setup to see if I'm overlooking something.

Any thoughts?

Zephyr ICT:

Hi, well I'm not sure. I haven't had the chance to do an external port scan yet. I did go over all my settings, and I also know that a previous port scan was blocked, as well as other port scans that occasionally happen...

There are quite a few settings to go over; all I can say at the moment is to make sure you haven't overlooked any... I will probably try a port scan this evening.

I'll wait for your reply before asking for help to boost the question since you're the only one to reply so I'd like to give you the solution.

Zephyr ICT:

Well ... I tried a few port scans today, and the first two got blocked but the later one was a slow one (t0) and that one did give a result (after a long wait) ...

I'm not sure where the difference is, except for the fact I'm a paying customer (personal plan) for the signatures ...

If I do a port scan of a few ports with 1 hour in between and from different sources, they would be hard to pick up.

As I mentioned before, you can use fail2ban to scan any log file, and if an IP address is mentioned on a log line that states a violation of your terms of service, you can tell fail2ban to convert it to a block on an IP port.
So even login failures to SSH or FTP can be picked up: n times bad password, strike out.
MySQL login failures, the same way, etc.
You can also let iptables create log records (LOG target) with a prefix for fail2ban, so it can tell first-time offenders from repeat offenders ... and extend blocks....
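The pattern the last two posts describe (a burst of probes gets blocked, one probe per hour does not) comes down to the detection window. The following is an added example, not code from the thread, Snort or fail2ban: it applies the same window-and-threshold logic to constructed iptables-style log lines carrying a [PORTSCAN] prefix, and shows how widening the window is what catches the hour-apart scan. The log layout, addresses, ports and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed iptables LOG lines carrying a "--log-prefix" tag, the layout the post above
# suggests for feeding fail2ban; SRC= and DPT= are iptables' own field names (sample data is made up).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: \[PORTSCAN\] .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)
EPOCH = datetime(1900, 1, 1)  # syslog stamps carry no year; strptime defaults to 1900

def parse_line(line):
    """Return (seconds, src_ip, dst_port) for a tagged TCP hit, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return (ts - EPOCH).total_seconds(), m.group("src"), int(m.group("dpt"))

def detect_scanners(lines, window_seconds=60, port_threshold=5):
    """Flag sources touching >= port_threshold distinct ports inside a sliding window."""
    recent = defaultdict(deque)  # src -> (seconds, port) hits still inside the window
    flagged = set()
    for line in lines:  # lines are assumed chronological, as a log file is read
        parsed = parse_line(line)
        if parsed is None:
            continue
        t, src, port = parsed
        hits = recent[src]
        hits.append((t, port))
        while t - hits[0][0] > window_seconds:  # expire hits older than the window
            hits.popleft()
        if len({p for _, p in hits}) >= port_threshold:
            flagged.add(src)
    return flagged

def _line(ts, src, dpt):
    return (f"{ts} fw kernel: [PORTSCAN] IN=em0 OUT= SRC={src} DST=198.51.100.10 "
            f"PROTO=TCP SPT=40000 DPT={dpt} SYN")

SAMPLE_LOG = (
    [_line(f"Jul  4 08:19:{s:02d}", "203.0.113.5", p)            # fast scan: 6 ports in 10 s
     for s, p in zip(range(0, 12, 2), (21, 22, 23, 25, 80, 443))]
    + [_line("Jul  4 08:30:00", "192.0.2.9", 443)]               # one legitimate connection
    + [_line(f"Jul  4 {9 + h:02d}:00:00", "198.51.100.77", p)    # slow scan: 1 port per hour
       for h, p in enumerate((22, 443, 902, 903, 8443, 3389))]
)
```

With the default 60-second window only the burst scanner is flagged; a 24-hour window (86400 seconds) also flags the hour-apart scanner, at the price of more state per source and more risk of catching legitimate clients that touch several services over a day.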

ASKER CERTIFIED SOLUTION by Zephyr ICT (answer text is hidden behind a login on the page)