OPNsense Forum

English Forums => Intrusion Detection and Prevention => Topic started by: RChadwick on June 15, 2020, 07:31:44 pm

Title: Blocking port scans
Post by: RChadwick on June 15, 2020, 07:31:44 pm
While I don't run OPNsense, I used to run pfsense many years ago. I switched to Sophos UTM, mainly for security features like port scan blocking. However, it seems Sophos UTM is dead, and annoying bugs are driving me nuts (like getting an email for EVERY port in a port scan attack. Hundreds of emails from Sophos is like a DOS attack in itself). Can OPNsense detect a port scan, and then block the IP address of the scanner? I heard this was possible with Snort and pfsense, but I'd like to stay away from pfsense for stability reasons.
Thanks!
Title: Re: Blocking port scans
Post by: jclendineng on June 16, 2020, 12:43:39 pm
pfsense does indeed support port scan blocking, as does opnsense. The plugin you want for either firewall is called "suricata", and in the rulesets there is a category for scans :) that will detect port scans and block.
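To confirm that the scan ruleset is actually firing before relying on it to block anything, a quick way is to read the alerts Suricata writes to its EVE JSON log and tally them per source address. The script below is an added example, not code from this thread or from the OPNsense or Suricata projects; the log lines are constructed, and the `scan_sources` / `scan_summary` helpers, the threshold value and the assumption that the ET scan signatures carry an `ET SCAN` prefix are the example's own.

```python
import json
from collections import Counter, defaultdict

# Constructed sample eve.json lines (not real captured traffic). The field
# layout (event_type, src_ip, dest_port, alert.signature, alert.category)
# follows Suricata's EVE JSON alert records.
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2020-06-16T12:00:01.000000+0000", "event_type": "alert",
                "src_ip": "198.51.100.7", "dest_ip": "203.0.113.10", "dest_port": 22,
                "alert": {"signature": "ET SCAN Potential SSH Scan",
                          "category": "Attempted Information Leak", "severity": 2}}),
    json.dumps({"timestamp": "2020-06-16T12:00:02.000000+0000", "event_type": "alert",
                "src_ip": "198.51.100.7", "dest_ip": "203.0.113.10", "dest_port": 23,
                "alert": {"signature": "ET SCAN Suspicious inbound to telnet",
                          "category": "Attempted Information Leak", "severity": 2}}),
    json.dumps({"timestamp": "2020-06-16T12:00:03.000000+0000", "event_type": "alert",
                "src_ip": "198.51.100.7", "dest_ip": "203.0.113.10", "dest_port": 80,
                "alert": {"signature": "ET SCAN NMAP -sS window 1024",
                          "category": "Attempted Information Leak", "severity": 2}}),
    json.dumps({"timestamp": "2020-06-16T12:00:04.000000+0000", "event_type": "alert",
                "src_ip": "198.51.100.7", "dest_ip": "203.0.113.10", "dest_port": 443,
                "alert": {"signature": "ET SCAN NMAP -sS window 1024",
                          "category": "Attempted Information Leak", "severity": 2}}),
    # A single scan alert from another host: below the threshold, so not reported.
    json.dumps({"timestamp": "2020-06-16T12:01:00.000000+0000", "event_type": "alert",
                "src_ip": "192.0.2.55", "dest_ip": "203.0.113.10", "dest_port": 3389,
                "alert": {"signature": "ET SCAN Behavioral Unusual Port 3389 traffic",
                          "category": "Attempted Information Leak", "severity": 2}}),
    # A non-scan alert and a non-alert event, both ignored by the scan tally.
    json.dumps({"timestamp": "2020-06-16T12:01:05.000000+0000", "event_type": "alert",
                "src_ip": "192.0.2.55", "dest_ip": "203.0.113.10", "dest_port": 80,
                "alert": {"signature": "ET POLICY curl User-Agent Outbound",
                          "category": "Attempted Information Leak", "severity": 3}}),
    json.dumps({"timestamp": "2020-06-16T12:01:06.000000+0000", "event_type": "flow",
                "src_ip": "192.0.2.55", "dest_ip": "203.0.113.10", "dest_port": 80}),
    # A truncated line, as happens when the log is read while Suricata is writing.
    '{"timestamp": "2020-06-16T12:01:07.000000+0000", "event_type": "ale',
]

# Assumption: the Emerging Threats scan rules name their signatures "ET SCAN ...".
SCAN_SIGNATURE_PREFIX = "ET SCAN"


def parse_eve(lines):
    """Yield decoded EVE events, skipping blank or truncated/garbled lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_scan_alert(event):
    """True for alert events whose signature comes from the scan ruleset."""
    if event.get("event_type") != "alert":
        return False
    signature = event.get("alert", {}).get("signature", "")
    return signature.startswith(SCAN_SIGNATURE_PREFIX)


def scan_summary(lines):
    """Per source IP: number of scan alerts and the distinct ports probed."""
    counts = Counter()
    ports = defaultdict(set)
    for event in parse_eve(lines):
        if is_scan_alert(event):
            src = event["src_ip"]
            counts[src] += 1
            if "dest_port" in event:
                ports[src].add(event["dest_port"])
    return {src: {"alerts": counts[src], "ports": sorted(ports[src])} for src in counts}


def scan_sources(lines, threshold=3):
    """Source IPs with at least `threshold` scan alerts, mapped to their alert count."""
    return {src: info["alerts"] for src, info in scan_summary(lines).items()
            if info["alerts"] >= threshold}


if __name__ == "__main__":
    # With a real log: open("/var/log/suricata/eve.json") in place of the sample list.
    for src, info in scan_summary(SAMPLE_EVE_LINES).items():
        print(f"{src}: {info['alerts']} scan alerts on ports {info['ports']}")
    print("over threshold:", scan_sources(SAMPLE_EVE_LINES))
```

The threshold is what keeps a single noisy rule from flagging a host; one alert is a data point, a run of them across several ports is the pattern the scan category exists to catch. Compare the IPs this reports with what the IPS has actually blocked to check that the rules are set to drop rather than merely alert.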
Title: Re: Blocking port scans
Post by: RChadwick on June 16, 2020, 04:06:21 pm
Thanks!
One quick question about OPNsense. The reason I left pfsense is that, while pfsense was rock solid, a few needed plugins were not, and would crash the entire router. I heard OPNsense doesn't have third party plugins. Is that true? If so, is that why?
Title: Re: Blocking port scans
Post by: jclendineng on June 23, 2020, 09:32:51 pm
What plugins? I had a few on pfsense and it was solid. Only reason I switched to opnsense was a more aggressive dev timeline. Last pfsense release had terrible performance issues and would randomly hang due to a bug that was put in a future patch. Opnsense has plugins, yes. It's the same base as pfsense (bsd) and as such can use ports.
Title: Re: Blocking port scans
Post by: Ypsilon on July 13, 2020, 03:36:14 pm
This is my first post on this forum, so hi all, and glad to be using OPNsense.
I was in the same boat as you @RChadwick, also running UTM, but meanwhile switched to OPNsense.
So if I remain satisfied as I am now, I will consider a donation.

Portscan was a separate feature in UTM indeed, but also had some issues:
- limiting the number of alert messages didn't work well, spamming my mailbox
- The rules for portscans and threats were not clear in the gui, and from cli they were hard to find.

In OPNsense you have much more control over intrusion detection.
So I have enabled the scan rules, and portscans are being blocked :)