OPNsense Forum

English Forums => General Discussion => Topic started by: Wyrm on July 13, 2021, 08:42:30 pm

Title: Port Scanning block and Port Knocking - is it possible in OPNsense
Post by: Wyrm on July 13, 2021, 08:42:30 pm
Hi,
I have 2 questions, but they could be connected maybe to one solution.

I would like to know if there is some utility or setting to have some rule to block simple port scanning?
It is like in Mikrotik, where you could have some detection of port scanning by setting weights to scanned ports.
There are some rules which then put remote attackers on a list and block them before they get to IDS/IPS.
Is there some solution for this?

There is another request from my customer to have the option to use port knocking.
Is there some way to use it in the OPNsense firewall? Mainly it works like this: there is some defined port opening sequence, and when it is used from an allowed address it opens some port in the firewall.

This could be some option to have as a feature in OPNsense maybe?
Or is it solved by Suricata or SENSEI?

Title: Re: Port Scanning block and Port Knocking - is it possible in OPNsense
Post by: itoffshore on November 08, 2021, 12:52:28 am
fwknop does port knocking with a GPG encrypted / signed packet & is available as a package in FreeBSD. It would need manual configuration. I've used it on Linux & it's quite good.

https://www.cipherdyne.org/fwknop/

psad by the same author detects port scanning but is not in FreeBSD.

Title: Re: Port Scanning block and Port Knocking - is it possible in OPNsense
Post by: benyamin on November 08, 2021, 12:11:42 pm
I have to say, fwknop integration would be very, very cool. Like, very cool.  :D

Re port scanning, proactive blacklisting of known bad actors is a good first line of defense. You can use aliases configured with URL Tables, i.e. lists of IP addresses. You can assemble your own list from a variety of sources, either by hosting it yourself somewhere handy or by using a collection of externally hosted lists implemented as individual aliases. There are too many sources, flavours and opinions out there to write up a definitive solution here, but what I can say is that in conjunction with the usual suspects, e.g. Spamhaus (E)DROP (https://docs.opnsense.org/manual/how-tos/edrop.html), the AbuseIPDB API (https://docs.abuseipdb.com/) works pretty well, but you do need to take note of the truncation and rate limits.

However, none of that is much good on public VPNs that use bogons. Port scanning detection and blocking on such networks is advantageous.

I believe Suricata IDS/IPS can also deal with port scans when properly configured. You may want to post on the OPNsense IDS/IPS Board (https://forum.opnsense.org/index.php?board=27.0) to get the take on this from those lurking there.

Other FreeBSD ports, but not implemented as OPNsense plugins AFAIK, would include the likes of scanlogd (detection only) and portsentry.
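As an added illustration of the weighted port-scan scoring Wyrm asks about (the kind of detection that could feed the blocklist aliases benyamin describes), here is a small detector run over constructed log lines. It is example code written for this thread, not code from OPNsense, psad or any poster; the simplified log format, the port weights, the threshold and the window are all assumptions.

```python
from collections import defaultdict

# Hypothetical per-port weights: probes to ports that normally stay closed on
# the host score higher than hits on a public service (cf. Mikrotik's approach).
PORT_WEIGHTS = {22: 3, 23: 5, 445: 4, 1433: 4, 3389: 5}
DEFAULT_WEIGHT = 1      # any port not listed above
THRESHOLD = 10          # score at which a source is flagged for blocklisting
WINDOW = 60.0           # seconds; older probes from the same source are forgotten


def parse_line(line):
    """Parse one constructed line: '<epoch> <src_ip> <dst_port> <tcp_flags>'."""
    ts, src, port, flags = line.split()
    return float(ts), src, int(port), flags


def score_sources(lines):
    """Return {src_ip: score} for sources whose weighted count of distinct
    destination ports within the sliding WINDOW reaches THRESHOLD."""
    recent = defaultdict(list)   # src -> [(timestamp, port)] inside the window
    flagged = {}
    for line in lines:
        ts, src, port, flags = parse_line(line)
        if flags != "S":         # only bare SYNs count as connection probes
            continue
        events = [(t, p) for t, p in recent[src] if ts - t <= WINDOW]
        events.append((ts, port))
        recent[src] = events
        distinct_ports = {p for _, p in events}   # retries of one port count once
        score = sum(PORT_WEIGHTS.get(p, DEFAULT_WEIGHT) for p in distinct_ports)
        if score >= THRESHOLD:
            flagged[src] = score
    return flagged


# Constructed sample (documentation addresses, not real traffic):
#  - 203.0.113.5 sweeps several closed ports within two seconds -> flagged (score 14)
#  - 198.51.100.9 only retries the web port -> score stays 1
#  - 192.0.2.7 probes two ports 100 s apart -> the first falls out of the window
SAMPLE_LINES = [
    "1000.0 203.0.113.5 22 S",
    "1000.5 203.0.113.5 23 S",
    "1001.0 203.0.113.5 80 S",
    "1001.5 203.0.113.5 3389 S",
    "1002.0 198.51.100.9 443 S",
    "1003.0 198.51.100.9 443 S",
    "1004.0 198.51.100.9 443 PA",
    "2000.0 192.0.2.7 445 S",
    "2100.0 192.0.2.7 3389 S",
]

if __name__ == "__main__":
    print(score_sources(SAMPLE_LINES))   # {'203.0.113.5': 14}
```

In practice the flagged addresses would be written to a list served to an OPNsense URL Table alias, so the block rule picks them up on the next refresh.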