OPNsense Forum » English Forums » Intrusion Detection and Prevention » Blocking port scans

Topic: Blocking port scans (Read 11342 times)

RChadwick

Blocking port scans
« on: June 15, 2020, 07:31:44 pm »
While I don't run OPNsense, I used to run pfsense many years ago. I switched to Sophos UTM, mainly for security features like port scan blocking. However, it seems Sophos UTM is dead, and annoying bugs are driving me nuts (like getting an email for EVERY port in a port scan attack. Hundreds of emails from Sophos is like a DoS attack in itself). Can OPNsense detect a port scan, and then block the IP address of the scanner? I heard this was possible with Snort and pfsense, but I'd like to stay away from pfsense for stability reasons.
Thanks!

jclendineng

Re: Blocking port scans
« Reply #1 on: June 16, 2020, 12:43:39 pm »
pfsense does indeed support port scan blocking, as does opnsense.  The plugin you want for either firewall is called "suricata", and in the rulesets there is a category for scans :) that will detect port scans and block.

RChadwick

Re: Blocking port scans
« Reply #2 on: June 16, 2020, 04:06:21 pm »
Thanks!
One quick question about OPNsense. The reason I left pfsense is that, while pfsense was rock solid, a few needed plugins were not, and would crash the entire router. I heard OPNsense doesn't have third party plugins. Is that true? If so, is that why?

jclendineng

Re: Blocking port scans
« Reply #3 on: June 23, 2020, 09:32:51 pm »
What plugins? I had a few on pfsense and it was solid. The only reason I switched to OPNsense was a more aggressive dev timeline. The last pfsense release had terrible performance issues and would randomly hang due to a bug that was put in a future patch. OPNsense has plugins, yes. It's the same base as pfsense (BSD) and as such can use ports.

Ypsilon

Re: Blocking port scans
« Reply #4 on: July 13, 2020, 03:36:14 pm »
This is my first post on this forum, so hi all, and glad to be using OPNsense.
I was in the same boat as you @RChadwick, also running UTM, but meanwhile switched to OPNsense.
So if I remain as satisfied as I am now, I will consider a donation.

Portscan was a separate feature in UTM indeed, but also had some issues:
- limiting the number of alert messages didn't work well, spamming my mailbox
- The rules for portscans and threats were not clear in the gui, and from cli they were hard to find.

In OPNsense you have much more control over intrusion detection.
So I have enabled the scan rules, and portscans are being blocked  :)

cyberbob

Re: Blocking port scans
« Reply #5 on: September 07, 2024, 03:17:11 am »
Has anyone solved the issue around people bypassing port scans such as doing something like this:
https://www.northit.co.uk/posts/bypassing-port-scan-blocking-firewalls/

Greg_E

Re: Blocking port scans
« Reply #6 on: September 09, 2024, 03:13:18 pm »
One of the rules in the ET free/Pro is to block all known TOR connections, it's in a long list of options and I don't remember where it resides.

meyergru

Re: Blocking port scans
« Reply #7 on: September 09, 2024, 06:17:57 pm »
There are several hints here on how to exclude TOR exit nodes; Firehol3 is one list that includes this.

Excluding TOR alone would be a very narrow focus, IMHO. Think of any automated port scans from known IPs, which are covered by several blacklists like Firehol, or geoblocking countries from which you do not expect legitimate traffic anyhow...

Greg_E

Re: Blocking port scans
« Reply #8 on: September 09, 2024, 07:24:49 pm »
I'm guessing Crowdsec also does a pretty good job at this.

cyberbob

Re: Blocking port scans
« Reply #9 on: September 11, 2024, 03:44:13 pm »
Thanks all I'll give that a try.

thereaper

Re: Blocking port scans
« Reply #10 on: September 13, 2024, 10:30:49 am »
Quote from: jclendineng on June 16, 2020, 12:43:39 pm
... The plugin you want for either firewall is called "suricata", and in the rulesets there is a category for scans :) that will detect port scans and block.

What are the simplest steps to enable port scan blocking using only native OPNSense IDS?
I did these steps, but not sure it is working:

1. Go Services / Intrusion Detection / Administration. Settings tab. I have checked:
  - Enabled
  - IPS mode
  - Interfaces: WAN
  - Enable syslog alerts
  - Promiscuous mode (not needed probably)
2. Go to Download tab
  - Check all Rulesets
  - Press "Enable Selected" button, press "Download and Update Rules" button
3. Go to Rules tab
  - press Filters dropdown, type "scan", press Enter. There will be ~26 rules.
  - select all, press "Drop" button below, press Apply button.

Still I don't see anything in the Alerts tab, only a weird GUI flash-refresh kind of glitch. But on Lobby / Dashboard / Firewall piechart, pressing the "Default Deny" pie opens the live log, where I can still see port scanning happening.

What did I miss? Maybe add these steps to HowTo OPNSense documentation page?
Or, if I did it correctly, where can I see a list of blacklisted IPs?
« Last Edit: September 13, 2024, 12:01:46 pm by thereaper »

thereaper

Re: Blocking port scans
« Reply #11 on: September 13, 2024, 11:12:44 am »
GRC Shields Up! service still happily scans all my ports, no blocking happening ...

Enabling Services / Intrusion Detection / Administration / Settings / "Promiscuous mode" did not help either.

And I tried enabling rulesets one by one, not all at once. But could not find which RuleSet contains rules of ClassType = network-scan. I cannot tell which RuleSet the Rule belongs to. In the Rule Info tab we only see "Source = emerging-scan.rules" but what is "emerging-scan.rules"? It is not a RuleSet ...

Please help :)
« Last Edit: September 14, 2024, 04:51:52 am by thereaper »
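The two posts above are stuck on "is it working?". The ground truth is Suricata's own EVE log: every alert record carries an action field, "blocked" when the IPS dropped the packet and "allowed" when the rule only alerted. The script below is an added example for this thread (not code from OPNsense or from any poster): it parses EVE JSON lines, keeps the ET SCAN alerts, and reports per source address how many were dropped versus merely logged, plus the SIDs that matched but did not drop. Assumptions: the log path /var/log/suricata/eve.json (the usual OPNsense location), and the sample records, which are constructed to mirror the EVE alert schema; signature names and SIDs in the sample are illustrative.

```python
"""Check whether Suricata is actually dropping scan traffic, using its eve.json log.

Added example for this thread; not code from OPNsense or from the forum posts.
Assumptions: OPNsense writes Suricata's EVE log to /var/log/suricata/eve.json,
and the SAMPLE_EVE records below are constructed to mirror the EVE alert schema.
"""
import json
import sys
from collections import defaultdict

EVE_LOG = "/var/log/suricata/eve.json"  # assumed OPNsense default location

# Constructed sample records (one per line, as Suricata writes them).
# Signature names and SIDs are illustrative; the last line is deliberately not JSON.
SAMPLE_EVE = """\
{"timestamp":"2024-09-13T10:20:01.000000+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":44123,"dest_ip":"198.51.100.5","dest_port":22,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2001219,"rev":20,"signature":"ET SCAN Potential SSH Scan","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-09-13T10:20:02.000000+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":44124,"dest_ip":"198.51.100.5","dest_port":5900,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2002910,"rev":7,"signature":"ET SCAN Potential VNC Scan 5900-5920","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2024-09-13T10:20:03.000000+0000","event_type":"flow","src_ip":"203.0.113.10","dest_ip":"198.51.100.5","proto":"TCP","flow":{"state":"closed"}}
{"timestamp":"2024-09-13T10:20:04.000000+0000","event_type":"alert","src_ip":"203.0.113.10","src_port":44125,"dest_ip":"198.51.100.5","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2210037,"rev":2,"signature":"SURICATA STREAM Packet with invalid ack","category":"Generic Protocol Command Decode","severity":3}}
{"timestamp":"2024-09-13T10:21:00.000000+0000","event_type":"alert","src_ip":"192.0.2.77","src_port":5555,"dest_ip":"198.51.100.5","dest_port":3306,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":2010937,"rev":3,"signature":"ET SCAN Suspicious inbound to mySQL port 3306","category":"Potentially Bad Traffic","severity":2}}
this line is not JSON and must be skipped
"""


def parse_eve(text):
    """Parse EVE JSON lines; skip blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def scan_alerts(events, prefix="ET SCAN"):
    """Keep only alert events whose signature name carries the ET scan prefix."""
    return [e for e in events
            if e.get("event_type") == "alert"
            and e.get("alert", {}).get("signature", "").startswith(prefix)]


def summarize_by_source(alerts):
    """Per source IP: scan alerts dropped vs merely logged, and destination ports touched."""
    summary = defaultdict(lambda: {"blocked": 0, "allowed": 0, "ports": set()})
    for a in alerts:
        entry = summary[a["src_ip"]]
        # Suricata sets action to "blocked" only when the packet was dropped (IPS mode, drop rule).
        action = a["alert"].get("action", "allowed")
        entry["blocked" if action == "blocked" else "allowed"] += 1
        entry["ports"].add(a.get("dest_port"))
    return dict(summary)


def alert_only_sids(alerts):
    """SIDs that matched but did not drop: the rule is still 'alert', not 'drop'."""
    return sorted({a["alert"]["signature_id"] for a in alerts
                   if a["alert"].get("action") != "blocked"})


def report(text):
    alerts = scan_alerts(parse_eve(text))
    for src, entry in sorted(summarize_by_source(alerts).items()):
        ports = sorted(p for p in entry["ports"] if p is not None)
        print(f"{src}: blocked={entry['blocked']} allowed={entry['allowed']} ports={ports}")
    leftovers = alert_only_sids(alerts)
    if leftovers:
        print("scan rules that matched but did not drop (still 'alert'):", leftovers)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report(fh.read())
    else:
        report(SAMPLE_EVE)
```

On the firewall, run it against the real log (`python3 eve_scan_check.py /var/log/suricata/eve.json`, path assumed). Two things this makes visible that the GUI does not: an ET SCAN alert with action "allowed" while IPS mode is on means that rule is still set to alert, and Suricata in IPS mode drops matching packets rather than keeping a block list of source addresses, so a per-source summary like this one is the closest thing to the "list of blacklisted IPs" asked for above. Scans that still show up under the firewall's "Default Deny" are exactly the packets Suricata let through to pf.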

Greg_E

Re: Blocking port scans
« Reply #12 on: September 13, 2024, 03:16:38 pm »
I would probably disable promiscuous mode, I don't think you need it.

When you downloaded all the rules, did you set them to blocking or just alert? Default is alert and you need to either use a policy to change that, or do this on each rule itself. I haven't had a lot of luck with policies, I'm sure I'm doing something wrong. But when I see alerts in the log, I click on the ones that I know need to be blocked, and change them to block.

Then you need to go back to the rules download tab and apply the changes before it will start blocking.

This is what I've had to do and it seems to be working.

thereaper

Re: Blocking port scans
« Reply #13 on: September 14, 2024, 04:58:27 am »
Quote from: Greg_E on September 13, 2024, 03:16:38 pm
I would probably disable promiscuous mode, I don't think you need it.
Thanks, disabled now.

Quote from: Greg_E on September 13, 2024, 03:16:38 pm
When you downloaded all the rules, did you set them to blocking or just alert?

I went to the Rules tab, searched for ClassType = network-scan, and set all that was found (26) to Block, done within the Rules tab.
But it does not seem to work.

Do I really need to make Policies for standard rules? I think you are right:

"In previous versions (prior to 21.1) you could select a “filter” here to alter the default behavior of installed rules from alert to block. As of 21.1 this functionality will be covered by Policies"
https://docs.opnsense.org/manual/ips.html#download-rulesets

Going to try making Policies :)
« Last Edit: September 14, 2024, 05:00:32 am by thereaper »
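What a policy does, stripped of the GUI, is rewrite the action keyword at the front of each selected rule from alert to drop. The script below is an added example (not OPNsense code and not from any poster) that performs that transformation on a rules file for chosen classtypes or SIDs, leaving commented-out rules disabled and everything else untouched, so the weak setting (alert) and the corrected one (drop) can be compared line by line. The rules file is constructed for the example: SIDs 9000001 to 9000004 and the messages are made up, and the first rule shows a threshold-based scan rule (drop after 5 SYNs from one source in 60 seconds) rather than a signature-based one.

```python
"""Flip selected Suricata rules from alert to drop, the way an OPNsense policy does.

Added example for this thread; not code from OPNsense or from the forum posts.
SAMPLE_RULES is constructed: SIDs 9000001-9000004 and messages are made up.
"""
import re

SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SCAN ssh sweep"; flags:S,12; threshold:type both, track by_src, count 5, seconds 60; classtype:network-scan; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE SCAN probe"; flow:to_server; classtype:attempted-recon; sid:9000002; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SAMPLE SCAN snmp sweep"; classtype:network-scan; sid:9000003; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE WEB sqli"; content:"union select"; nocase; classtype:web-application-attack; sid:9000004; rev:1;)
"""

# A live (uncommented) single-line rule: action keyword, then header and option block.
RULE_RE = re.compile(r'^(?P<action>alert|drop|pass|reject)\s+(?P<rest>.*\(.*\))\s*$')


def rule_classtype(rule):
    m = re.search(r'classtype:\s*([\w-]+)\s*;', rule)
    return m.group(1) if m else None


def rule_sid(rule):
    m = re.search(r'\bsid:\s*(\d+)\s*;', rule)
    return int(m.group(1)) if m else None


def count_actions(rules_text):
    """Count live rules per action keyword; commented-out rules are ignored."""
    counts = {}
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            counts[m.group("action")] = counts.get(m.group("action"), 0) + 1
    return counts


def apply_policy(rules_text, classtypes=("network-scan", "attempted-recon"), sids=()):
    """Return (rewritten rules text, SIDs changed from alert to drop).

    A rule is changed when its classtype is in `classtypes` or its sid is in `sids`.
    Commented-out rules stay disabled; rules already set to drop/pass/reject are left alone.
    """
    out, changed = [], []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("action") == "alert":
            if rule_classtype(line) in classtypes or rule_sid(line) in sids:
                line = "drop " + m.group("rest")
                changed.append(rule_sid(line))
        out.append(line)
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    rewritten, changed = apply_policy(SAMPLE_RULES)
    print("before:", count_actions(SAMPLE_RULES))
    print("after: ", count_actions(rewritten), "changed:", changed)
    print(rewritten)
```

Run with a real ruleset file as input and diff the output against the original to see exactly which rules a classtype-based policy would touch; whether the rules are edited by hand, by a script like this, or by the Policies tab, nothing changes on the wire until the rules are reapplied and Suricata reloads them, which is the step Greg_E keeps pointing at.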

Greg_E

Re: Blocking port scans
« Reply #14 on: September 16, 2024, 05:32:21 pm »
I've had no luck with policies.

Did you go back to the rules download tab and apply the changes after setting everything to blocking? I haven't had one fail yet after doing this to the main rules (not policies).

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved