OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • Port Scanning block and Port Knocking - is it possible in OPNsense
« previous next »
  • Print
Pages: [1]

Author Topic: Port Scanning block and Port Knocking - is it possible in OPNsense  (Read 5883 times)

Wyrm

  • Jr. Member
  • **
  • Posts: 56
  • Karma: 1
    • View Profile
Port Scanning block and Port Knocking - is it possible in OPNsense
« on: July 13, 2021, 08:42:30 pm »
Hi,
I have 2 questions, but they could be connected maybe to one solution.

I would like to know if there some utility or settings to have some rule to block simple port scanning???
It is like in Mikrotik, where you could have some detection of portscanning by setting weight to scanned ports.
There are some rules which then put remote attackers on list and blocks them before they get to IDS/IPS.
Some solution for this ?

There is another request from my customer to have option to use portknock.
Is some way to use it in OPNsense firewall ? Mainly it works that there is some defined port opening sequence and when it is used from allowed address it opens some port in firewall.

This could be some option to have as feature in OPNsense maybe ???
Or is it solved by Suricata or SENSEI ?
 
Logged

itoffshore

  • Newbie
  • *
  • Posts: 5
  • Karma: 1
    • View Profile
Re: Port Scanning block and Port Knocking - is it possible in OPNsense
« Reply #1 on: November 08, 2021, 12:52:28 am »
fwknop does port knocking with a GPG encrypted / signed packet & is available as a package in FreeBSD. It would need manual configuration. I've used it on Linux & it's quite good.

https://www.cipherdyne.org/fwknop/

psad by the same author detects port scanning but is not in FreeBSD.
Logged

benyamin

  • Full Member
  • ***
  • Posts: 224
  • Karma: 13
    • View Profile
Re: Port Scanning block and Port Knocking - is it possible in OPNsense
« Reply #2 on: November 08, 2021, 12:11:42 pm »
I have to say, fwknop integration would be very, very cool. Like, very cool.  :D

Re port scanning, pro-active black listing of known bad actors is a good first line of defense. You can use aliases configured with URL Tables, i.e. lists of IP addresses. You can assemble your own list from a variety of sources either by hosting it yourself somewhere handy or by using a collection of externally hosted lists implemented as individual aliases. There are too many sources, flavours and opinions out there to write up a definitive solution here, but what I can say is that in conjunction with the usual suspects, e.g. Spamhaus (E)DROP, the AbuseIPDB API works pretty well, but you do need to take note of the truncation and rate limits.

However, none of that is much good on public VPNs that use bogons. Port scanning detection and blocking on such networks is advantageous.

I believe Suricata IDS/IPS can also deal with port scans when properly configured. You may want to post on the OPNsense IDS/IPS Board to get the take on this from those lurking there.

Other FreeBSD ports, but not implemented as OPNsense plugins AFAIK, would include the likes of scanlogd (detection only) and portsentry.
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • General Discussion »
  • Port Scanning block and Port Knocking - is it possible in OPNsense
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2