OPNsense Forum » English Forums » General Discussion
Topic: Port Scanning block and Port Knocking - is it possible in OPNsense (Read 5899 times)
Wyrm (Jr. Member, Posts: 56, Karma: 1)
Port Scanning block and Port Knocking - is it possible in OPNsense
« on: July 13, 2021, 08:42:30 pm »
Hi,
I have 2 questions, but they could be connected, maybe, to one solution.
I would like to know if there is some utility or setting to have a rule to block simple port scanning?
It is like in Mikrotik, where you can have detection of port scanning by setting weights to scanned ports.
There are some rules which then put remote attackers on a list and block them before they get to the IDS/IPS.
Is there some solution for this?
There is another request from my customer to have the option to use port knocking.
Is there some way to use it in the OPNsense firewall? Mainly it works like this: there is some defined port-opening sequence, and when it is used from an allowed address it opens some port in the firewall.
This could be an option to have as a feature in OPNsense, maybe.
Or is it solved by Suricata or SENSEI?
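The two mechanisms the question describes, written out as an added example that is not OPNsense code and not from this thread: a Mikrotik-style weighted port-scan score (assumed weights of 3 for ports below 1024 and 1 otherwise, threshold 21, 3-second sliding window) that yields the list of sources to feed into a block alias, and a knock-sequence matcher (assumed sequence 7000, 8000, 9000 with a 10-second step timeout) that yields the sources which completed the sequence. The log lines and their format are constructed; real OPNsense filterlog output looks different and would need its own parser.

```python
"""Weighted port-scan scoring and knock-sequence matching over firewall log
lines. Added example for this thread; not OPNsense code. The log format, the
weights and the knock sequence are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (an invented format, not real filterlog output).
SAMPLE_LOG = """\
2021-07-13T20:40:01 block in em0 tcp 203.0.113.5:51000 -> 198.51.100.10:21
2021-07-13T20:40:01 block in em0 tcp 203.0.113.5:51001 -> 198.51.100.10:22
2021-07-13T20:40:01 block in em0 tcp 203.0.113.5:51002 -> 198.51.100.10:23
2021-07-13T20:40:02 block in em0 tcp 203.0.113.5:51003 -> 198.51.100.10:25
2021-07-13T20:40:02 block in em0 tcp 203.0.113.5:51004 -> 198.51.100.10:80
2021-07-13T20:40:02 block in em0 tcp 203.0.113.5:51005 -> 198.51.100.10:110
2021-07-13T20:40:03 block in em0 tcp 203.0.113.5:51006 -> 198.51.100.10:443
2021-07-13T20:40:03 block in em0 tcp 203.0.113.5:51007 -> 198.51.100.10:3389
2021-07-13T20:40:03 block in em0 tcp 203.0.113.5:51008 -> 198.51.100.10:8080
2021-07-13T20:40:01 block in em0 tcp 192.0.2.77:40000 -> 198.51.100.10:443
2021-07-13T20:45:00 block in em0 tcp 192.0.2.77:40001 -> 198.51.100.10:22
2021-07-13T20:41:00 block in em0 tcp 192.0.2.42:40100 -> 198.51.100.10:7000
2021-07-13T20:41:02 block in em0 tcp 192.0.2.42:40101 -> 198.51.100.10:8000
2021-07-13T20:41:04 block in em0 tcp 192.0.2.42:40102 -> 198.51.100.10:9000
2021-07-13T20:41:00 block in em0 tcp 192.0.2.43:40200 -> 198.51.100.10:7000
2021-07-13T20:41:01 block in em0 tcp 192.0.2.43:40201 -> 198.51.100.10:8000
2021-07-13T20:41:02 block in em0 tcp 192.0.2.43:40202 -> 198.51.100.10:22
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) block in \S+ (?P<proto>tcp|udp) "
                     r"(?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$")

def parse_line(line):
    """Return (timestamp, src, proto, dport), or None for a line we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["proto"], int(m["dport"]))

def events_by_source(lines):
    """Group parsed hits per source, each list sorted by time."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_src[rec[1]].append((rec[0], rec[2], rec[3]))
    for evs in by_src.values():
        evs.sort()
    return by_src

def port_weight(port, low_weight=3, high_weight=1):
    # Privileged ports count more: a probe of 21/22/23/25 is a stronger signal than 8080.
    return low_weight if port < 1024 else high_weight

def detect_scanners(lines, threshold=21, window=timedelta(seconds=3)):
    """Map src -> peak score for sources whose distinct (proto, port) hits,
    weighted by port_weight, reach `threshold` inside any sliding `window`."""
    flagged = {}
    for src, evs in events_by_source(lines).items():
        seen, score, best, start = defaultdict(int), 0, 0, 0
        for ts, proto, dport in evs:
            if seen[(proto, dport)] == 0:          # repeats of one port add nothing
                score += port_weight(dport)
            seen[(proto, dport)] += 1
            while ts - evs[start][0] > window:     # drop hits that fell out of the window
                _, oproto, oport = evs[start]
                seen[(oproto, oport)] -= 1
                if seen[(oproto, oport)] == 0:
                    score -= port_weight(oport)
                start += 1
            best = max(best, score)
        if best >= threshold:
            flagged[src] = best
    return flagged

def knock_completers(lines, sequence=(7000, 8000, 9000), timeout=timedelta(seconds=10)):
    """Set of sources that hit `sequence` in order, each step within `timeout`
    of the previous one; any other port, or a late knock, restarts the sequence."""
    done = set()
    for src, evs in events_by_source(lines).items():
        idx, last = 0, None
        for ts, _proto, dport in evs:
            if last is not None and ts - last > timeout:
                idx = 0
            if dport == sequence[idx]:
                idx += 1
            else:
                idx = 1 if dport == sequence[0] else 0
            if idx == len(sequence):
                done.add(src)
                idx = 0
            last = ts
    return done

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("scan sources:", detect_scanners(lines))      # {'203.0.113.5': 23}
    print("knock completed:", knock_completers(lines))  # {'192.0.2.42'}
```

In the sample, 203.0.113.5 touches seven privileged ports and two high ports within two seconds (7 × 3 + 2 × 1 = 23, above the threshold), 192.0.2.77 hits two privileged ports five minutes apart and never scores above 3 because the first hit has left the window, 192.0.2.42 completes the knock sequence and 192.0.2.43 breaks it on the third hit. The scoring output is what you would write into a file served to a URL Table alias, so the rule that references that alias blocks the scanner ahead of the IDS/IPS.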
itoffshore (Newbie, Posts: 5, Karma: 1)
Re: Port Scanning block and Port Knocking - is it possible in OPNsense
« Reply #1 on: November 08, 2021, 12:52:28 am »
fwknop does port knocking with a GPG encrypted / signed packet & is available as a package in FreeBSD. It would need manual configuration. I've used it on Linux & it's quite good.
https://www.cipherdyne.org/fwknop/
psad by the same author detects port scanning but is not in FreeBSD.
benyamin (Full Member, Posts: 224, Karma: 13)
Re: Port Scanning block and Port Knocking - is it possible in OPNsense
« Reply #2 on: November 08, 2021, 12:11:42 pm »
I have to say, fwknop integration would be very, very cool. Like, very cool.
Re port scanning, pro-active black listing of known bad actors is a good first line of defense. You can use aliases configured with URL Tables, i.e. lists of IP addresses. You can assemble your own list from a variety of sources either by hosting it yourself somewhere handy or by using a collection of externally hosted lists implemented as individual aliases. There are too many sources, flavours and opinions out there to write up a definitive solution here, but what I can say is that in conjunction with the usual suspects, e.g. Spamhaus (E)DROP, the AbuseIPDB API works pretty well, but you do need to take note of the truncation and rate limits.
However, none of that is much good on public VPNs that use bogons. Port scanning detection and blocking on such networks is advantageous.
I believe Suricata IDS/IPS can also deal with port scans when properly configured. You may want to post on the OPNsense IDS/IPS Board to get the take on this from those lurking there.
Other FreeBSD ports, but not implemented as OPNsense plugins AFAIK, would include the likes of scanlogd (detection only) and portsentry.
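The "assemble your own list and host it yourself" approach from the reply above, as an added example that is not part of the thread or of OPNsense: several feeds are merged into one deduplicated, CIDR-collapsed list you can serve to a URL Table alias. The feeds here are constructed stand-ins for lists you would fetch yourself; the parser drops comments and malformed entries instead of letting them poison the table, and the caller can exclude ranges (your own networks, private space) that should never end up in an edge blocklist.

```python
"""Merge IP blocklist feeds into one collapsed list for a URL Table alias.
Added example with constructed inputs; not part of this thread or of OPNsense."""
import ipaddress

# Constructed sample feeds (stand-ins for lists you would fetch yourself).
FEED_A = """\
# comment line
203.0.113.0/24
203.0.113.7          ; already covered by the /24 above
198.51.100.20
not-an-address
"""
FEED_B = """\
198.51.100.20
198.51.100.21
10.0.0.0/8      ; private range, must not reach an edge blocklist
2001:db8::/32
"""

def parse_feed(text):
    """Yield ip_network objects from one feed, skipping comments and junk."""
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False accepts host bits set in a prefix (e.g. 10.1.2.3/8).
            yield ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue   # malformed entry: drop it rather than abort the whole build

def overlaps(net, others):
    """True if `net` is inside, or contains, any network in `others` of the same family."""
    return any(net.version == o.version and (net.subnet_of(o) or o.subnet_of(net))
               for o in others)

def merge_feeds(feeds, exclude=()):
    """Return sorted, collapsed CIDR strings from all feeds (IPv4 first, then
    IPv6), minus anything overlapping a network listed in `exclude`."""
    excl = [ipaddress.ip_network(e) for e in exclude]
    nets = [n for f in feeds for n in parse_feed(f) if not overlaps(n, excl)]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]

if __name__ == "__main__":
    # Write the merged list one entry per line; serve that file over HTTP(S)
    # and point a URL Table alias at it.
    for entry in merge_feeds([FEED_A, FEED_B], exclude=["10.0.0.0/8"]):
        print(entry)
```

With the constructed feeds the output is three lines: 198.51.100.20/31 (the two adjacent hosts collapsed), 203.0.113.0/24 (the duplicate /32 absorbed) and 2001:db8::/32; the private /8 is dropped by the exclusion and the malformed entry is skipped. Re-run the merge on whatever schedule your alias refresh uses, and keep each upstream feed's own limits in mind, since a truncated or rate-limited download silently shrinks the list.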