Doubt about IP Scans coming from WAN

Started by xmftech, Today at 03:06:51 PM

Good afternoon,

I am writing this thread in reference to the logs of my virtualized OPNsense on Proxmox: in the Live View of the firewall logs I am seeing constant port scan attempts.

I have been evaluating for days whether to incorporate measures such as IDS/IPS but first I wanted to ask (sorry if it should be obvious).

First of all, is it normal to see all these attempts or does it mean that there is something exposed externally that should not be?

I only have 4 ports open via NAT to a single device on the LAN for P2P applications; they are also opened on ports different from the ones the application uses by default, and I can deactivate and activate them when I need them.

Secondly, I would like to know if I can somehow improve the protection against these scans, either with IDS or IPS or with other tools or plugins. The learning I have gained since I started my HomeLab is growing, but there are concepts and ways of working (how a firewall handles each packet) that I still have to understand, and I prefer to raise the issue so I am guided towards the correct solution.

I can attach screenshots if necessary.
In a world without walls and fences, who needs windows and gates?

Today at 03:37:35 PM #1 Last Edit: Today at 05:42:14 PM by coffeecup25
Long ago I used snort because I saw similar activity. Then I researched it a bit and discovered every college kid and their mother scans the internet just for fun from all over the world. I once tracked an IP to the University of Michigan and complained about 'people trying to break into my network from there'. They nicely and politely told me what they were doing was not illegal. Scanning is not breaking in. It's frightening, but harmless if it's only scanning. Practically everyone is being scanned all the time. Kids.

One smart person later told me that if I had no open ports then I didn't need snort. Nobody had anywhere to break into with no open ports, so I should relax. My only open port later was OpenVPN, which was protected by layers of certificates. No worries there.

You have 4 ports open. You need to analyze what they open up to and how vulnerable it is. Then figure out what to do next.

How exactly are these attempts logged? With the "default deny" rule? If yes, how would you improve the protection? Blocked is blocked, IDS/IPS does not add any value to that.

If you are connected to the public Internet you will be scanned via IPv4 24x7. This is normal.

You can

- disable logging of the default deny rule to get less noise
- improve the security of the applications you did open to the Internet by configuring GeoIP blocking, public block lists, or paid services like Q-Feeds or CrowdSec

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
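An added example (not part of this thread, and not OPNsense's own code) that puts the two replies above into practice: it parses raw `filterlog` lines as exported from the OPNsense firewall log, separates the noise that the default deny rule already blocks from traffic that was actually passed inbound on WAN, and flags any passed connection whose destination port is not one of the NAT-forwarded ports. That last list is the check the original question is really asking for: if it is empty, nothing is exposed that should not be. Assumptions: the CSV layout follows the pf/OPNsense filterlog format for IPv4 (rule number, sub-rule, anchor, rule id, interface, reason, action, direction, IP version, ... , source, destination, then ports for TCP/UDP), the WAN interface is `vtnet0`, and the log lines, rule ids, addresses and the set of forwarded ports are all constructed for the demonstration.

```python
"""Summarize OPNsense filterlog lines: how much WAN noise is just the default
deny rule, and whether anything was passed inbound that was not meant to be.
Added example; the log lines, rule ids and ports below are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Set

# Field order of the pf filterlog CSV payload up to the destination address
# (assumed to match the OPNsense/pfSense filterlog format for IPv4; verify
# against one of your own log lines before relying on it).
BASE_FIELDS = [
    "rulenr", "subrulenr", "anchor", "ridentifier", "interface", "reason",
    "action", "dir", "ipversion", "tos", "ecn", "ttl", "id", "offset",
    "flags", "protoid", "protoname", "length", "src", "dst",
]
# Only TCP and UDP carry ports; ICMP lines continue with type/id/seq instead.
PORT_PROTOS = {"tcp", "udp"}

# Strips the syslog prefix ("Mar 3 15:06:51 host filterlog[71234]: ").
SYSLOG_PREFIX = re.compile(r"^.*?filterlog\[\d+\]:\s*")


@dataclass
class Entry:
    interface: str
    action: str        # "block" or "pass"
    direction: str     # "in" or "out"
    proto: str
    src: str
    dst: str
    dstport: Optional[int]
    rule_id: str       # the ridentifier field, i.e. which rule matched


def parse_line(line: str) -> Optional[Entry]:
    """Parse one IPv4 filterlog line; return None for anything else."""
    parts = SYSLOG_PREFIX.sub("", line.strip()).split(",")
    if len(parts) < len(BASE_FIELDS) or parts[8] != "4":
        return None  # truncated, IPv6, or not a filterlog line at all
    f = dict(zip(BASE_FIELDS, parts))
    dstport = None
    if f["protoname"] in PORT_PROTOS and len(parts) > 21 and parts[21].isdigit():
        dstport = int(parts[21])
    return Entry(f["interface"], f["action"], f["dir"], f["protoname"],
                 f["src"], f["dst"], dstport, f["ridentifier"])


def summarize(lines: List[str], wan_if: str, forwarded_ports: Set[int]) -> dict:
    """Split inbound WAN log entries into blocked noise, expected passes to
    forwarded ports, and passes to ports that should not be reachable."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    wan_in = [e for e in entries if e.interface == wan_if and e.direction == "in"]
    blocked_ports = Counter(e.dstport for e in wan_in if e.action == "block")
    passed = [e for e in wan_in if e.action == "pass"]
    return {
        "blocked_total": sum(blocked_ports.values()),
        "blocked_top_ports": blocked_ports.most_common(5),
        "reached_forwarded_ports": [e for e in passed if e.dstport in forwarded_ports],
        # Anything here is exposure you did not plan for: investigate the rule_id.
        "unexpected_pass": [e for e in passed if e.dstport not in forwarded_ports],
    }


# Constructed sample: scans blocked by the default deny rule (rule id
# 1000000103 here is a placeholder), one legitimate hit on a forwarded P2P
# port, LAN-side traffic on vtnet1, and one deliberately unexpected pass.
SAMPLE = """\
Mar 3 15:06:51 opnsense filterlog[71234]: 5,,,1000000103,vtnet0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.10,198.51.100.20,44123,22,0,S,1234567890,,65535,,mss
Mar 3 15:06:52 opnsense filterlog[71234]: 5,,,1000000103,vtnet0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.10,198.51.100.20,44124,23,0,S,1234567891,,65535,,mss
Mar 3 15:06:53 opnsense filterlog[71234]: 5,,,1000000103,vtnet0,match,block,in,4,0x0,,63,0,0,DF,17,udp,78,203.0.113.11,198.51.100.20,5000,5060,58
Mar 3 15:06:54 opnsense filterlog[71234]: 81,,,b8a2e0c1d3f4,vtnet0,match,pass,in,4,0x0,,55,0,0,DF,6,tcp,60,198.51.100.77,198.51.100.20,51000,45123,0,S,2234567890,,65535,,mss
Mar 3 15:06:55 opnsense filterlog[71234]: 5,,,1000000103,vtnet0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.12,198.51.100.20,44125,22,0,S,3234567890,,65535,,mss
Mar 3 15:06:56 opnsense filterlog[71234]: 9,,,1000000104,vtnet1,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.1.50,93.184.216.34,50000,443,0,S,4234567890,,65535,,mss
Mar 3 15:06:57 opnsense filterlog[71234]: 5,,,1000000103,vtnet0,match,block,in,4,0x0,,64,0,0,none,1,icmp,84,203.0.113.13,198.51.100.20,request,1234,0
Mar 3 15:06:58 opnsense filterlog[71234]: 83,,,c9d3e1f2a4b5,vtnet0,match,pass,in,4,0x0,,57,0,0,DF,6,tcp,60,203.0.113.14,198.51.100.20,52000,8080,0,S,5234567890,,65535,,mss
"""

# Constructed set of NAT-forwarded P2P ports for the single LAN device.
FORWARDED_PORTS = {45123, 45124, 45125, 45126}

if __name__ == "__main__":
    result = summarize(SAMPLE.splitlines(), "vtnet0", FORWARDED_PORTS)
    print("blocked by firewall:", result["blocked_total"],
          "top ports:", result["blocked_top_ports"])
    for e in result["reached_forwarded_ports"]:
        print("expected pass:", e.src, "->", e.dst, e.proto, e.dstport, "rule", e.rule_id)
    for e in result["unexpected_pass"]:
        print("UNEXPECTED pass:", e.src, "->", e.dst, e.proto, e.dstport, "rule", e.rule_id)
```

Run it against a real export (`clog /var/log/filter/latest.log` on older releases, or the file the log viewer exports) by replacing `SAMPLE` and `FORWARDED_PORTS`. The blocked counter is the "24x7 scanning" both replies describe and is safe to silence by turning off logging on the default deny rule; the `unexpected_pass` list is what deserves a look, because each entry names the rule id that let the traffic through.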