Doubt about IP Scans coming from WAN

Started by xmftech, December 15, 2025, 03:06:51 PM

Good afternoon,

I am writing this thread in reference to the logs of my virtualized OPNsense on Proxmox, in which I am seeing in LiveView of the Firewall logs that I am having constant attempts at port scans.

I have been evaluating for days whether to incorporate measures such as IDS/IPS but first I wanted to ask (sorry if it should be obvious).

First of all, is it normal to see all these attempts or does it mean that there is something exposed externally that should not be?

I only have 4 ports open via NAT to a single device on the LAN for P2P applications; these also use different ports from the ones the application uses by default, and I can deactivate and activate them when I need them.

Secondly, I would like to know if I can somehow improve the protection against these scans, either with IDS or IPS or with other tools or plugins. The learning I have gained since I started my HomeLab is growing but there are concepts and ways of working of how each packet is handled by a firewall that I still have to understand and I prefer to raise the issue to guide me towards the correct solution.

I can attach screenshots if necessary.
In a world without walls and fences, who needs windows and gates?

December 15, 2025, 03:37:35 PM #1 Last Edit: December 15, 2025, 05:42:14 PM by coffeecup25
Long ago I used snort because I saw similar activity. Then I researched it a bit and discovered every college kid and their mother scan the internet just for fun from all over the world. I once tracked an IP to the University of Michigan and complained about 'people trying to break into my network from there'. They nicely and politely told me what they were doing was not illegal. Scanning is not breaking in. It's frightening, but harmless if it's only scanning. Practically everyone is being scanned all the time. Kids.

One smart person later told me that if I had no open ports then I didn't need snort. Nobody had anywhere to break into with no open ports, so I should relax. My only open port later was OpenVPN, which was protected by layers of certificates. No worries there.

You have 4 ports open. You need to analyze what they open up to and how vulnerable it is. Then figure out what to do next.

How exactly are these attempts logged? With the "default deny" rule? If yes, how would you improve the protection? Blocked is blocked, IDS/IPS does not add any value to that.

If you are connected to the public Internet you will be scanned via IPv4 24x7. This is normal.

You can

- disable logging of the default deny rule to get less noise
- improve the security of the applications you did open to the Internet by configuring GeoIP blocking, public block lists, or paid services like Q-Feeds or Crowdsec

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

December 15, 2025, 10:26:48 PM #3 Last Edit: December 15, 2025, 11:32:30 PM by xmftech
Thank you for your responses. I'm coming from an HGU Mitrastar from O2 Spain and there are no logs like this. Maybe I've been suffering this for some time, but OPNsense gives more control about who's trying to access than the ISP's router.

Open ports can be closed and opened when they are needed. No problem. Having this amount of blocked connections shocked me at first, but I think it's normal since there are a lot of people acting like script kiddies scanning ports, and there's also a community of people that want to access foreign systems to infect them with ransomware.

Here are some examples of my logs:

https://storage.imgbly.com/imgbly/1ESavGSJBM.png
https://storage.imgbly.com/imgbly/3gbNLC6bC3.png
https://storage.imgbly.com/imgbly/QfGScH2lcY.png
https://storage.imgbly.com/imgbly/QGRibM56FZ.png

And yes, these attempts are blocked by the "default deny violation rule".

So, I think that I must consider my scenario as normal, right?

Thank you
In a world without walls and fences, who needs windows and gates?

December 15, 2025, 11:37:49 PM #4 Last Edit: Today at 12:14:42 AM by drosophila
Yes, that's perfectly normal. And also yes, the consumer routers don't even bother to create such logs, as they're not useful to their intended audience (since the average user couldn't do anything about it, anyway) and in fact more likely to cause the effect you experienced. ;)

Skimming these screenshots, there seems to be only a single instance of an actual "port scan" in the traditional sense, which is the one coming from 185.246.128.192. All others either are "trickle scans" (which is unlikely, you only use these when you have a specific mark and know they're looking out for scans) or just misdirected connection attempts by legitimate users. These come from outdated dynamic address info, which you get literally on a daily basis with IPv4 (the entire point of using DynDNS services). Most are single connects, which could be looking for one specific service to (ab)use (probably some IoT stuff, which has a high probability of being both outdated and unprotected. Maybe a botnet trying to find peers.). But then again, the ports wouldn't differ so much (IMO). If you're curious, you could try looking up these ports to see what they might be after. Or it might just be what happens when something like bittorrent is started with a cache more than a few weeks old. And then look at the guy on 45.142.193.191, several attempts to the same port (52073). Probably someone trying to connect to their buddy's self-hosted game server. Or someone about to find out that their own DynDNS had failed, as happened to me more than once. :) You'd probably see a few pings afterwards the first time they experience that. ;)

So, as has been said: make certain to only have ports open that you know about, and then make certain these services are protected as well as you can manage, and also run only when they actually need to run. The really dangerous stuff would appear in green, indicating something was allowed through. So you'd filter for unexpected connection attempts to the services you do have open and check the logs of these services. You could also try to find any suspicious activity from their pattern (if there is any), and then ponder what could possibly be done to prevent that.
For a while I was wondering about the lucky chance of someone probing a port that has been opened for replies to an outgoing request, but that's why firewalls track those (this is the "state violation" part of the message). Note that if you open some port for games or such you'll not be in immediate danger when the game isn't running: the packet will be allowed into the LAN, reach your PC and then go poof. However, your system will send an ICMP error message, so the attacker knows that a system is reachable on that port, but has nothing there. So it could be used to map you out and plan an attack based on that info, but attackers are lazy and will just move on to find easier prey. Especially with your IP address changing daily, they'd lose track of you unless they are tracking your IP. In that case, you should indeed be worried, but of course you'll never know about that until it's too late (or not even then).

So, the net sure has become busier than a decade ago, but that's a given with the number of devices and people connected. More noise, and more potential victims.

Ransomware usually arrives through email. Basically, anything with an attachment definitely is, and anything without has links to either phishing or more malware. This has always been the most successful attack, and its likelihood of working against you increases with every account you create: more places to steal information from, more information to be stolen, more context to create a believable scam. Currently, there seems to be quite the success with "Payment declined: your cloud data is in immediate risk of being deleted". Of course this works better than the "African prince inheritance fund" scam, because so many people made the mistake of using cloud storage services. Yes, I think it's a liability for businesses, too.

BTW: please correct me if any of my conclusions or reasonings are flawed!
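To turn the triage described in this reply (one real port scan, one source hammering a single port, the rest single connects) and Patrick's point that blocked is blocked and only allowed traffic deserves attention into something repeatable, here is an added example; it is not code from this thread or from OPNsense. It assumes a simplified, constructed record layout (timestamp, action, source, destination, protocol, destination port) rather than the real OPNsense filterlog CSV, so `parse_line()` would need adapting to an actual log export. The sample lines are constructed to mirror the patterns discussed above; the thresholds `SCAN_PORTS` and `REPEAT_HITS` are arbitrary starting values, not OPNsense settings.

```python
"""Triage blocked inbound attempts from a firewall log and surface allowed traffic
to ports you did not expect to be open.

Added example, not part of the forum thread or of OPNsense. Record layout is a
constructed simplification: <timestamp> <action> <src> <dst> <proto> <dst_port>.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines. 203.0.113.10 stands in for the WAN address.
SAMPLE_LOG = """\
2025-12-15T15:01:02 block 185.246.128.192 203.0.113.10 tcp 22
2025-12-15T15:01:02 block 185.246.128.192 203.0.113.10 tcp 80
2025-12-15T15:01:03 block 185.246.128.192 203.0.113.10 tcp 443
2025-12-15T15:01:03 block 185.246.128.192 203.0.113.10 tcp 3389
2025-12-15T15:01:04 block 185.246.128.192 203.0.113.10 tcp 8080
2025-12-15T15:01:04 block 185.246.128.192 203.0.113.10 tcp 5900
2025-12-15T15:02:10 block 45.142.193.191 203.0.113.10 tcp 52073
2025-12-15T15:02:12 block 45.142.193.191 203.0.113.10 tcp 52073
2025-12-15T15:02:15 block 45.142.193.191 203.0.113.10 tcp 52073
2025-12-15T15:02:20 block 45.142.193.191 203.0.113.10 tcp 52073
2025-12-15T15:03:00 block 198.51.100.7 203.0.113.10 tcp 6881
2025-12-15T15:03:30 block 198.51.100.9 203.0.113.10 udp 6881
2025-12-15T15:04:00 pass 198.51.100.20 203.0.113.10 tcp 51413
"""

# Assumed thresholds; tune them to your own traffic.
SCAN_PORTS = 5    # distinct destination ports from one source -> "port scan"
REPEAT_HITS = 3   # repeated attempts to a single port -> "repeated target"


@dataclass
class Record:
    ts: str
    action: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line):
    """Parse one constructed-format line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].isdigit():
        return None
    ts, action, src, dst, proto, dport = parts
    return Record(ts, action, src, dst, proto, int(dport))


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def classify_sources(records, scan_ports=SCAN_PORTS, repeat_hits=REPEAT_HITS):
    """Label each source that was blocked at least once.

    'port scan'       : >= scan_ports distinct destination ports from one source
    'repeated target' : a single port hit >= repeat_hits times (stale DynDNS,
                        someone expecting a service at this address)
    'single connect'  : everything else (stale peer lists, one-off probes)
    """
    ports = defaultdict(set)
    hits = defaultdict(int)
    for r in records:
        if r.action != "block":
            continue
        ports[r.src].add(r.dport)
        hits[r.src] += 1
    labels = {}
    for src, seen in ports.items():
        if len(seen) >= scan_ports:
            labels[src] = "port scan"
        elif len(seen) == 1 and hits[src] >= repeat_hits:
            labels[src] = "repeated target"
        else:
            labels[src] = "single connect"
    return labels


def passed_to_unexpected_ports(records, expected_ports):
    """The rows that actually matter: traffic the firewall allowed to a port
    that is not on your list of intentionally opened ports."""
    return [r for r in records if r.action == "pass" and r.dport not in expected_ports]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, label in sorted(classify_sources(recs).items()):
        print(f"{src:16} {label}")
    # Assumed list of ports you opened on purpose; anything else passing is a finding.
    for r in passed_to_unexpected_ports(recs, {6881}):
        print(f"ALLOWED to unexpected port {r.dport} from {r.src} at {r.ts}")
```

Blocked rows only tell you who is knocking; the `passed_to_unexpected_ports` check is the one worth running regularly, because a pass to a port you did not open means either a forgotten NAT rule or a rule that matches more than intended.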

Quote from: drosophila on December 15, 2025, 11:37:49 PM
Yes, that's perfectly normal. And also yes, the consumer routers don't even bother to create such logs, as they're not useful to their intended audience (since the average user couldn't do anything about it, anyway) and in fact more likely to cause the effect you experienced. ;)

Yes, the truth is that I was surprised by the number of scans. But I am not surprised so much that these scans exist, but rather in the sense that, if they exist, and considering that no system is perfect, additional measures must be put in place immediately afterwards. They have suggested incorporating Fail2Ban but I was looking for a plugin that could scan the packets that can bypass the blocking rule.
It is true that the home user did not understand the information provided by the logs, most do not even know how to enter the configuration, but it would not be superfluous to incorporate a simple log into each router for any technician who may need it to audit or correct any anomaly.

Quote from: drosophila on December 15, 2025, 11:37:49 PM
Skimming these screenshots, there seems to be only a single instance of an actual "port scan" in the traditional sense, which is the one coming from 185.246.128.192. All others either are "trickle scans" (which is unlikely, you only use these when you have a specific mark and know they're looking out for scans) or just misdirected connection attempts by legitimate users. These come from outdated dynamic address info, which you get literally on a daily basis with IPv4 (the entire point of using DynDNS services). Most are single connects, which could be looking for one specific service to (ab)use (probably some IoT stuff, which has a high probability of being both outdated and unprotected. Maybe a botnet trying to find peers.). But then again, the ports wouldn't differ so much (IMO). If you're curious, you could try looking up these ports to see what they might be after. Or it might just be what happens when something like bittorrent is started with a cache more than a few weeks old. And then look at the guy on 45.142.193.191, several attempts to the same port (52073). Probably someone trying to connect to their buddy's self-hosted game server. Or someone about to find out that their own DynDNS had failed, as happened to me more than once. :) You'd probably see a few pings afterwards the first time they experience that. ;)

In this regard, given that it is a domestic connection with dynamic IP, surely many attempts can be inherited from whoever previously had this IP assigned. While it is true that there are probably remnants of previous scans, this does not mean that IPs from Shodan "care" more, since they may have a clear intention to expose credentials. Hence, take precautions as much as possible.

Quote from: drosophila on December 15, 2025, 11:37:49 PM
So, as has been said: make certain to only have ports open that you know about, and then make certain these services are protected as well as you can manage, and also run only when they actually need to run. The really dangerous stuff would appear in green, indicating something was allowed through. So you'd filter for unexpected connection attempts to the services you do have open and check the logs of these services. You could also try to find any suspicious activity from their pattern (if there is any), and then ponder what could possibly be done to prevent that.
For a while I was wondering about the lucky chance of someone probing a port that has been opened for replies to an outgoing request, but that's why firewalls track those (this is the "state violation" part of the message). Note that if you open some port for games or such you'll not be in immediate danger when the game isn't running: the packet will be allowed into the LAN, reach your PC and then go poof. However, your system will send an ICMP error message, so the attacker knows that a system is reachable on that port, but has nothing there. So it could be used to map you out and plan an attack based on that info, but attackers are lazy and will just move on to find easier prey. Especially with your IP address changing daily, they'd lose track of you unless they are tracking your IP. In that case, you should indeed be worried, but of course you'll never know about that until it's too late (or not even then).

In my case the exposed ports are from P2P applications. They are not from games or anything else. Which means that I can even disable them and enable them again when I need them since I have control of the Firewall myself. This would allow me to analyze the erroneous attempts more slowly and filter the open ports when I have more time to analyze.

Quote from: drosophila on December 15, 2025, 11:37:49 PM
So, the net sure has become busier than a decade ago, but that's a given with the number of devices and people connected. More noise, and more potential victims.

Of course, I have IoT devices that I need to review. Home Assistant is implemented so that in the long run everything will be under local control, but there are some devices that still connect to the manufacturer's cloud and therefore expose part of the system. Hence the intention (not yet implemented) to isolate IoT devices in a separate VLAN as I have done with the Management VLAN for managing Proxmox Hosts and other devices at the administrative level. For me, it is the best way to segment and isolate.

Quote from: drosophila on December 15, 2025, 11:37:49 PM
Ransomware usually arrives through email. Basically, anything with an attachment definitely is, and anything without has links to either phishing or more malware. This has always been the most successful attack, and its likelihood of working against you increases with every account you create: more places to steal information from, more information to be stolen, more context to create a believable scam. Currently, there seems to be quite the success with "Payment declined: your cloud data is in immediate risk of being deleted". Of course this works better than the "African prince inheritance fund" scam, because so many people made the mistake of using cloud storage services. Yes, I think it's a liability for businesses, too.

The cases of Ransomware experienced by third-party companies during my working life activate caution with unknown sources. All accounts that can be compromised with MFA and random passwords of at least 20 self-generated characters, local password manager with access via VPN or local, never from the WAN. And obviously the certainty that princely inheritances do not touch and that if it is necessary to update bank data, for example, the entity must request a visit to an office in person. I think what happens with most people is that they see computing as the use of another household appliance and that they are not aware of the danger of identity theft or data theft with which to blackmail. Although, due to many preventive measures, we are all human and can fall for scams, I think that in this aspect I am sufficiently aware. My concern is more about implementing effective additional protections than believing that in an interconnected world an operator router is sufficient to protect an infrastructure.

Quote from: drosophila on December 15, 2025, 11:37:49 PM
BTW: please correct me if any of my conclusions or reasonings are flawed!
In a world without walls and fences, who needs windows and gates?