How to mitigate port scan attacks

  • Hello, after resolving some DDoS attacks on DNS services, I have
    seen that they are trying to attack my server with port scan techniques,
    and I have dealt with it as follows:



    Install the "portsentry" tool (with apt-get or aptitude):
    # apt-get install portsentry


    Modify the configuration file:
    # nano /etc/portsentry/portsentry.conf



    In the section "Ignore Options", uncomment the following:

    # BLOCK_UDP="0"
    # BLOCK_TCP="0"

    and replace them with:

    BLOCK_UDP="1"
    BLOCK_TCP="1"


    Save the file and exit.


    Restart the service:
    # /etc/init.d/portsentry restart



    Check the log:
    # cat /var/log/syslog | grep attack


    Oct  4 03:18:38 ns1 portsentry[3019]: attackalert: Connect from host: 185.94.111.1/185.94.111.1 to UDP port: 161
    Oct  4 03:18:38 ns1 portsentry[3019]: attackalert: Host 185.94.111.1 has been blocked via wrappers with string: "ALL: 185.94.111.1 : DENY"
    Oct  4 03:18:38 ns1 portsentry[3019]: attackalert: Host 185.94.111.1 has been blocked via dropped route using command: "/sbin/route add -host 185.94.111.1 reject"
    Oct  4 05:48:03 ns1 portsentry[3019]: attackalert: Connect from host: 52.11.245.77/52.11.245.77 to UDP port: 54321
    Oct  4 05:48:03 ns1 portsentry[3019]: attackalert: Host 52.11.245.77 has been blocked via wrappers with string: "ALL: 52.11.245.77 : DENY"
    Oct  4 05:48:03 ns1 portsentry[3019]: attackalert: Host 52.11.245.77 has been blocked via dropped route using command: "/sbin/route add -host 52.11.245.77 reject"
    Oct  4 09:04:19 ns1 portsentry[3015]: attackalert: Connect from host: 139.162.187.232/139.162.187.232 to TCP port: 11
    Oct  4 09:04:19 ns1 portsentry[3015]: attackalert: Host 139.162.187.232 has been blocked via wrappers with string: "ALL: 139.162.187.232 : DENY"


    In the file "hosts.deny" we can see the IPs that were blocked.



    # cat /etc/hosts.deny


    ALL: 47.197.167.26 : DENY
    ALL: 168.1.128.36 : DENY
    ALL: 184.73.98.190 : DENY
    ALL: 168.1.128.52 : DENY
    ALL: 5.39.218.246 : DENY
    ALL: 216.244.87.10 : DENY
    ALL: 95.215.60.214 : DENY
    ALL: 45.119.208.111 : DENY
    ALL: 216.218.206.66 : DENY
    ALL: 93.158.215.57 : DENY
    ALL: 74.82.47.53 : DENY
    ALL: 190.232.179.83 : DENY
    ALL: 169.54.244.93 : DENY
    ALL: 72.251.244.205 : DENY
    ALL: 207.244.96.136 : DENY
    ALL: 93.174.93.100 : DENY
    ALL: 89.248.168.6 : DENY
    ALL: 169.54.233.118 : DENY
    ALL: 71.6.146.186 : DENY
    ALL: 169.54.233.121 : DENY
    ALL: 69.164.201.113 : DENY
    ALL: 43.241.237.177 : DENY
    ALL: 163.172.129.15 : DENY
    ALL: 198.148.116.133 : DENY
    ALL: 164.132.99.67 : DENY
    ALL: 120.52.20.137 : DENY
    ALL: 120.52.20.138 : DENY
    ALL: 92.222.78.92 : DENY
    ALL: 184.105.139.94 : DENY
    ALL: 204.42.253.130 : DENY
    ALL: 209.126.136.2 : DENY
    ALL: 184.105.139.67 : DENY
    ALL: 185.94.111.1 : DENY
    ALL: 52.11.245.77 : DENY
    ALL: 139.162.187.232 : DENY


    There is another tool called psad.


    Greetings, I hope this will be helpful to the community. :thumbsup:


    Sorry for my English. :D
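    Added example, not part of Mario's post or of the portsentry project: a small Python script that does the "check the log" and "look at hosts.deny" steps above programmatically. It parses portsentry's attackalert lines out of syslog, builds a per-source summary of which ports were probed and how the host was blocked, and then cross-checks the result against hosts.deny. Two checks are worth having in practice. First, portsentry blocks a source after a single packet, and the source address of a UDP datagram is trivially spoofed, so an attacker who knows the address of your secondary nameserver or monitoring host can get it denied on your behalf; the script flags any denied address that is on a never-block list (in real use those addresses also belong in /etc/portsentry/portsentry.ignore). Second, a reject route added with /sbin/route is gone after a reboot while a hosts.deny entry persists, so hosts blocked only by route are reported separately. The syslog lines, the hosts.deny contents and the NEVER_BLOCK set are constructed in the documentation address ranges and are not the thread's data.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape portsentry writes to syslog
# (documentation addresses, not the thread's real data).
SAMPLE_SYSLOG = """\
Oct  4 03:18:38 ns1 portsentry[3019]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to UDP port: 161
Oct  4 03:18:38 ns1 portsentry[3019]: attackalert: Host 198.51.100.7 has been blocked via wrappers with string: "ALL: 198.51.100.7 : DENY"
Oct  4 03:18:38 ns1 portsentry[3019]: attackalert: Host 198.51.100.7 has been blocked via dropped route using command: "/sbin/route add -host 198.51.100.7 reject"
Oct  4 05:48:03 ns1 portsentry[3019]: attackalert: Connect from host: 203.0.113.9/203.0.113.9 to UDP port: 54321
Oct  4 05:48:03 ns1 portsentry[3019]: attackalert: Host 203.0.113.9 has been blocked via dropped route using command: "/sbin/route add -host 203.0.113.9 reject"
Oct  4 09:04:19 ns1 portsentry[3015]: attackalert: Connect from host: 192.0.2.44/192.0.2.44 to TCP port: 11
Oct  4 09:04:19 ns1 portsentry[3015]: attackalert: Host 192.0.2.44 has been blocked via wrappers with string: "ALL: 192.0.2.44 : DENY"
Oct  4 09:04:20 ns1 portsentry[3015]: attackalert: Connect from host: 192.0.2.44/192.0.2.44 to TCP port: 15
Oct  4 09:05:01 ns1 portsentry[3015]: attackalert: Connect from host: 192.0.2.1/192.0.2.1 to TCP port: 1
Oct  4 09:05:01 ns1 portsentry[3015]: attackalert: Host 192.0.2.1 has been blocked via wrappers with string: "ALL: 192.0.2.1 : DENY"
Oct  4 09:10:00 ns1 sshd[4100]: Accepted publickey for admin from 192.0.2.50 port 51234 ssh2
"""

# Constructed hosts.deny contents; 192.0.2.44 is deliberately missing.
SAMPLE_HOSTS_DENY = """\
ALL: 198.51.100.7 : DENY
ALL: 192.0.2.1 : DENY
"""

# Hypothetical never-block list: e.g. the secondary nameserver. A spoofed
# UDP packet "from" this address is enough to make portsentry deny it.
NEVER_BLOCK = {"192.0.2.1"}

CONNECT_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Connect from host: "
    r"(?P<host>[\d.]+)/\S+ to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)
BLOCK_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Host (?P<host>[\d.]+) has been blocked via "
    r"(?P<method>wrappers|dropped route)"
)
DENY_RE = re.compile(r"^ALL:\s*(?P<host>[\d.]+)\s*:\s*DENY\s*$")


def parse_attackalerts(text):
    """Return {host: {"probes": [(proto, port), ...], "blocked_via": set()}}.

    Non-portsentry lines (like the sshd line above) are ignored.
    """
    hosts = defaultdict(lambda: {"probes": [], "blocked_via": set()})
    for line in text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            hosts[m["host"]]["probes"].append((m["proto"], int(m["port"])))
            continue
        m = BLOCK_RE.search(line)
        if m:
            hosts[m["host"]]["blocked_via"].add(m["method"])
    return dict(hosts)


def parse_hosts_deny(text):
    """Return the set of addresses denied by 'ALL: <ip> : DENY' lines."""
    return {m["host"] for m in map(DENY_RE.match, text.splitlines()) if m}


def reconcile(syslog_text, hosts_deny_text, never_block=frozenset()):
    """Cross-check what portsentry logged against hosts.deny.

    logged_not_denied: blocked via wrappers per the log, but absent from hosts.deny
    collateral:        denied addresses that are on the never-block list
    route_only:        blocked by a reject route only (lost on reboot)
    """
    alerts = parse_attackalerts(syslog_text)
    denied = parse_hosts_deny(hosts_deny_text)
    wrapped = {h for h, d in alerts.items() if "wrappers" in d["blocked_via"]}
    routed = {h for h, d in alerts.items() if "dropped route" in d["blocked_via"]}
    return {
        "logged_not_denied": sorted(wrapped - denied),
        "collateral": sorted(denied & set(never_block)),
        "route_only": sorted(routed - wrapped),
    }


if __name__ == "__main__":
    for host, d in sorted(parse_attackalerts(SAMPLE_SYSLOG).items()):
        print(host, d["probes"], sorted(d["blocked_via"]))
    print(reconcile(SAMPLE_SYSLOG, SAMPLE_HOSTS_DENY, NEVER_BLOCK))
```

    On a real box you would feed it the output of the grep above and the contents of /etc/hosts.deny instead of the constructed strings; the regexes match the message formats portsentry uses for TCP and UDP connect alerts and for the wrappers and route block actions.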

  • @Mario


    Please fix your thread by using bbcode where needed.
