On Fri, Dec 22, 2017 at 08:33:23PM +0000, Glenn English wrote:
> Debian Squeeze (?) very old anyway, Dell server, Juniper SSG5
> firewall. 1,000 miles away.
>
> I've started getting email from the firewall down there saying that it
> detected a port scan. Often enough of them to concern me -- several
> times a day.
>
> -- One just came in. Another 4 hours ago. From different IPs, from
> different (RIPE) countries. --
>
> Is there any way to stop them? AFAIK, there isn't. I sure can't think of a
> way.
>
> The 'JuniperUsers list' says to talk to my upstream ISP. But I don't
> see how that would help if they can't do anything either (they also
> use Juniper).
>
> The firewall blocks them after it sees 10 hits from the same IP in
> 5000 microseconds. But by then Nmap (or eq) has hit 10 ports.
>
> Am I overly paranoid here? What if a non-script-kiddie is also doing
> this, but slowly enough that the firewall doesn't detect it?
This is part of the background noise of the Internet.

What you can do:

- make sure your firewall only allows in new connections that you
  actually want.

- rate limit new connections.

- run fail2ban or similar detect-and-block scanners on the ports that
  you have open. In addition to the basic config, I recommend a
  perma-ban list for IPs that hit you repeatedly over long periods of
  time. And always keep your whitelist up to date.

- keep up to date with security-related packages

-dsr-
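The detect-and-block behaviour the reply recommends (a temporary ban after a burst of hits on distinct ports, a permanent list for sources that get banned repeatedly over a long period, and a whitelist that is never banned), written out as an added example; this is not code from the thread or from fail2ban, and the log line format, thresholds and addresses are all constructed. The slow-scan case raised in the question is included to show that a short detection window on its own does not catch it.

```python
import re
from collections import defaultdict, deque
# Constructed netfilter-style LOG line: "<epoch> ... SRC=a.b.c.d ... DPT=n"
LOG_RE = re.compile(r"^(?P<ts>[\d.]+) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")

class ScanDetector:
    """Tier 1: max_ports distinct ports from one source inside `window` s ->
    temporary ban.  Tier 2 (like fail2ban's recidive): `repeat` bans inside
    `long_window` s -> permanent list.  Thresholds are assumed values."""
    def __init__(self, max_ports=10, window=5.0, repeat=3,
                 long_window=7 * 86400, whitelist=()):
        self.max_ports, self.window = max_ports, window
        self.repeat, self.long_window = repeat, long_window
        self.whitelist, self.perma_banned = set(whitelist), set()
        self.hits = defaultdict(deque)       # src -> (ts, dpt) inside window
        self.ban_times = defaultdict(deque)  # src -> timestamps of past bans

    def feed(self, line):
        """Process one log line; return ("temp"|"perma", src) or None."""
        if not (m := LOG_RE.match(line)):
            return None
        ts, src, dpt = float(m["ts"]), m["src"], int(m["dpt"])
        if src in self.whitelist or src in self.perma_banned:
            return None                      # never ban friends; already gone
        q = self.hits[src]
        q.append((ts, dpt))
        while ts - q[0][0] > self.window:    # forget hits outside the window
            q.popleft()
        if len({p for _, p in q}) < self.max_ports:
            return None                      # a slow scan never trips this
        q.clear()
        bans = self.ban_times[src]
        bans.append(ts)
        while ts - bans[0] > self.long_window:
            bans.popleft()
        if len(bans) >= self.repeat:
            self.perma_banned.add(src)
            return ("perma", src)
        return ("temp", src)

def replay(lines, **kw):  # feed a log (each source in time order) -> (actions, detector)
    det = ScanDetector(**kw)
    return [a for a in map(det.feed, lines) if a], det

def make_lines(src, ts0, step, ports):  # constructed sample lines for one source
    return [f"{ts0 + i * step:.1f} kernel: IN=eth0 SRC={src} DST=192.0.2.1 "
            f"PROTO=TCP DPT={p}" for i, p in enumerate(ports)]
SAMPLE_LOG = (make_lines("203.0.113.5", 100, 0.1, range(1, 11))    # fast scan
              + make_lines("192.0.2.9", 100, 10, range(1, 11))     # slow scan
              + make_lines("203.0.113.5", 200, 0.1, range(1, 11))  # second time
              + make_lines("198.51.100.7", 250, 0.1, range(1, 13)) # whitelisted
              + make_lines("203.0.113.5", 300, 0.1, range(1, 11))) # third time
```

Running replay(SAMPLE_LOG, whitelist={"198.51.100.7"}) yields two temporary bans and then a permanent one for 203.0.113.5, and nothing at all for the slow scanner or the whitelisted host.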