Port Scanning robots

Discussion in 'Tomato Firmware' started by radionerd, May 29, 2013.

  1. radionerd

    radionerd Networkin' Nut Member

    My router has been getting hammered by port scanner robots for a while. Several IP's from China have been port scanning me daily for months. They sometimes scan a dozen ports in less than a second. Some scanners rotate to different IP's. Most are from China, but not all.

    I wonder if someone has ever built a script that could trigger a timed IP ignore list? When the IP scans a commonly scanned “trigger” port. This dream script would trigger on specific ports that could be added by the user. Some ports that get scanned: 21,23,139,5900,8008,9000,9090,9100, and SPT=12200. The naughty robot scans a trigger port, then his IP is put into timeout, ignored for a while. One log entry is generated “Port Scanner put into timeout” for a time like an hour. Once timeout is over a log entry like “ Port scanner timeout expired”. Wet dream script could add the IP to a blocked list. I know, I'm totally dreaming now ;-)

    Something like this could possibly keep the robot from landing on open ports, save cpu from creating hundreds on log entry’s, and mostly create smiles when a log entry is read “Sit in the time out chair for 3600”. I found a script here that I think does some of this.

  2. ryzhov_al

    ryzhov_al Addicted to LI Member

    I see RT-N66U on avatar:) There will be no problem for using ipset to block port scan from China, here is my how-to.
  3. radionerd

    radionerd Networkin' Nut Member

    Thank you, I have followed your thread, and have considered trying it. Now I will give it a try :)
    Will add some Ru block, and some Texas block too;-)
  4. ryzhov_al

    ryzhov_al Addicted to LI Member

    My example blocks incoming connection to router (INPUT iptables chain) and not blocks connections form clients behind a router (FORWARD chain). So port scanning will blocked from China, but Chinese sites will be stay available for LAN clients (Russian too;-)
  5. Aleksazhko

    Aleksazhko Reformed Router Member

    Does it require additional resources of CPU&RAM permanently? Or it runs only in case of admin's access attempt?
  6. Aleksazhko

    Aleksazhko Reformed Router Member

    Could anyone explain? Bump for Great Justice!
  7. phuque99

    phuque99 LI Guru Member

    What ports (forwarded and incoming) do you have opened on the router? If bots are scanning non-open ports, it is a non-issue because traffic is dropped automatically by the router.
  8. ntest7

    ntest7 Network Guru Member

    Here's a little script I use to "blacklist" WAN ports. Any connection to a banned port blocks the client for an hour. This should work on any non-ancient tomato. This only blocks on scans from the WAN/internet, local/LAN users can do what they please.

    Note that port scanning on the internet is a fact of life, and someone scanning a closed port can't hurt you. So while this script may make me feel better, it's actual security value is debatable. The counter argument is that a scanner has demonstrated bad intentions, so blocking them completely is a good thing.

    And it's fun to watch the logs. I've got ~20 sites with either cable or DSL connections. Most sites block less than 5 scans/day, but a couple lucky ones consistently block over 100 scans/day.

    Paste this into the Scripts->Firewall page.

    # block port scanners for a while
    iptables -I INPUT  -m recent --name portscan --remove
    iptables -I INPUT  -m recent --name portscan --rcheck --seconds 3600 -j DROP
    iptables -I FORWARD -m recent --name portscan --remove
    iptables -I FORWARD -m recent --name portscan --rcheck --seconds 3600 -j DROP
    # blacklisted ports. Adjust as needed.
    iptables -A INPUT  -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan: "
    iptables -A INPUT  -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
    iptables -A INPUT  -p tcp -m tcp --dport 23 -m recent --name portscan --set -j LOG --log-prefix "Portscan: "
    iptables -A INPUT  -p tcp -m tcp --dport 23 -m recent --name portscan --set -j DROP
    iptables -A INPUT  -p tcp -m tcp --dport 445 -m recent --name portscan --set -j LOG --log-prefix "Portscan: "
    iptables -A INPUT  -p tcp -m tcp --dport 445 -m recent --name portscan --set -j DROP
    Aleksazhko likes this.
  9. Aleksazhko

    Aleksazhko Reformed Router Member

    Many-many thanks! Unfortunatelly, i'm not strong nix guru for now.
    Does your script open listed ports? I guess yes, because it needs to hear someone's scan. So i need to add some ports like 21,22 and several others plus not to use these ports for my own prurposes?
    Actually i've portmapped some another ports like 24, 40, 888, 1403, 8585 and many others for my internal services.
    And now, even if those services may content any known by bad man vulnerabilities, bad man will meet with banhummer before he touches my opened ports.
  10. Aleksazhko

    Aleksazhko Reformed Router Member

    so, my list of ports causing banhummer looks this way:
    21, 22, 25, 25, 80, 111, 137, 139, 443, 445, 3306, 3389, 4899

    Is it ok?

    firstly i added 8080, but then i've excluded this one because it caused 4 records per one hour
  11. ntest7

    ntest7 Network Guru Member

    Yes, the iptables commands open the ports, no additional commands are necessary. (although the ports must be open to listen for connections, a portscan will show them closed because the scanner gets blocked)

    Feel free to add or change the ports monitored as you see fit. I used to monitor many more ports, but simplified the list to the most frequently abused ports here. I wouldn't be surprised if different areas see different abuse patterns.
  12. Aleksazhko

    Aleksazhko Reformed Router Member

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice