Port Scan

ploteus
Junior Member
Posts: 2
Joined: 27 Jan 2023, 08:26

Port Scan

Post by ploteus »

Hello!
I have set the port scan function to below on Debian 10:
PS_INTERVAL = 60
PS_LIMIT = 20
It seems to consider all 443 connections as new connections and bans the client. Any idea why this might be?

Time: Thu Jan 26 16:51:58 2023 +0100
IP: 195.38.120.xxx
Hits: 21
Blocked: Temporary Block for 3600 seconds [PS_LIMIT]

Sample of block hits:
Jan 26 16:51:13 server kernel: [676129.460737] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:4xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=20217 DF PROTO=TCP SPT=43877 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:21 server kernel: [676137.687762] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=36117 DF PROTO=TCP SPT=47518 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:21 server kernel: [676137.702223] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=55334 DF PROTO=TCP SPT=47538 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:21 server kernel: [676137.703707] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=26193 DF PROTO=TCP SPT=47526 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:21 server kernel: [676137.709743] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=33120 DF PROTO=TCP SPT=47554 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:23 server kernel: [676139.191808] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=60353 DF PROTO=TCP SPT=50326 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:25 server kernel: [676141.204881] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=48296 DF PROTO=TCP SPT=41685 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:28 server kernel: [676144.533986] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=15120 DF PROTO=TCP SPT=41739 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:33 server kernel: [676149.201303] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=57948 DF PROTO=TCP SPT=42755 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:33 server kernel: [676149.210265] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=30318 DF PROTO=TCP SPT=42762 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:33 server kernel: [676149.211646] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=48246 DF PROTO=TCP SPT=42763 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:35 server kernel: [676151.188533] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=48993 DF PROTO=TCP SPT=43308 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:37 server kernel: [676153.844570] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=65113 DF PROTO=TCP SPT=42000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:39 server kernel: [676155.864519] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=65114 DF PROTO=TCP SPT=42000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:44 server kernel: [676160.463894] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=12529 DF PROTO=TCP SPT=52270 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:44 server kernel: [676160.471034] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=63613 DF PROTO=TCP SPT=52294 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:45 server kernel: [676161.213904] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=19755 DF PROTO=TCP SPT=44782 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:47 server kernel: [676163.189687] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=61280 DF PROTO=TCP SPT=45341 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:49 server kernel: [676165.207419] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=19296 DF PROTO=TCP SPT=45540 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:51 server kernel: [676167.191354] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=20479 DF PROTO=TCP SPT=45536 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 26 16:51:55 server kernel: [676171.610614] Firewall: *Port Flood* IN=enp7s0 OUT= MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=57870 DF PROTO=TCP SPT=46518 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
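To see what PS_INTERVAL and PS_LIMIT actually count in the block hits above, here is an added Python example (my code, not csf's): it parses the kernel "Firewall:" lines, keeps a per-source sliding window of PS_INTERVAL seconds and reports the peak hit count plus the set of destination ports hit, which tells a single-port flood apart from a scan across ports. The threshold rule (block once more than PS_LIMIT logged hits fall within PS_INTERVAL seconds) is my reading of the csf.conf description, and the sample lines are constructed from the 21 timestamps in the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the "Firewall:" kernel log lines in the post; groups pull out the
# timestamp, the rule tag between the asterisks, the source IP and the port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[[\d.]+\] Firewall: "
    r"\*(?P<rule>[^*]+)\* .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: 21 lines in the format of the block hits above, using
# the 21 timestamps from the post (year assumed to be 2023; SRC kept masked).
_SECONDS = [13, 21, 21, 21, 21, 23, 25, 28, 33, 33, 33, 35, 37, 39, 44, 44, 45, 47, 49, 51, 55]
SAMPLE_LINES = [
    f"Jan 26 16:51:{s:02d} server kernel: [676129.0] Firewall: *Port Flood* IN=enp7s0 OUT= "
    f"MAC=04:xx0 SRC=195.38.120.xxx DST=157.xx.xx.xx.xx LEN=60 TOS=0x00 PREC=0x00 TTL=52 "
    f"ID={20000 + i} DF PROTO=TCP SPT={43000 + i} DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0"
    for i, s in enumerate(_SECONDS)
]

def parse_hit(line, year=2023):
    """Return (timestamp, rule, src, dpt) for a firewall log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["rule"], m["src"], int(m["dpt"])

def port_scan_hits(lines, ps_interval=60, ps_limit=20):
    """Sliding-window hit count per source. Assumed rule (my reading of
    csf.conf, not csf's code): block once more than ps_limit logged hits
    fall within ps_interval seconds. Returns {src: (peak, ports, blocked)}."""
    windows = defaultdict(deque)
    result = {}
    for line in lines:
        hit = parse_hit(line)
        if hit is None:
            continue  # not a firewall block line: sshd, cron and other syslog noise
        ts, _rule, src, dpt = hit
        win = windows[src]
        win.append(ts)
        while (ts - win[0]).total_seconds() > ps_interval:
            win.popleft()  # drop hits older than the interval
        peak, ports, _ = result.get(src, (0, set(), False))
        ports.add(dpt)  # one port only => flood/rate-limit hits, not a scan
        peak = max(peak, len(win))
        result[src] = (peak, ports, peak > ps_limit)
    return result
```

On the sample, the source reaches 21 hits inside the 60-second window with every hit on port 443, so the tracker fires even though no second port was ever probed.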
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Port Scan

Post by Sergio »

Do you trust IP: 195.38.120.XXX?
Do you have port 443 open in your firewall?
Does your server have a valid SSL certificate for HTTPS?

That IP is trying to connect to your HTTPS, but your firewall is blocking it.
From what it shows, there are so many attempts in a very short time period that it could be considered an attack, and your firewall is doing its job by blocking the IP.
ploteus
Junior Member
Posts: 2
Joined: 27 Jan 2023, 08:26

Re: Port Scan

Post by ploteus »

You have confused CT_LIMIT with PS_LIMIT. 21 connections is not a lot for CT_LIMIT.
But that was not the question. :)