Some of our users are launching port scans on Internet servers. These users connect to our servers using ssh and openvpn. We obviously suspend their accounts where appropriate however I'd like to find a technical solution that either prevents the scan or discourages them (e.g. by slowing it down). Obviously psad is designed to be used to scan the logs of servers being attacked however is it possible to use it to detect port scans on the originating server? i.e. could I create a set of rules on our server that would mimic the logs generated on the receiving server and point psad at it?

The best solution I have come up with is to use the 'recent' module but it still blocks a lot of legitimate traffic.

 # Log suspected port scanners
iptables -A Limit_Pscan -p tcp --syn -m state --state NEW -m recent --name port_scan --rcheck --seconds 10 --hitcount 30 -j LOG --log-prefix 'PORT SCANNER(?): '

# Drop connections where packets > 29 in 10 second period.
iptables -A Limit_Pscan -p tcp --syn -m state --state NEW -m recent --update --name port_scan --seconds 10 --hitcount 30 -j DROP

# Allow and add the source address of the packet to the port_scan list
iptables -A Limit_Pscan -p tcp --syn -m state --state NEW -m recent --set --name port_scan


Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
psad-discuss mailing list

Reply via email to