Counting remote accessed hosts

FlorinMarian

Nov 13, 2017
Hello!
I own a hosting company and I often face the situation where clients using weak passwords end up being broken into, and at the same time my VPSs become the source of scans against other hosting companies.
I managed to block, through Suricata, the situation in which a client scans a certain IP address for several ports, or tries several passwords against the SSH port.
What I fail to do is prevent a client from sending TCP or UDP packets to detect which IP addresses on a /24 subnet have port 22 (or another specific port) open.
I recently tried iptables with the "hashlimit" module, but from what I've tested, hashlimit doesn't distinguish between accessing the same 4 IP addresses 3 times each in the last x seconds and accessing 12 different IP addresses in the same time frame.
Any help is welcome.
Thanks!
What I fail to do is prevent a client from sending TCP or UDP packets to detect on a subnet /24 which IP addresses have port 22 or another specific port open.
You can write a rule for Suricata, something along the lines of this:
Code:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:20; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
(taken from [0])

For your case you can adjust the count and seconds of the threshold, and you'll have to swap $EXTERNAL_NET and $HOME_NET (since you're trying to detect outbound scans).

Though be aware that there are definitely ways to get around these filters, for example by running a slower and more patient scan. Therefore I wouldn't depend on it too much.

[0]: https://rules.emergingthreats.net/open/suricata/rules/emerging-scan.rules
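Added example, not code from either post above. The ET rule quoted in the reply and the hashlimit match in the question both count events per source; neither counts how many different destination hosts a source has touched, which is the distinction the question asks for (3 hits each on the same 4 hosts versus 1 hit each on 12 hosts). The script below makes that distinction over Suricata EVE JSON "flow" events (the field names timestamp, event_type, src_ip, dest_ip, dest_port and proto are the standard EVE ones; EVE flow logging is assumed to be enabled). It keeps a per-source sliding window of (time, destination) pairs and records both the number of distinct hosts and the raw event count seen in any 120-second span, then flags sources that crossed a distinct-host threshold. The sample events, the tenant addresses, the 120 s window and the threshold of 8 hosts are all constructed for the example; the third tenant probes one host every 100 s and shows the slow-scan evasion the reply warns about.

```python
"""Flag sources that touch many distinct hosts on one port within a sliding window.

Added example for the thread above; assumes Suricata EVE JSON flow events as input.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

PORT = 22            # port being probed (22 as in the thread)
WINDOW = 120         # seconds; same window as the quoted ET rule's threshold
DISTINCT_HOSTS = 8   # assumption: flag a source once it has touched 8 hosts within WINDOW

# --- constructed sample data (not real logs) -------------------------------
_BASE = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)


def _eve_ts(offset_s):
    """Format a timestamp the way EVE does: 2024-01-01T10:00:00.000000+0000."""
    return (_BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%S.%f%z")


def _flow(offset_s, src, dst, port=PORT):
    return json.dumps({"timestamp": _eve_ts(offset_s), "event_type": "flow",
                       "src_ip": src, "dest_ip": dst, "dest_port": port, "proto": "TCP"})


SAMPLE = []
# 10.0.0.5: 12 connections, but only to 4 hosts (e.g. a tenant managing its own boxes)
for i in range(12):
    SAMPLE.append(_flow(i, "10.0.0.5", f"203.0.113.{1 + i % 4}"))
# 10.0.0.9: 12 connections, one per host, within a few seconds -> a /24 sweep
for i in range(12):
    SAMPLE.append(_flow(i, "10.0.0.9", f"203.0.113.{10 + i}"))
# 10.0.0.7: the same sweep spread out to one host every 100 s -> never >2 hosts per WINDOW
for i in range(12):
    SAMPLE.append(_flow(100 * i, "10.0.0.7", f"203.0.113.{40 + i}"))


# --- detection --------------------------------------------------------------
def _parse(line):
    ev = json.loads(line)
    # %z accepts the "+0000" form that EVE writes
    return ev, datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")


def scan_stats(lines, port=PORT, window=WINDOW):
    """Per source IP: (max distinct destination hosts, max events) observed in any
    trailing `window`-second span of TCP flows to `port`.
    Events must arrive in time order per source (they do in a live eve.json)."""
    recent = defaultdict(deque)   # src_ip -> deque[(datetime, dest_ip)], oldest first
    stats = {}
    span = timedelta(seconds=window)
    for line in lines:
        ev, t = _parse(line)
        if ev.get("event_type") != "flow" or ev.get("proto") != "TCP" or ev.get("dest_port") != port:
            continue
        src = ev["src_ip"]
        q = recent[src]
        q.append((t, ev["dest_ip"]))
        while t - q[0][0] > span:          # drop entries that fell out of the window
            q.popleft()
        distinct = len({dst for _, dst in q})
        best_distinct, best_events = stats.get(src, (0, 0))
        stats[src] = (max(best_distinct, distinct), max(best_events, len(q)))
    return stats


def flag_sweeps(stats, threshold=DISTINCT_HOSTS):
    """Sources whose distinct-host count reached the threshold (a per-source event
    counter would not separate 10.0.0.5 from 10.0.0.9: both have 12 events)."""
    return sorted(src for src, (distinct, _) in stats.items() if distinct >= threshold)


if __name__ == "__main__":
    s = scan_stats(SAMPLE)
    for src, (distinct, events) in sorted(s.items()):
        print(f"{src}: {distinct} distinct hosts, {events} events in any {WINDOW}s window")
    print("flagged:", flag_sweeps(s))
```

Run against a live eve.json (`tail -F` piped into `scan_stats`) this only detects; to block you would still feed the flagged source addresses to your firewall. The slow tenant 10.0.0.7 is never flagged because it never has more than two hosts inside one window, which is exactly why a longer window or a lower threshold trades false positives against the patient scanner the reply mentions.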