Prevent port scanning from KVM to internet

FlorinMarian

Hi, there!
I would like to know if such a solution exists: any kind of software to implement at host level to detect users who are using our IPs for port scanning and brute-forcing servers over the internet.
Unfortunately we're very close to losing our leased /24 subnet and we need such a solution to avoid this situation.
Any tip is welcome.
Thank you!
 

oguz

Proxmox Staff Member
hi,

> I would like to know if such a solution exists: any kind of software to implement at host level to detect users who are using our IPs for port scanning and brute-forcing servers over the internet.

port scans would trigger a lot of packets to a large number of ports on different hosts.

detection methods can be anything from monitoring for simple thresholds and patterns (e.g. number of ports connected to from a single origin over a period of time), to anomaly models based on expected network behavior.

> Any tip is welcome.

i've heard of:
* scanlogd (around for a long time)
* sentry tools (portsentry, logsentry, hostsentry etc.)
* IDS/IPS systems like suricata or snort (both are open source as well)

hope this helps!
 

FlorinMarian

> hi,
>
> port scans would trigger a lot of packets to a large number of ports on different hosts.
>
> detection methods can be anything from monitoring for simple thresholds and patterns (e.g. number of ports connected to from a single origin over a period of time), to anomaly models based on expected network behavior.
>
> i've heard of:
> * scanlogd (around for a long time)
> * sentry tools (portsentry, logsentry, hostsentry etc.)
> * IDS/IPS systems like suricata or snort (both are open source as well)
>
> hope this helps!

Thank you for the help!
Suricata seems promising.
Does anyone have an idea where I can find rules to defend against outbound SSH brute force & port scanning?
Thank you!
 

oguz

Proxmox Staff Member
> Does anyone have an idea where I can find rules to defend against outbound SSH brute force & port scanning?

for example:
Code:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:2100624; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

from [0] (they have a bunch of other ones there). the rule here should be matching a TCP SYN scan (flags:SF,12)

[0]: https://github.com/jpalanco/alienva...ules/1.3.1/emerging.rules/emerging-scan.rules
 

FlorinMarian

> for example:
> Code:
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:2100624; rev:8; metadata:created_at 2010_09_23, updated_at 2010_09_23;)
>
> from [0] (they have a bunch of other ones there). the rule here should be matching a TCP SYN scan (flags:SF,12)
>
> [0]: https://github.com/jpalanco/alienva...ules/1.3.1/emerging.rules/emerging-scan.rules

Isn't this rule for inbound traffic?
 

FlorinMarian

Hello!
Does anyone have any idea if the maximum number of external connections to a certain port can be controlled from the proxmox Firewall or from Suricata, but without saying which port it is?
Automatically track external connections for each port in order to discover the scans coming from my clients depending on the port.
Solving this for port 22 alone is not a solution, unfortunately.
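
The threshold approach from oguz's first reply (distinct targets from a single origin over a period of time), applied per guest and per destination port without naming any port in advance as the last post asks, sketched as an added example that is not part of the thread and is not Proxmox or Suricata code. The flow records, addresses, window and limits are constructed assumptions; real records would have to come from whatever connection logging the host provides.

```python
from collections import defaultdict, deque

WINDOW = 60              # seconds of history kept per counter (assumed value)
MAX_HOSTS_PER_PORT = 20  # distinct destinations one guest may hit on one port
MAX_PORTS_PER_HOST = 15  # distinct ports one guest may hit on one destination

def detect_scans(flows, window=WINDOW, max_hosts=MAX_HOSTS_PER_PORT,
                 max_ports=MAX_PORTS_PER_HOST):
    """flows: iterable of (epoch_seconds, guest_ip, dst_ip, dst_port) for
    outbound connection attempts. Returns {(guest_ip, kind, key): first_alert_ts}."""
    recent = defaultdict(deque)   # (guest, kind, key) -> deque of (ts, value)
    alerts = {}
    for ts, src, dst, dport in sorted(flows):
        # horizontal: same port, many hosts (sweep or brute force on any port)
        # vertical:   same host, many ports (classic port scan)
        for kind, key, value, limit in (("horizontal", dport, dst, max_hosts),
                                        ("vertical", dst, dport, max_ports)):
            q = recent[(src, kind, key)]
            q.append((ts, value))
            while q[0][0] <= ts - window:   # expire entries outside the window
                q.popleft()
            if len({v for _, v in q}) > limit:
                alerts.setdefault((src, kind, key), ts)
    return alerts

def sample_flows():
    """Constructed records using documentation address ranges."""
    flows = [(i, "192.0.2.10", f"198.51.100.{i + 1}", 22) for i in range(30)]
    flows += [(100 + p, "192.0.2.11", "203.0.113.5", p) for p in range(1, 41)]
    # Busy but legitimate guest: one new SMTP peer every 10 s stays under the limit.
    flows += [(10 * i, "192.0.2.12", f"198.51.100.{i + 1}", 25) for i in range(30)]
    return flows

if __name__ == "__main__":
    hits = detect_scans(sample_flows())
    for (guest, kind, key), ts in sorted(hits.items(), key=lambda kv: kv[1]):
        print(f"t={ts}s guest={guest} {kind} scan, key={key}")
```

The returned guest address is the one to rate-limit or suspend; the limits need tuning against each guest's normal traffic before any automatic blocking is attached.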
 
