Port scans are used for both good and bad reasons. If you’re trying to protect a server, scanning all the ports will tell you what ports are open and responding. That way, you can take the necessary steps to secure those ports. If your running a web server, you obviously don’t have to worry about those particular ports.
Some hackers use port scans to find out what ports are open to attack. If you neglect to secure your SSH, FTP and mail servers properly, they become primary hacker targets. There are multiple ways to make sure port scans won’t help them at all.
I mentioned moving services to other ports when I wrote about hardening my server, but I no longer think it’s necessary. It doesn’t hurt to move them and I haven’t moved mine back to their original ports. I’m lazy.
Again, I wrote about it when I wrote about hardening my server. Unfortunately, it’s easy to lock yourself out if you get a new IP address from your ISP and it’s not allowed.
I use Webmin as my control panel and I can edit the allow file from there if I can’t connect by SSH.
Limiting your allow file to the subnets you connect to the Internet with will block most port scans. The only ones that can get through are the ones within the allowed subnets.
If a port scan reveals your SSH server, it won’t do the attacker any good if it’s impossible to log in. Securing that port is simple – disable root access and use only public key authentication.
Use TLS with an FTP server and disable root access. Other application servers should be treated like your SSH and FTP servers as much as possible.
If you disable root access, only super users can log in. If you’re using TLS/SSL for every connection, hackers have to get two pieces of information instead of one. The first is the user name and the second is the password. Unless you expose the user name, it will take forever to find out both the user name and the password. And this is only from the allowed subnets.
I use the ConfigServer Security & Firewall (CSF) application from within Webmin to automatically block automated port scans for 24 hours.
I only need to block the automated port scans coming from the allowed subnets but I can’t fine-tune CSF to ignore the rest. It’s an all or nothing process. It’s okay, though, because blocking port scans on a port that’s already blocked doesn’t hurt anything.
CSF is blocking 300+ IP addresses per day for me. I have it set to block after two scans. Imagine how many scans will take place if I don’t block them at all.
I don’t like to take chances. A server can only accept a certain amount of connections per second. I want people to visit my websites and they can’t do that if something like automated port scans eat up all the connections.
By: RT Cunningham
January 28, 2017
Previous and Next Articles: