RT Cunningham


Reduced Port Scan Blocking on My Hardened Virtual Server

port scan In August of 2016, I wrote about hardening my VPS. In January of 2017, I wrote about blocking port scans. I don’t need to do a lot of port scan blocking. I’ll explain.

After thinking about it (yes, it hurt) earlier today, I realized I only need to block port scans from the Philippines. Even though I only need to focus on the subnets my IP addresses come from, it doesn’t hurt to block them all. I don’t get a lot of port scans from the Philippines. My cron-enabled PHP script found less than 50 in the logs for the last two days.

The Port Scan Blocks Fill in the Gaps

I restrict my SSH and FTP servers and my Webmin control panel to the subnets I connect to. With SSH, I have to log in as a regular user using a private key and then “sudo” to become root. Root login is disabled and password login is disabled. With FTP, it’s about the same. I can’t login as root.

Although there isn’t a way to get into any of my software servers because the user name I use isn’t publicly available, someone could get lucky. If a port scan finds the ports I moved them to, I’ll have to deal with dictionary attacks. It’s better to keep the port scanners at bay, regardless of how few they are.

I see port scans from all kinds of places when I look through the system logs. Places that never view a single page on my website. None of them can connect to an open port unless it’s the web server or they’re from one of my subnets. There are only six open ports.

Port Scan Blocking for Other Reasons

Blocking IP address ranges at the web server works to keep the unwanted bots at bay, but IP address blocking at the firewall is more effective. I can block all ports instead of just the web server ports.

Blocking connections by user agent is simple enough, but some entities cloak their connections. I shouldn’t have to mention China, Russia and Ukraine, but they do it a lot.

I prefer blocking IP address ranges at the web server. I’ve screwed up the firewall (iptables) more times than I can remember.

Share: Facebook | Twitter

By RT Cunningham
April 11, 2017