After thinking about it (yes, it hurt) earlier today, I realized I only need to block port scans from the Philippines. Even though I only need to focus on the subnets my IP addresses come from, it doesn’t hurt to block them all. I don’t get a lot of port scans from the Philippines. My cron-enabled PHP script found fewer than 50 in the logs for the last two days.
I restrict my SSH and FTP servers and my Webmin control panel to the subnets I connect to. With SSH, I have to log in as a regular user using a private key and then “sudo” to become root. Root login is disabled and password login is disabled. With FTP, it’s about the same. I can’t log in as root.
Although there isn’t a way to get into any of my software servers because the user name I use isn’t publicly available, someone could get lucky. If a port scan finds the ports I moved them to, I’ll have to deal with dictionary attacks. It’s better to keep the port scanners at bay, regardless of how few they are.
I see port scans from all kinds of places when I look through the system logs, places that never view a single page on my website. None of them can connect to an open port unless it’s the web server or they’re from one of my subnets. There are only six open ports.
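As an added example (not the author’s PHP script), here is the kind of log review described above in Python: it reads iptables kernel LOG lines, counts how many distinct closed ports each source probed, flags the sources that look like scanners, and collapses them into /24 ranges that could be handed to a firewall or web server block list. The log lines and addresses are constructed for illustration, and the log format, field names and the three-port threshold are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed iptables LOG lines in the default kernel log format (not from the author's logs).
SAMPLE_LOG = """\
Mar  3 02:14:07 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40111 DPT=22 SYN
Mar  3 02:14:07 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40112 DPT=21 SYN
Mar  3 02:14:08 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40113 DPT=10000 SYN
Mar  3 02:14:08 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40114 DPT=3306 SYN
Mar  3 02:14:09 host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40115 DPT=8080 SYN
Mar  3 02:20:31 host kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.7 PROTO=TCP SPT=51000 DPT=23 SYN
Mar  3 02:20:32 host kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.7 PROTO=TCP SPT=51001 DPT=2222 SYN
Mar  3 02:20:33 host kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.7 PROTO=TCP SPT=51002 DPT=445 SYN
Mar  3 02:20:34 host kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.7 PROTO=TCP SPT=51003 DPT=3389 SYN
Mar  3 03:01:12 host kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 PROTO=TCP SPT=60000 DPT=443 SYN
"""

# Pull the source address and destination port out of a TCP LOG line.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def count_ports_per_source(log_text):
    """Map each source IP to the set of distinct destination ports it touched."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ports[m.group("src")].add(int(m.group("dpt")))
    return ports

def find_scanners(log_text, min_ports=3):
    """A source that probes at least min_ports distinct ports is treated as a scanner (assumed threshold)."""
    return sorted(src for src, p in count_ports_per_source(log_text).items()
                  if len(p) >= min_ports)

def blocking_networks(scanners, prefix=24):
    """Collapse scanner IPs into /prefix ranges, since the post blocks ranges rather than single hosts."""
    nets = {ip_network(f"{ip}/{prefix}", strict=False) for ip in scanners}
    return sorted(str(n) for n in nets)

if __name__ == "__main__":
    for net in blocking_networks(find_scanners(SAMPLE_LOG)):
        print("candidate range to block at the firewall:", net)
```

A single hit on 443 from 192.0.2.9 is ordinary web traffic and stays below the threshold, while the two hosts that walked several closed ports fold into one /24.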
Blocking IP address ranges at the web server works to keep the unwanted bots at bay, but IP address blocking at the firewall is more effective. I can block all ports instead of just the web server ports.
Blocking connections by user agent is simple enough, but some entities cloak their connections. I shouldn’t have to mention China, Russia and Ukraine, but they do it a lot.
I prefer blocking IP address ranges at the web server. I’ve screwed up the firewall (iptables) more times than I can remember.