This article describes what portscan detection on Sophos UTM does and how to enable it. The following sections are covered:
Applies to the following Sophos products and versions: Sophos UTM
Portscans are used by attackers to probe a system for reachable services. Before intruding into a system or launching a Denial of Service (DoS) attack, an attacker needs to know which network services it runs; with that information, they can target known weaknesses in those services.
Network services that use TCP or UDP are reached through port numbers, and these assignments are generally well known, for example SMTP is assigned to TCP port 25. Ports on which a service is listening are referred to as open, because a connection to them can be established; unused ports are referred to as closed, and every attempt to connect to them fails (for TCP the host answers with a RST, for UDP usually with an ICMP port unreachable). A port from which no answer comes back at all, because a firewall silently dropped the probe, is neither, and scanners usually report it as filtered.
The attacker looks for the open ports with a dedicated tool, a port scanner. The program tries to connect to a large number of ports on the destination computer; for TCP this is typically a SYN packet, and whether a SYN/ACK or a RST comes back tells the scanner if the port is open. Every port that answers is reported as open, and the attacker then knows which network services are available on the destination computer.
Since each of TCP and UDP has 65535 usable port numbers, a scanner probes them in rapid succession. If the firewall sees an unusually large number of connection attempts to different services within a short time, especially from the same source address, it is most likely being port scanned. The portscan detection feature recognizes this when an alleged attacker scans hosts or services on your network, and as an option it can automatically block further traffic from the same source address. A portscan is detected when the detection score for one individual source IP address exceeds 21 points within a time range of 300 ms. The detection score is calculated as follows:
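The following Python script is an added example written for this article, not code from Sophos UTM or its documentation. It implements the per-source, time-windowed scoring described above and runs it over constructed traffic: a fast SYN sweep, the same sweep paced slowly, and a legitimate client retrying one port. The threshold (21 points) and the window (300 ms) are the values stated above; the per-probe weights (3 points for a privileged port below 1024, 1 point for any other port) and the rule that each destination port counts once per window are assumptions made for the illustration, because the article's own scoring table is not reproduced on this page.

```python
"""Added example (not Sophos UTM code): per-source sliding-window portscan scoring.

Values taken from the article: a source is flagged when its score exceeds
21 points within 300 ms.  ASSUMED for illustration (the article's weight table
is not on this page): 3 points per probe to a privileged port (< 1024),
1 point otherwise, and each destination port counted once per window.
"""
from collections import defaultdict, deque

SCORE_THRESHOLD = 21          # points, from the article
WINDOW_MS = 300               # time range, from the article
PRIVILEGED_PORT_MAX = 1023    # assumption: ports below 1024 weigh more


def packet_weight(dstport: int) -> int:
    """Assumed weighting: privileged ports score 3, all other ports score 1."""
    return 3 if dstport <= PRIVILEGED_PORT_MAX else 1


class PortscanDetector:
    def __init__(self, threshold: int = SCORE_THRESHOLD, window_ms: int = WINDOW_MS):
        self.threshold = threshold
        self.window_ms = window_ms
        # srcip -> deque of (timestamp_ms, dstport), oldest first
        self.events = defaultdict(deque)
        self.flagged = set()

    def observe(self, ts_ms: int, srcip: str, dstport: int) -> bool:
        """Record one connection attempt and return True if srcip now scores as a scan."""
        q = self.events[srcip]
        q.append((ts_ms, dstport))
        # Drop probes older than the window so the score is per 300 ms, not cumulative.
        while q and ts_ms - q[0][0] > self.window_ms:
            q.popleft()
        # Score distinct ports only: a client retransmitting to one port is not scanning.
        score = sum(packet_weight(p) for p in {p for _, p in q})
        if score > self.threshold:
            self.flagged.add(srcip)
            return True
        return False


def run_sample() -> dict:
    """Constructed traffic (RFC 5737 documentation addresses): a fast SYN sweep,
    the same sweep paced slowly, and a legitimate client retrying one port."""
    det = PortscanDetector()
    fast, slow, client = "192.0.2.10", "192.0.2.11", "192.0.2.20"
    ports = [21, 22, 23, 25, 53, 80, 110, 143]          # eight privileged ports
    fast_hits = [det.observe(i * 20, fast, p) for i, p in enumerate(ports)]    # 20 ms apart
    slow_hits = [det.observe(i * 100, slow, p) for i, p in enumerate(ports)]   # 100 ms apart
    client_hits = [det.observe(i * 10, client, 443) for i in range(30)]        # 30 retries to 443
    return {
        "fast_scanner_flagged": any(fast_hits),
        "fast_scanner_flagged_at_port": ports[fast_hits.index(True)] if any(fast_hits) else None,
        "slow_scanner_flagged": any(slow_hits),
        "retrying_client_flagged": any(client_hits),
        "flagged_sources": sorted(det.flagged),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

With the assumed weights, the fast sweep crosses 21 points on its eighth privileged port (7 × 3 = 21 is not yet "exceeded"), the retrying client never gets past 3 points because it only touches one port, and the slow sweep never has more than four probes inside one 300 ms window. That last case is the practical caveat: a scanner that paces its probes slower than the window is not caught by this rule alone, so a quiet IPS log does not by itself prove that nobody is enumerating your services.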
To enable portscan detection, proceed as follows:
Logs can be found in WebAdmin under Logging & Reporting > Intrusion Prevention System, and on the command line in /var/log/ips.log.
When a portscan is detected, the log shows an entry like the example below; the relevant fields are name="portscan detected", the scanning host in srcip, and the probed port in dstport:
2017:05:03-12:42:22 testutm ulogd: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" srcmac="00:1a:8c:45:52:71" dstmac="00:1a:8c:40:77:cd" srcip="184.108.40.206" dstip="220.127.116.11" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="57972" dstport="14" tcpflags="SYN"
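The Python script below is an added example for this article, not a Sophos tool: it parses the ulogd key="value" format of the entry above and summarises "portscan detected" events per source address, which is what you would do when deciding whether a source in /var/log/ips.log is a real sweep or one noisy client. The first sample line is the entry shown in the article; the other two lines are constructed for the example (one more TCP probe from the same source, and a UDP probe from a 192.0.2.0/24 documentation address) and do not come from a real appliance.

```python
"""Added example (not Sophos UTM code): parsing 'portscan detected' entries
from the ulogd key="value" format shown above and summarising them per source."""
import re
from collections import defaultdict

# The first line is the entry shown in the article; the second and third are
# CONSTRUCTED for this example (192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
2017:05:03-12:42:22 testutm ulogd: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" srcmac="00:1a:8c:45:52:71" dstmac="00:1a:8c:40:77:cd" srcip="184.108.40.206" dstip="220.127.116.11" proto="6" length="60" tos="0x00" prec="0x00" ttl="63" srcport="57972" dstport="14" tcpflags="SYN"
2017:05:03-12:42:22 testutm ulogd: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" srcip="184.108.40.206" dstip="220.127.116.11" proto="6" length="60" ttl="63" srcport="57973" dstport="15" tcpflags="SYN"
2017:05:03-12:42:25 testutm ulogd: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" srcip="192.0.2.50" dstip="220.127.116.11" proto="17" length="48" ttl="60" srcport="40000" dstport="161"
"""

# Layout of one entry: <timestamp> <hostname> <process>: key="value" key="value" ...
LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+?):\s+(?P<kv>.*)$')
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}   # IANA protocol numbers


def parse_line(line: str):
    """Return a dict of the entry's fields, or None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(PAIR_RE.findall(m.group("kv")))
    if not fields:
        return None
    fields["timestamp"] = m.group("ts")
    fields["host"] = m.group("host")
    fields["process"] = m.group("proc")
    return fields


def summarize_portscans(log_text: str) -> dict:
    """Group 'portscan detected' entries by source address: how many probes were
    logged, which destination ports and protocols were involved, and when."""
    per_source = defaultdict(lambda: {"events": 0, "dstports": set(), "protocols": set(),
                                      "first_seen": None, "last_seen": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec.get("name") != "portscan detected":
            continue
        s = per_source[rec["srcip"]]
        s["events"] += 1
        s["dstports"].add(int(rec["dstport"]))
        s["protocols"].add(PROTO_NAMES.get(rec.get("proto"), rec.get("proto")))
        s["first_seen"] = s["first_seen"] or rec["timestamp"]
        s["last_seen"] = rec["timestamp"]
    # sets -> sorted lists so the result is stable and printable
    return {src: {**s, "dstports": sorted(s["dstports"]), "protocols": sorted(s["protocols"])}
            for src, s in per_source.items()}


if __name__ == "__main__":
    for src, info in summarize_portscans(SAMPLE_LOG).items():
        print(src, info)
```

Counting distinct dstport values per srcip is the quickest way to tell a sweep (many ports, one source) from a single misbehaving client (one port, many retries) when reading the IPS log; the fwrule value, 60017 in the article's entry, identifies the rule that logged the event and is useful when correlating the entry with the firewall log.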