I'm currently using the home version of Sophos XG and was wondering if there is a way to block port scans? I know that UTM has the ability for anti-portscans, but does XG have this capability as well?
In reply to Billybob:
Here is a KB about how portscan detection actually works in UTM 7 and 8: https://community.sophos.com/kb/en-us/115153 Looks like the mechanism is a little smarter than I thought. It weighs different connection attempts and then blocks the connection after a certain threshold.
A portscan is detected when a detection score of 21 points in a time range of 300 ms for one individual source IP address is exceeded. The detection score is calculated as follows:
- Scan of a TCP destination port less than 1024: 3 points
- Scan of a TCP destination port greater or equal 1024: 1 point
- Scan of ports 11, 12, 13, 2000: 10 points
Here are the portscan rules in UTM9 for example; multiple rules are combined to achieve what is mentioned in the KB article above.
gatekeeper:/home/login # iptables -L PSD_ACTION -v
Chain PSD_ACTION (1 references)
pkts bytes target prot opt in out source destination
0 0 NFLOG all -- any any anywhere anywhere limit: avg 5/sec burst 5 LOGMARK match 60017 nflog-prefix "PORTSCAN: "
0 0 DROP all -- any any anywhere anywhere
gatekeeper:/home/login # iptables -L PSD_MATCH -v
Chain PSD_MATCH (2 references)
pkts bytes target prot opt in out source destination
0 0 PSD_ACTION all -- eth1 any anywhere anywhere -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 --psd-lo-ports-weight 3 --psd-hi-ports-weight 1
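To make the scoring in the KB and the PSD_MATCH/PSD_ACTION rules concrete, here is an added example (not Sophos code and not the xt_psd module's real implementation) that replays the described logic in Python: per source IP, a sliding window of 300 ms, 3 points for TCP ports below 1024, 1 point at or above 1024, 10 points for ports 11, 12, 13 and 2000, and a "drop everything from this source" verdict once the score exceeds 21, mirroring the NFLOG-then-DROP chain. The sample connection attempts at the bottom are constructed, the 300 ms window is taken from the KB text as written, and the class and function names are the example's own.

```python
from collections import defaultdict, deque

# Parameters as stated in the KB excerpt above (assumed to match the
# --psd-weight-threshold / --psd-lo-ports-weight / --psd-hi-ports-weight
# values in the iptables rule; the 300 ms window is the KB's figure).
THRESHOLD = 21          # score must be *exceeded*, so 21 itself does not trigger
WINDOW = 0.300          # seconds
LO_PORT_WEIGHT = 3      # TCP destination port < 1024
HI_PORT_WEIGHT = 1      # TCP destination port >= 1024
SPECIAL_PORTS = {11, 12, 13, 2000}
SPECIAL_WEIGHT = 10


def port_weight(dport):
    """Points contributed by one connection attempt to a destination port."""
    if dport in SPECIAL_PORTS:
        return SPECIAL_WEIGHT
    return LO_PORT_WEIGHT if dport < 1024 else HI_PORT_WEIGHT


class PortScanDetector:
    """Approximation of the KB's weighted, per-source, time-windowed scoring."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(deque)   # src -> deque of (timestamp, weight)
        self.flagged = {}                   # src -> timestamp when first flagged

    def observe(self, t, src, dport):
        """Feed one SYN-like attempt; return 'drop' or 'accept' like PSD_ACTION would."""
        if src in self.flagged:
            return "drop"                   # already in the penalty box
        q = self.history[src]
        q.append((t, port_weight(dport)))
        # Expire attempts older than the window before scoring.
        while q and t - q[0][0] > self.window:
            q.popleft()
        score = sum(w for _, w in q)
        if score > self.threshold:
            self.flagged[src] = t           # this is where UTM would NFLOG "PORTSCAN: "
            return "drop"
        return "accept"


def run(events, **kw):
    """Replay (timestamp, src_ip, dst_port) events in time order.

    Returns (flagged_sources, per-event verdicts)."""
    det = PortScanDetector(**kw)
    verdicts = []
    for t, src, dport in sorted(events):
        verdicts.append((t, src, dport, det.observe(t, src, dport)))
    return det.flagged, verdicts


# Constructed sample traffic (not a real capture).
SAMPLE = (
    # Fast scan of 8 low ports at 10 ms spacing: 3 pts each, 24 > 21 on the 8th hit.
    [(0.010 * i, "198.51.100.7", p)
     for i, p in enumerate([21, 22, 23, 25, 53, 80, 110, 143])]
    # Slow legitimate client, one high port per second: never more than 1 pt in window.
    + [(1.0 * i, "192.0.2.15", 8000 + i) for i in range(30)]
    # Three hits on a "special" port 50 ms apart: 10 pts each, 30 > 21 on the 3rd.
    + [(5.0 + 0.05 * i, "203.0.113.9", 2000) for i in range(3)]
)

if __name__ == "__main__":
    flagged, verdicts = run(SAMPLE)
    for src, t in sorted(flagged.items()):
        print(f"PORTSCAN: {src} flagged at t={t:.3f}s")
    print("dropped packets:", sum(1 for *_, v in verdicts if v == "drop"))
```

Two things the replay shows that the prose does not: a source that lands on exactly 21 points (seven low ports inside the window) is not flagged, because the KB says the score must be exceeded, and a slow scanner that spaces probes wider than the window never accumulates a score at all, which is why a weighted threshold like this catches noisy scans but not patient ones.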
Is portscan detection planned for v17?
In reply to FormerMember:
I guess it is planned somewhere later in v17. V17 should now be ready or almost. The feature request is not even considered or planned on the ideas website.
In reply to lferrara:
Isn't this a big security vulnerability?
It is not a security vulnerability; it is one security countermeasure that is missing.
Vulnerability has a different meaning!
I was shocked too when I discovered that Anti-port scan was missing but....no update since then!
And the other strange thing is that users discovered this missing feature...even in Sophos they forgot to add it!
The feature is not considered yet. To promote this feature I would encourage you to add a vote for it to make it available in a future release.
In reply to Aditya Patel:
Hi aditya and thanks for the reply. As lferrara mentioned earlier in the thread, a feature request for such a basic feature is like requesting NAT on a router. I think there needs to be a feature request to bring all the basic UTM features into XG. Everyone will vote for it and I think it will cover most of the feature requests pending for XG
is it a big problem for security not to have anti portscan?
I think so, what do you think?
Meghan, it is another piece of the puzzle missing. The more layers you have, the safer you are. So XG is missing another piece....however, relying on one product to achieve security is absolutely wrong! A big mistake that many security admins make.
It's true, but I don't have so much experience.
What security principle do you recommend, and which software/hardware products do you use/recommend for a network with no servers, only clients?
Meghan, if you have only clients, the firewall should be turned on with no exceptions, because connections start from clients to servers and not vice versa. Close all the ports and you will be safe from external attacks. Having Windows Firewall on even on computers will prevent malware from jumping from one computer to another because ports are closed.
The story is long. Enrol a Security Architect if you need advanced security advice. Send me a PM if you need and we can arrange something!
I thought I would revive this thread, it seems to have been dormant for a while now!
I think this is a required countermeasure in the arena of security, so admins can tell if any potential probes are being performed.
Also, as a UTM user, this is essential when there is a server out on the 'wild internet'; it is invaluable for information about who is trying to interrogate your server.
I have just voted for this feature, as it is a requirement for our arsenal of tools available for these pesky .... (ooh i feel like I am on scooby doo...lol)