Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 15 replies
  • Answers 2 answers
  • Subscribers 43 subscribers
  • Views 6445 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Port scan Detection XG18

Anthony Anderson

Hello, 

While looking for a way to enable port scan detection on my XG18, all I can find is articles from years ago on how to configure it on the UTM. Are their any recent articles detailing how to be notified of this sort of scanning? You would think it wouldn't be this difficult to set up alerts for this sort of red flag! 



This thread was automatically locked due to age.
Parents
  • 0

    Are you talking about the WAN port of the appliance? There is no direct port scan detection, but this recent posting might be helpful. Basically you can look at the Firewall log (on-device, in Sophos Central, or output to your own log server) for Appliance Access refusals.

    It might also be possible to request these log entries via the API, but I've not used the API before.

    If you're talking about port scanning on your internal network, I don't have a solution. I do have a guest network and a work-from-home network and I've set both to isolate each device from the other, and I know that broadcasts on those networks show up as Appliance Access rejection messages in the Firewall log, similar to WAN accesses.

  • 0 in reply to Wayne Folta

    I took a look and although a good tool, it's not what I'm looking for. Thank you very much for spending your time to look for a solution though.

  • 0 in reply to Anthony Anderson

    You're welcome. I don't think you'll find such a tool that actually works because "port scanning" is ill-defined. That is, a port scanning tool need not hit lots of ports, nor hit them rapidly -- the typical "port scan". In fact, you could do a distributed port scan, testing one port a day from each machine and only testing a limited subset of ports with known vulnerabilities. Not sure that an automated tool would detect that.

  • 0 in reply to Wayne Folta

    According to this article, they have it on the UTM. Sophos UTM: What is portscan detection?

    Why would they discontinue it or not integrate into the XG18??

  • 0 in reply to Anthony Anderson

    Right, but would it actually do what you want it to do? Like I said, there's brute force port scanning -- hit all the ports in rapid succession from a single machine -- and then there are much more subtle methods. Does their tool detect all of them? I honestly don't know, but I'm skeptical. The logs can tell you what IPs hit whatever WAN ports you want to look at.

    For example, I recently compiled this list of WAN ports that had been hit in the last month on my XGS:

    Protocol  Dest Port Service       Hits
TCP       23        Telnet        7127
TCP       65002     Game          3264
TCP       8080      HTTP          3260
ICMP      -         -             3235
TCP       22        SSH           3231
TCP       65004     Game          2843
GRE (47))  -        -             2701
UDP       5060      SIP           1769
UDP       67        BOOTP         1727
TCP       2375      Docker REST   1683
TCP       2376      Docker REST   1561
TCP       3389      RDP           1267
TCP       81        Tor           1239
TCP       5555      ?             1186
UDP       123       NTP           1076
TCP       445       SMB and AD    1042
UDP       53        DNS            844
TCP       10443     ?              770
UDP       389       LDAP           724
UDP       16393     RTP            700
TCP       4200      ?              628
TCP       3128      Squid          620
TCP       8545      ?              577
TCP       8081      ?              497
TCP       1433      MSSQL          489
TCP       6379      Redis          469
UDP       137       NetBIOS        451
UDP       1900      uPnP           450
TCP       5038      ?              438
TCP       9000      Lots-o-stuff   416
TCP       5900      VNC            415
TCP       9200      ElasticSearch  401
TCP       8888      Jupyter etc    395
UDP       161       SNMP           387
TCP       60001     Mosh (SSH)     371
TCP       11211     memcached      358
TCP       2323      ?              350
TCP       4243      Docker         329
TCP       4244      Viber          323
TCP       2377      Docker Swarm   322
TCP       21        FTP            311

  • 0 in reply to Anthony Anderson

    Note their rule, which would detect a naive user using a port scan tool with default settings, but not more sophisticated scans. I'd guess they didn't include it because it's simplistic and could give a false sense of security.

    A portscan is detected when a detection score of 21 points in a time range of 300 ms for one individual source IP address is exceeded. The calculation of the detection score is as follows:
     

    • Scan of a TCP destination port less than 1024: 3 points
    • Scan of a TCP destination port greater or equal 1024: 1 point
    • Scan of ports 11, 12, 13, 2000: 10 points
Reply
  • 0 in reply to Anthony Anderson

    Note their rule, which would detect a naive user using a port scan tool with default settings, but not more sophisticated scans. I'd guess they didn't include it because it's simplistic and could give a false sense of security.

    A portscan is detected when a detection score of 21 points in a time range of 300 ms for one individual source IP address is exceeded. The calculation of the detection score is as follows:
     

    • Scan of a TCP destination port less than 1024: 3 points
    • Scan of a TCP destination port greater or equal 1024: 1 point
    • Scan of ports 11, 12, 13, 2000: 10 points
Children
Unfiltered HTML