
Port scan Detection XG18

Hello, 

While looking for a way to enable port scan detection on my XG18, all I can find is articles from years ago on how to configure it on the UTM. Are there any recent articles detailing how to be notified of this sort of scanning? You would think it wouldn't be this difficult to set up alerts for this sort of red flag! 

  • Are you talking about the WAN port of the appliance? There is no direct port scan detection, but this recent posting might be helpful. Basically you can look at the Firewall log (on-device, in Sophos Central, or output to your own log server) for Appliance Access refusals.

    It might also be possible to request these log entries via the API, but I've not used the API before.

    If you're talking about port scanning on your internal network, I don't have a solution. I do have a guest network and a work-from-home network and I've set both to isolate each device from the other, and I know that broadcasts on those networks show up as Appliance Access rejection messages in the Firewall log, similar to WAN accesses.

  • I took a look and although a good tool, it's not what I'm looking for. Thank you very much for spending your time to look for a solution though.

  • According to this article, they have it on the UTM. Sophos UTM: What is portscan detection?

    Why would they discontinue it or not integrate it into the XG18??

  • Right, but would it actually do what you want it to do? Like I said, there's brute force port scanning -- hit all the ports in rapid succession from a single machine -- and then there are much more subtle methods. Does their tool detect all of them? I honestly don't know, but I'm skeptical. The logs can tell you what IPs hit whatever WAN ports you want to look at.

    For example, I recently compiled this list of WAN ports that had been hit in the last month on my XGS:

    Protocol  Dest Port Service       Hits
    TCP       23        Telnet        7127
    TCP       65002     Game          3264
    TCP       8080      HTTP          3260
    ICMP      -         -             3235
    TCP       22        SSH           3231
    TCP       65004     Game          2843
    GRE (47)   -        -             2701
    UDP       5060      SIP           1769
    UDP       67        BOOTP         1727
    TCP       2375      Docker REST   1683
    TCP       2376      Docker REST   1561
    TCP       3389      RDP           1267
    TCP       81        Tor           1239
    TCP       5555      ?             1186
    UDP       123       NTP           1076
    TCP       445       SMB and AD    1042
    UDP       53        DNS            844
    TCP       10443     ?              770
    UDP       389       LDAP           724
    UDP       16393     RTP            700
    TCP       4200      ?              628
    TCP       3128      Squid          620
    TCP       8545      ?              577
    TCP       8081      ?              497
    TCP       1433      MSSQL          489
    TCP       6379      Redis          469
    UDP       137       NetBIOS        451
    UDP       1900      uPnP           450
    TCP       5038      ?              438
    TCP       9000      Lots-o-stuff   416
    TCP       5900      VNC            415
    TCP       9200      ElasticSearch  401
    TCP       8888      Jupyter etc    395
    UDP       161       SNMP           387
    TCP       60001     Mosh (SSH)     371
    TCP       11211     memcached      358
    TCP       2323      ?              350
    TCP       4243      Docker         329
    TCP       4244      Viber          323
    TCP       2377      Docker Swarm   322
    TCP       21        FTP            311

  • Note their rule, which would detect a naive user using a port scan tool with default settings, but not more sophisticated scans. I'd guess they didn't include it because it's simplistic and could give a false sense of security.

    A portscan is detected when a detection score of 21 points in a time range of 300 ms for one individual source IP address is exceeded. The calculation of the detection score is as follows:

    • Scan of a TCP destination port less than 1024: 3 points
    • Scan of a TCP destination port greater or equal 1024: 1 point
    • Scan of ports 11, 12, 13, 2000: 10 points

  • Yeah, 21 points in a time range of 300 ms is a rapid scan that a pro wouldn't do lol

  • Per the instructions in the other thread, I went into the Firewall logs (on Sophos Central, because the XGS87 has no on-appliance reporting) and made a report that notes Appliance Access denials. By changing the default report to not show IP addresses, I got aggregates, above. (I looked up the port numbers in Wikipedia to come up with the Service; the report doesn't include that.)
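    An added example, not code from this thread or from Sophos, that does both things the last few posts talk about: it replays the quoted UTM scoring rule (21 points exceeded within 300 ms per source IP, 3/1/10 points per TCP destination port) over Appliance Access denial lines, and it builds the per-port hit table from the same lines. The log lines are constructed for the example in a key="value" layout loosely modelled on SFOS syslog; the field names (`timestamp`, `log_component`, `log_subtype`, `src_ip`, `protocol`, `dst_port`) and the two source addresses are assumptions, not a statement of the real log schema.

```python
"""Added example (not from this thread or from Sophos): UTM-style portscan
scoring plus a per-port denial count over constructed firewall log lines."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample lines; the key names are an assumption for this example.
# 203.0.113.5 sweeps nine TCP ports in 160 ms, 198.51.100.7 is a slow poker.
SAMPLE_LOG = """\
timestamp="2021-10-15T10:48:37.000000" log_component="Appliance Access" log_subtype="Denied" src_ip="203.0.113.5" protocol="TCP" dst_port="21"
timestamp="2021-10-15T10:48:37.020000" log_component="Appliance Access" log_subtype="Denied" src_ip="203.0.113.5" protocol="TCP" dst_port="22"
timestamp="2021-10-15T10:48:37.040000" log_component="Appliance Access" log_subtype="Denied" src_ip="203.0.113.5" protocol="TCP" dst_port="23"
timestamp="2021-10-15T10:48:37.060000" log_component="Appliance Access" log_subtype="Denied" src_ip="203.0.113.5" protocol="TCP" dst_port="25"
timestamp="2021-10-15T10:48:37.080000" log_component="Appliance Access" log_subtype="Denied" src_ip="203.0.113.5" protocol="TCP" dst_port="80"
timestamp="2021-10-15T10:48:37.100000" log_component="Appliance Access" log_subtype="Denied" src_ip="203.0.113.5" protocol="TCP" dst_port="443"
timestamp="2021-10-15T10:48:37.120000" log_component="Appliance Access" log_subtype="Denied" src_ip="203.0.113.5" protocol="TCP" dst_port="445"
timestamp="2021-10-15T10:48:37.140000" log_component="Appliance Access" log_subtype="Denied" src_ip="203.0.113.5" protocol="TCP" dst_port="3389"
timestamp="2021-10-15T10:48:37.160000" log_component="Appliance Access" log_subtype="Denied" src_ip="203.0.113.5" protocol="TCP" dst_port="8080"
timestamp="2021-10-15T10:48:40.000000" log_component="Appliance Access" log_subtype="Denied" src_ip="198.51.100.7" protocol="TCP" dst_port="23"
timestamp="2021-10-15T10:48:41.000000" log_component="Appliance Access" log_subtype="Denied" src_ip="198.51.100.7" protocol="TCP" dst_port="23"
timestamp="2021-10-15T10:48:42.000000" log_component="Appliance Access" log_subtype="Denied" src_ip="198.51.100.7" protocol="TCP" dst_port="2375"
timestamp="2021-10-15T10:48:43.000000" log_component="Appliance Access" log_subtype="Denied" src_ip="198.51.100.7" protocol="UDP" dst_port="5060"
timestamp="2021-10-15T10:48:44.000000" log_component="Appliance Access" log_subtype="Denied" src_ip="198.51.100.7" protocol="ICMP"
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

KV_RE = re.compile(r'(\w+)="([^"]*)"')
SPECIAL_PORTS = {11, 12, 13, 2000}  # the 10-point ports in the quoted rule
THRESHOLD = 21                      # score must be exceeded, i.e. > 21
WINDOW_MS = 300


def parse_line(line):
    """Turn one key="value" line into a dict; ts is a datetime, dst_port an int or None."""
    fields = dict(KV_RE.findall(line))
    fields["ts"] = datetime.fromisoformat(fields["timestamp"])
    port = fields.get("dst_port")
    fields["dst_port"] = int(port) if port else None
    return fields


def is_denial(fields):
    """Only Appliance Access refusals count, as the report in the thread does."""
    return (fields.get("log_component") == "Appliance Access"
            and fields.get("log_subtype") == "Denied")


def port_score(port):
    """Points for one scanned TCP destination port, per the quoted UTM rule."""
    if port in SPECIAL_PORTS:
        return 10
    return 3 if port < 1024 else 1


def detect_portscans(lines):
    """Return {src_ip: peak score} for sources whose score in any 300 ms window exceeds 21."""
    per_src = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        # The quoted rule scores TCP destination ports only; UDP/ICMP are ignored here.
        if not is_denial(f) or f.get("protocol") != "TCP" or f["dst_port"] is None:
            continue
        per_src[f["src_ip"]].append((f["ts"], port_score(f["dst_port"])))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        window, score, peak = deque(), 0, 0
        for ts, pts in events:          # sliding 300 ms window over this source's hits
            window.append((ts, pts))
            score += pts
            while (ts - window[0][0]).total_seconds() * 1000 > WINDOW_MS:
                score -= window.popleft()[1]
            peak = max(peak, score)
        if peak > THRESHOLD:
            flagged[src] = peak
    return flagged


def port_hit_table(lines):
    """Count denials per (protocol, dst_port), most-hit first, like the list above."""
    counts = Counter()
    for line in lines:
        f = parse_line(line)
        if is_denial(f):
            counts[(f.get("protocol"), f["dst_port"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    print("flagged by UTM-style rule:", detect_portscans(SAMPLE_LINES))
    print("Protocol  Dest Port  Hits")
    for (proto, port), hits in port_hit_table(SAMPLE_LINES):
        print(f"{proto:<9} {port if port is not None else '-':<10} {hits}")
```

    The fast sweep scores 3+3+3+3+3+3+3+1+1 = 23 inside one window and is flagged; the slow host never gets past 3, which is the point made a few posts up about how easy the rule is to stay under. Swap `SAMPLE_LINES` for lines exported from the firewall log (after mapping the real field names) to run it on real data.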

  • If you are a Sophos Endpoint XDR Customer, you can do this with Live Discovery as well: https://community.sophos.com/intercept-x-endpoint/i/network/port-scan-detection-using-sophos-firewall-data-in-the-data-lake

    This will give you a good overview of all "scans" in your network or from WAN.

    You can configure your own threshold (when should it be considered a scan?).

    BTW: Looking at such port scan features, they are actually useless from my point of view. Look how Shodan does it. They actually have an entire network of clients, scanning all the time. They will not be visible on any port scan tool if it is not configured "highly aggressive", which leads to false positives.

    And in the end, what are you gonna do about it? It's like looking at the street: if some car drives around your house all the time, looking at your house, what are you gonna do? Attackers do not scan from their devices; they use jump hosts, botnets etc.


  • Agreed. WAN port scanning will come from many IP addresses from a distributed attack so it won't appear to be port scanning, and any attack will come from yet another IP address. Internal port scans might be a different matter, since they wouldn't have as many hosts to work with. (And might just be one of your users who has admin access trying out netcat.)

    I'm actually fairly proud of my list, above. I think it shows the priorities of the "scan everyone" crowd fairly clearly. Obviously, a particular group of hackers or someone targeting you as an individual may have very different priorities and would try to exploit things that these "script kiddies" don't know about. But it's still interesting to look from an innocuous host tied to a residential-oriented ISP and see what's out there.

    Telnet being the favored target, then Steam games, then the main alternative HTTP port. (The latter could be someone setting up their own service or could be what various tools with web-based GUIs default to.) I was surprised to see such a focus on Docker, but that could be because it's very popular and new adopters may not secure it network-wise. Of course, Sophos has a much better list somewhere, but it's fun to make my own.

  • I also found a port scanning machine while I was looking: 92.63.196.228 (ripe.net?):

    ; <<>> DiG 9.10.6 <<>> @8.8.8.8 -x 92.63.196.228
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52746
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;228.196.63.92.in-addr.arpa.	IN	PTR
    
    ;; AUTHORITY SECTION:
    92.in-addr.arpa.	1776	IN	SOA	pri.authdns.ripe.net. dns.ripe.net. 1634303933 3600 600 864000 3600
    
    ;; Query time: 41 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Fri Oct 15 10:48:37 EDT 2021
    ;; MSG SIZE  rcvd: 115
    

    Has had 20K hits on my XGS in the last week, only one port was hit twice, all the rest were hit just once.
