Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Port scan Detection XG18

Hello, 

While looking for a way to enable port scan detection on my XG18, all I can find is articles from years ago on how to configure it on the UTM. Are their any recent articles detailing how to be notified of this sort of scanning? You would think it wouldn't be this difficult to set up alerts for this sort of red flag! 



This thread was automatically locked due to age.
  • As i know, there is no PortScanDetection at Sophos (XG) Firewall until now.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi,

     think that might be achieved with the DDOS settings (IPS). There are other issues if you enable DDOS settings though.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Are you talking about the WAN port of the appliance? There is no direct port scan detection, but this recent posting might be helpful. Basically you can look at the Firewall log (on-device, in Sophos Central, or output to your own log server) for Appliance Access refusals.

    It might also be possible to request these log entries via the API, but I've not used the API before.

    If you're talking about port scanning on your internal network, I don't have a solution. I do have a guest network and a work-from-home network and I've set both to isolate each device from the other, and I know that broadcasts on those networks show up as Appliance Access rejection messages in the Firewall log, similar to WAN accesses.

  • I took a look and although a good tool, it's not what I'm looking for. Thank you very much for spending your time to look for a solution though.

  • You're welcome. I don't think you'll find such a tool that actually works because "port scanning" is ill-defined. That is, a port scanning tool need not hit lots of ports, nor hit them rapidly -- the typical "port scan". In fact, you could do a distributed port scan, testing one port a day from each machine and only testing a limited subset of ports with known vulnerabilities. Not sure that an automated tool would detect that.

  • According to this article, they have it on the UTM. Sophos UTM: What is portscan detection?

    Why would they discontinue it or not integrate into the XG18??

  • Right, but would it actually do what you want it to do? Like I said, there's brute force port scanning -- hit all the ports in rapid succession from a single machine -- and then there are much more subtle methods. Does their tool detect all of them? I honestly don't know, but I'm skeptical. The logs can tell you what IPs hit whatever WAN ports you want to look at.

    For example, I recently compiled this list of WAN ports that had been hit in the last month on my XGS:

    Protocol  Dest Port Service       Hits
    TCP       23        Telnet        7127
    TCP       65002     Game          3264
    TCP       8080      HTTP          3260
    ICMP      -         -             3235
    TCP       22        SSH           3231
    TCP       65004     Game          2843
    GRE (47))  -        -             2701
    UDP       5060      SIP           1769
    UDP       67        BOOTP         1727
    TCP       2375      Docker REST   1683
    TCP       2376      Docker REST   1561
    TCP       3389      RDP           1267
    TCP       81        Tor           1239
    TCP       5555      ?             1186
    UDP       123       NTP           1076
    TCP       445       SMB and AD    1042
    UDP       53        DNS            844
    TCP       10443     ?              770
    UDP       389       LDAP           724
    UDP       16393     RTP            700
    TCP       4200      ?              628
    TCP       3128      Squid          620
    TCP       8545      ?              577
    TCP       8081      ?              497
    TCP       1433      MSSQL          489
    TCP       6379      Redis          469
    UDP       137       NetBIOS        451
    UDP       1900      uPnP           450
    TCP       5038      ?              438
    TCP       9000      Lots-o-stuff   416
    TCP       5900      VNC            415
    TCP       9200      ElasticSearch  401
    TCP       8888      Jupyter etc    395
    UDP       161       SNMP           387
    TCP       60001     Mosh (SSH)     371
    TCP       11211     memcached      358
    TCP       2323      ?              350
    TCP       4243      Docker         329
    TCP       4244      Viber          323
    TCP       2377      Docker Swarm   322
    TCP       21        FTP            311

  • Note their rule, which would detect a naive user using a port scan tool with default settings, but not more sophisticated scans. I'd guess they didn't include it because it's simplistic and could give a false sense of security.

    A portscan is detected when a detection score of 21 points in a time range of 300 ms for one individual source IP address is exceeded. The calculation of the detection score is as follows:
     

    • Scan of a TCP destination port less than 1024: 3 points
    • Scan of a TCP destination port greater or equal 1024: 1 point
    • Scan of ports 11, 12, 13, 2000: 10 points
  • Yeah 21 points in a time range of 300 ms is a rapid scan that pro wouldn't do lol