Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 6 subscribers
  • Views 1227 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Port Scans

Sara Sam

Hello,

Since my IP is in Germany, in the firewall country-blocking I turn Germany "From", but immediately I get a lot of port scans from different German IPs.

How can I resolve this conflict so that my exchange speed doesn't slow down and I don't get any port scans?
please guide me.

Thank you in advance.



This thread was automatically locked due to age.
  • 0

    Why do you think a port scanner is slowing your connectivity?  That's not really how they work... Are you being DDoS'd or something else enough to notice?  

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • 0 in reply to Amodin

    Hi, of course, port scanning does not slow down my connection speed. The point is that I get a lot of portscans from German IPs. To stop them, I block Germany in country-blocking and that slows down the connection speed.

  • 0 in reply to Sara Sam

    Hallo and welcome to the UTM Community!

    You're in Germany and you're blocking traffic from Germany?  No wonder you get slow responses.  I bet a look at the packetfilter log will show that most blocks are responses from IPs in Germany that are a result of requests from your IP.

    How many portscans is "a lot"?  The only thing I've done is forward the alerts to the abuse@ address of the ISP of each port scanner.  You can get that information from https://centralops.net/co/DomainDossier.aspx.  I usually include the log line from the Intrusion Prevention log like one I reported today:

    *** Please instruct your customer to cease port scanning 68.X.Y.234. ***

    Time below is CDT (UTC-0500):

    2022:09:01-00:13:27 xxxxxx ulogd[4801]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="eth1" srcmac="00:27:90:0c:94:19" dstmac="00:08:X:Y:Z:5f" srcip="3.22.60.29" dstip="68.X.Y.234" proto="6" length="52" tos="0x02" prec="0x00" ttl="104" srcport="62083" dstport="4001" tcpflags="SYN

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 0 in reply to BAlfson

    Thank you so much for the details. 

    I'll try the same method. 

Unfiltered HTML