
Sophos XG SFOS 16.01 - Anti-Portscan?

Greetings all,

I'm currently using the home version of Sophos XG and was wondering if there is a way to block port scans? I know that UTM has the ability for anti-portscans, but does XG have this capability as well?


Thanks.

Mike



  • Hi Luk,

    After a bit of research, I have discovered the IP Flood option inside IPS > DoS Attack. I think it is related to the Anti Port Scan feature, but we don't find any way to configure any value or even an option to simply enable or disable it. I have initiated a request to the developers to find out about the use of this feature and how to enable and configure it. Also, is it associated with the Anti Port Scan feature, as I think?

    Why? Because, according to the UTM 9 help doc, port scan is something that is detected and countered on the basis of the source address: "Portscans from the same source address can be blocked automatically. Please note that the portscan detection is limited to Internet interfaces, i.e. interfaces with a default gateway.

    Technically speaking, a portscan is detected when a detection score of 21 points in a time range of 300 ms for one individual source IP address is exceeded."

    Awaiting response from the developers.

  • Hi Sachin Gurung!

    Do you have any update?

    Thanks

    Alexander

  • Hi Alexander,

    Thanks for bringing this up. I have reinitiated a conversation internally, will get back to you shortly.

    Thanks

  • Do you have any update on this question?

    This is very important.

    Thanks

  • Anti Port Scan is not available in the XG firewall. After a long discussion with the Dev. Team, SFOS supports packet based DoS protection. We are enhancing it further to do connection based DoS protection. Please raise it as a feature request on Sophos Ideas and cast your votes. I have personally initiated a request internally.

    Thank you

  • Unbelievable!

    XG does not have an anti-port scan feature. Guys, it is an NGFW.

    http://ideas.sophos.com/forums/330219-xg-firewall/suggestions/19243372-anti-portscan

    Vote please!

  • This is what is so frustrating about XG. They work on items that look good on paper but basic items that you would expect from NGFW are missing.

    It's really irritating when Astaro has been doing this stuff for years and yet Sophos completely ignores even trying to bring basic UTM 9 functions to XG.

  • Here is a KB about how portscan actually works in UTM 7 and 8: https://community.sophos.com/kb/en-us/115153 Looks like the mechanism is a little smarter than I thought. It weighs different connection attempts and then blocks the connection after a certain threshold.

    A portscan is detected when a detection score of 21 points in a time range of 300 ms for one individual source IP address is exceeded. The detection score is calculated as follows:
    Scan of a TCP destination port less than 1024: 3 points
    Scan of a TCP destination port greater than or equal to 1024: 1 point
    Scan of ports 11, 12, 13, 2000: 10 points

    Here are the portscan rules in UTM9 for example but multiple rules are combined to achieve what is mentioned in the KB article above.

    gatekeeper:/home/login # iptables -L PSD_ACTION -v
    Chain PSD_ACTION (1 references)
    pkts bytes target prot opt in out source destination
    0 0 NFLOG all -- any any anywhere anywhere limit: avg 5/sec burst 5 LOGMARK match 60017 nflog-prefix "PORTSCAN: "
    0 0 DROP all -- any any anywhere anywhere

    gatekeeper:/home/login # iptables -L PSD_MATCH -v
    Chain PSD_MATCH (2 references)
    pkts bytes target prot opt in out source destination
    0 0 PSD_ACTION all -- eth1 any anywhere anywhere -m psd --psd-weight-threshold 21 --psd-delay-threshold 300 --psd-lo-ports-weight 3 --psd-hi-ports-weight 1
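    To make the scoring in that KB concrete, here is a small Python model of the same weighted, per-source detection (an added example written for this thread, not Sophos or xt_psd code). It assumes the weights and the 21-point / 300 ms window quoted above, counts each destination port once per window the way the psd match does, and runs over constructed sample connection attempts:

```python
from collections import defaultdict, deque

# Weights as quoted from the UTM KB in the thread above.
SPECIAL_PORTS = {11, 12, 13, 2000}   # 10 points each
WEIGHT_THRESHOLD = 21                # --psd-weight-threshold 21
WINDOW_MS = 300                      # time range as stated in the thread

def port_weight(port):
    """Score a single TCP destination port the way the KB describes."""
    if port in SPECIAL_PORTS:
        return 10
    return 3 if port < 1024 else 1   # lo-ports-weight 3, hi-ports-weight 1

class PortscanDetector:
    """Track weighted distinct-port attempts per source inside a sliding window."""
    def __init__(self, threshold=WEIGHT_THRESHOLD, window_ms=WINDOW_MS):
        self.threshold = threshold
        self.window_ms = window_ms
        self.events = defaultdict(deque)   # src -> deque of (ts_ms, dport)
        self.blocked = set()               # sources already flagged

    def observe(self, ts_ms, src, dport):
        """Record one attempt; return True once src has exceeded the threshold."""
        if src in self.blocked:
            return True
        q = self.events[src]
        while q and ts_ms - q[0][0] > self.window_ms:   # expire old attempts
            q.popleft()
        if any(p == dport for _, p in q):  # a repeated port adds no weight
            return False
        q.append((ts_ms, dport))
        score = sum(port_weight(p) for _, p in q)
        if score > self.threshold:         # "21 points ... is exceeded"
            self.blocked.add(src)
            q.clear()
            return True
        return False

# Constructed sample traffic: (timestamp ms, source IP, destination port).
# 203.0.113.5 sweeps eight low ports in 280 ms; 198.51.100.9 is a normal client.
SAMPLE_ATTEMPTS = [
    (0, "203.0.113.5", 22), (40, "203.0.113.5", 80), (80, "203.0.113.5", 443),
    (120, "203.0.113.5", 21), (160, "203.0.113.5", 25), (200, "203.0.113.5", 110),
    (240, "203.0.113.5", 143), (280, "203.0.113.5", 993),
    (0, "198.51.100.9", 443), (1000, "198.51.100.9", 443), (2000, "198.51.100.9", 8443),
]

def flagged_sources(attempts, **kw):
    """Replay attempts in time order and return the set of sources that trip the detector."""
    det = PortscanDetector(**kw)
    return {src for ts, src, port in sorted(attempts) if det.observe(ts, src, port)}
```

    The scanning source reaches 24 points on its eighth port and is flagged, while the slow client never accumulates more than 3 points inside any 300 ms window.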

  • Is portscan detection planned for v17?

  • I guess it is planned somewhere later than v17. V17 should now be ready, or almost. The feature request is not even considered or planned on the Ideas website.

    :-(