[9.192][ANSWERED] Anti Portscan / Portscan Detection broken

Seems, that the portscan detection is - at least partly - broken. My usual "ShieldsUp" portscan after every firmware update from www.grc.com shows the open ports - in my case 25 and 465 (SMTP/S) in the scan. Interestingly the web application firewall listening on 443 and my DNAT'ed public DNS on port 53 on the same scanned public IP wasn't discovered by the scan.

That's, why I assume the anti-portscan feature at least in case for the smtp proxy ports broken.

There are also no portscan log entries in the ips.log...

0 Tinkerbell over 11 years ago

Hi Sascha,

Hmm i was trying to reproduce your issue but without success.
Used 2 ways of testing:

-> Shield Up from grc.com -> Outoput shows all ports are blocked. ips.log below with SMTP port 25 being blocked:

2014:01:29-16:54:28 bpo-asg-01 ulogd[30335]: id="2102" severity="info" sys="SecureNet" sub="ips" name="portscan detected" action="portscan" fwrule="60017" initf="ppp0" srcip="4.79.142.206" dstip="92.198.19.***" proto="6" length="44" tos="0x00" prec="0x00" ttl="226" srcport="46858" dstport="25" tcpflags="SYN"

->nmap -sS -P0 -F -T5 --top-ports 65535 92.198.19.***

Must add, that portscan detection for ipv6 is not working (#29800). Are you using IPv6? Can you also use nmap and check the output?
Weird thing is the ips.log, really shows nothing? If thats the case will need ure machine to check [:D]
Thanks. Best,
Bianca
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel