This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Portscans - How serious?

I have had an ASL box up and running for the last 2 weeks and for the first time today I got a notification message from ASL that I had been portscanned.

How serious is this? What is the best way to monitor/action this type of event...

The portscan some how managed to get the IP address of a machine on the "Private Network" behind the firewall - In my rules, all incomming traffic is denied access except for HTTP and FTP to a DMZ network of which is a different Private Network Address (192). How can I stop this happening?

This thread was automatically locked due to age.

0 tom_01 over 23 years ago

if the portscan CAME from an internal IP, someone there was misbehaving.

If an internal IP was scanned, it may be a false positive related to a special "kind" of traffic the machine was generating (Active FTP etc... )

/tom
Cancel
Vote Up 0 Vote Down

Cancel
0 Nathan_01 over 23 years ago in reply to tom_01

The sacn came from a 203.63.x.x address which belongs to a iPrimus which is an Australian ISP.... What settings should I be using to completley mask my IP structure behind the firewall? My current settings are as follows:

DMZ=192.168.10.x
PRI=172.16.0.x
EXT1=203.x.x.170
EXT2=203.x.x.171

The two EXT addresses are for two different webs that are hosted on the same Win2k server (IP Alias)

Rules:
From       Service      To       Action

Any        Any          EXT1     Deny
Any        Any          EXT2     Deny
PRI      Service Group  Any      Allow
DMZ        Any          Any      Allow
DMZ        Any          PRI      Deny
Any        HTTP&FTP     WEB1     Allow
Any        HTTP&FTP     WEB2     Allow
PRI        Any          DMZ      Allow

Both the DMZ and the PRIvate network are Masqueraded to the External NIC - I am using ASL 2.012

Thanks
Cancel
Vote Up 0 Vote Down

Cancel