This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Portscan problem

Hello everyone,

since I've had a big problem with attacs from different schools in China, I looked up all the address space that APNIC is handling and made a network group with all these networks in it. I have also made a packet filter rule on the second place of the list which drops all the traffic with logging from these addresses.

Now I still get portscan messages and the source is an address in one of those ip ranges. To be more specific. I get portscan messages from 61.139.105.163 and I double checked my entry which is 60.0.0.0/7 and that should include the ip address above.

Does anyone have ideas? Is the portscan check made before the packet filter??

This thread was automatically locked due to age.

0 pattont over 16 years ago

I keep getting dropped packets from these IPs:

61.160.216.187
88.251.81.160

Both in china...
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 16 years ago

IPS comes after PacketFilter (to reduce noise).
I'm not so sure about the PortScan checker... I think it's also after PF.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 16 years ago in reply to BarryG

I think the portscan detection must be happening before Packet filtering, etc... even with explicit block rules that block source IPs from attackers (mostly in china, a few in russia), the portscan detection is still triggered by the blocked source IPs. Mostly just annoying, I do see the block rule in iptables.
Cancel
Vote Up 0 Vote Down

Cancel