Firewall, blocking host testing the same port many times?

I use “psd” and it works nicely, but I miss an option:
The param “WeightThreshold”: total weight of the latest TCP/UDP packets coming from the same host to be treated as a port scan sequence.

In my case many hosts are polling the same port many times, some +10000 times over 24h.

For now I just add the host to a list (with a timeout of 48h) when it tries port 22, 23, 443 or 445.

How do I find hosts polling some port, e.g. 22 or 23, three times over 60 seconds? It can be the same port all three times.
So counting every host making a SYN to a port_list will be the case.

I have two ways of doing this.

  1. Block any user who tries a port that is not open, and block all ports for 24 hours.
    http://forum.mikrotik.com/t/configuration-to-block-users-that-tries-to-access-router-on-non-open-port-s/151840/1

  2. Some service ports have a limited number of reconnects before being blocked.
    http://forum.mikrotik.com/t/ftp-bruteforce-protection/121925/2
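
The staged address-list pattern applied to the question's case (three new TCP connections to port 22 or 23 from one host), as an added example that is not from any poster in this thread. The list names `probe_stage1`, `probe_stage2` and `probe_blocked` are made up for the illustration, and each stage entry expires one minute after it is created, so the three hits can span up to about two minutes rather than a strict 60-second window.

```routeros
/ip firewall filter
# Rules are evaluated top to bottom, and add-src-to-address-list does not stop
# processing. The highest stage is therefore tested first: in the reverse
# order a single SYN would walk through every stage in one pass.

# 3rd hit: source is already in stage 2 -> block list for 48h (2d)
add chain=input protocol=tcp dst-port=22,23 connection-state=new \
    src-address-list=probe_stage2 action=add-src-to-address-list \
    address-list=probe_blocked address-list-timeout=2d \
    comment="probe: 3rd hit, block"

# 2nd hit: source is already in stage 1 -> promote to stage 2 for 1 minute
add chain=input protocol=tcp dst-port=22,23 connection-state=new \
    src-address-list=probe_stage1 action=add-src-to-address-list \
    address-list=probe_stage2 address-list-timeout=1m \
    comment="probe: 2nd hit"

# 1st hit: any new connection to the watched ports -> stage 1 for 1 minute
add chain=input protocol=tcp dst-port=22,23 connection-state=new \
    action=add-src-to-address-list \
    address-list=probe_stage1 address-list-timeout=1m \
    comment="probe: 1st hit"

# Drop everything from sources that reached the block list
add chain=input src-address-list=probe_blocked action=drop \
    comment="probe: drop blocked sources"
```

The same port counts each time, because the rules match on the source address and the port list, not on distinct ports. If the watched port is otherwise dropped, a client's SYN retransmissions also arrive as new connections and count as hits, so keep your own management addresses away from these rules.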

Who cares? There are tons of bots knocking on doors all day long, so why get concerned?
Another story if you are running a server with no encryption and are out of your league doing so behind a home router.