Port Scan Drop?

Hello,

I made the transactions through the wiki: https://wiki.mikrotik.com/wiki/Drop_port_scanners

I did everything, but the rules didn't work.

http://prntscr.com/l9tn0j

I wonder where I'm making a mistake?

Best practice says you should drop all unknown input; there's no need to make rules specifically for port scanners.

Yeah, but then an attacker can scan for ports and, for example, find my non-standard RDP port and then do further attacks on it. This way he gets an IP block for the port scan attempts and doesn't find my open ports at all.

So "best practice" isn't actually the best or safest practice in case you can't add, like, whitelisted IP addresses that are the only ones allowed to access, for example, your RDP port.

Port scans do not use established connections. If you're using a detect-and-block script, then the attacker can just scan you with a fake IP of Google, Facebook, a DNS server, etc., and suddenly you've blocked important services. Relying on a hidden port for security is not good; it's best to use a VPN or similar for strong authentication.

An attacker can't use a spoofed IP for scanning because the results wouldn't make it back to him (unless he is your ISP and all your traffic passes through him).
A spoofed IP is used mostly for (D)DoS attacks, where you don't care about the response or where you want the response to be sent to someone else on purpose.
In addition, the drop rule for blacklisted IPs is AFTER "accept established/related", so even if someone uses a spoofed IP, it will not affect any connection which originates from your side.

However, I agree that relying on a "hidden" port is not good. Protocols like RDP in particular should never be accessible from the outside world. VPN is the way.

Explain to me how I can use a VPN when "stupid" Apple decided to block VPN over its hotspot on iPhones, which a lot of my customers use, not to mention that a lot of hotels and public spots my users sometimes use also block VPN.

That is quite unfortunate, but I merely stated the fact. Being limited by “stupid” devices does not change the reality of increased risk due to exposed (and possibly insecure) services.

BTW: Personally, on several connections I use tarpit for TCP and then drop for everything else. With tarpit, it is much harder for port scanners to detect if a port is open or closed, because all ports look open to everyone. The disadvantage is that evil bots are now trying to hack me with brute force on ports which are tarpitted, and it actually consumes a significant amount of data.
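As an added example (not the wiki's rule set and not any poster's configuration) of the input-chain ordering discussed in this thread: accept established/related first, then drop blacklisted sources, detect scans, tarpit the remaining TCP, and drop the rest. The address-list names, the 2-week timeout and the psd thresholds are assumed values, and the `management` list stands in for whatever trusted sources and exposed services you actually need to allow.

```routeros
# Added example of the input-chain ordering from this thread (not from the wiki or any poster).
# Assumed values: list names "port-scanners" and "management", 2w timeout, psd thresholds.
/ip firewall filter
# 1. Accept established/related first, so a spoofed or blacklisted source can never
#    break a connection that originated from our side.
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"
# 2. Drop anything already flagged as a port scanner (comes after rule 1 on purpose).
add chain=input src-address-list=port-scanners action=drop \
    comment="drop blacklisted port scanners"
# 3. Accept your own trusted sources BEFORE the tarpit/drop rules, otherwise the
#    tarpit below swallows your own management and service traffic and locks you out.
add chain=input src-address-list=management action=accept \
    comment="accept trusted sources (assumed list name)"
# 4. Flag sources whose SYN pattern matches the port-scan detector (psd); on their
#    next packet they are caught by rule 2. Only TCP is inspected here.
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
    address-list=port-scanners address-list-timeout=2w \
    comment="detect port scan, add source to list"
# 5. Tarpit whatever TCP is left: every port answers, so a scanner cannot tell
#    open from closed. Costs bandwidth on held connections, and does nothing for UDP.
add chain=input protocol=tcp action=tarpit comment="tarpit remaining TCP"
# 6. Drop everything else (UDP, ICMP, and anything not accepted above).
add chain=input action=drop comment="drop all other input"
```

Because the tarpit rule answers on every TCP port, any service you really expose must be accepted in rule 3 (or an equivalent rule above rule 5), and UDP scans are unaffected by it and simply hit the final drop.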