cubber
just joined
Topic Author
Posts: 5
Joined: Wed Oct 24, 2018 12:51 pm

Port Scan Drop ?

Wed Oct 24, 2018 1:08 pm

Hello,

I made transactions through wiki: https://wiki.mikrotik.com/wiki/Drop_port_scanners

I did everything, but the rules didn't work.

http://prntscr.com/l9tn0j

I wonder where I'm making a mistake?
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: Port Scan Drop ?

Wed Oct 24, 2018 1:43 pm

Best practice says you should drop all unknown input, there's no need to make rules specifically for port scanners.
 
ivicask
Member
Posts: 425
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Port Scan Drop ?

Wed Oct 24, 2018 3:01 pm

> Best practice says you should drop all unknown input, there's no need to make rules specifically for port scanners.

Yea, but then an attacker can scan for ports and, for example, find my non-standard RDP port and then do further attacks on it; this way he gets an IP block for port scan attempts and he doesn't find my open ports at all.

So "best practice" isn't actually the best or most safe practice in case you can't add something like whitelisted IP addresses to only access, for example, your RDP port.
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: Port Scan Drop ?

Wed Oct 24, 2018 3:42 pm

Port scan does not use established connections. If you're using a detect-and-block script, then the attacker can just scan you with the fake IP of Google, Facebook, a DNS server, etc., and suddenly you've blocked important services. Relying on a hidden port for security is not good; best to use a VPN or similar for strong authentication.
 
vecernik87
Forum Veteran
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Port Scan Drop ?

Wed Oct 24, 2018 10:03 pm

An attacker can't use a spoofed IP for scanning because such results wouldn't make it back to him (unless he is your ISP and all your traffic passes through him).
A spoofed IP is used mostly for (D)DoS attacks where you don't care about the response, or where you want the response to be sent to someone else on purpose.
In addition, the drop rule for blacklisted IPs is AFTER "accept established/related", so even if someone uses a spoofed IP, it will not affect any connection which originates from your side.

However, I agree that relying on a "hidden" port is not good. Especially protocols like RDP should never be accessible from the outside world. VPN is the way.
 
ivicask
Member
Posts: 425
Joined: Tue Jul 07, 2015 2:40 pm
Location: Croatia, Zagreb

Re: Port Scan Drop ?

Thu Oct 25, 2018 10:06 am

> An attacker can't use a spoofed IP for scanning because such results wouldn't make it back to him (unless he is your ISP and all your traffic passes through him).
> A spoofed IP is used mostly for (D)DoS attacks where you don't care about the response, or where you want the response to be sent to someone else on purpose.
> In addition, the drop rule for blacklisted IPs is AFTER "accept established/related", so even if someone uses a spoofed IP, it will not affect any connection which originates from your side.
>
> However, I agree that relying on a "hidden" port is not good. Especially protocols like RDP should never be accessible from the outside world. VPN is the way.

Explain to me how I can use a VPN when "stupid" Apple decided to block VPN over its hotspot on iPhones, which a lot of my customers use, not to mention that a lot of hotels and public spots my users sometimes use also block VPN.
 
vecernik87
Forum Veteran
Forum Veteran
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: Port Scan Drop ?

Thu Oct 25, 2018 11:14 am

That is quite unfortunate, but I merely stated the fact. Being limited by "stupid" devices does not change the reality of increased risk due to exposed (and possibly insecure) services.

btw: Personally, on several connections I use tarpit for TCP and then drop for everything else. With tarpit, it is much harder for port scanners to detect if a port is open or closed, because all ports look open to everyone. The disadvantage is that evil bots are now trying to hack me with brute force on ports which are tarpitted, and it actually consumes a significant amount of data.
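The input chain the thread converges on, written out as RouterOS firewall rules: established/related traffic accepted first (vecernik87's point that the blacklist drop then cannot touch connections you opened yourself), scanners detected and listed, listed sources dropped, everything else arriving on the WAN dropped (R1CH's "drop all unknown input"), with vecernik87's tarpit as an optional final TCP rule. This is an added example, not configuration from the thread, the linked wiki page, or MikroTik; the interface list name WAN with ether1 as its member, the address list name "port scanners", the L2TP/IPsec VPN ports and the psd thresholds are assumptions to adapt.

```routeros
# Added example, not the thread's or the wiki's rule set. Assumed: ether1 is the
# uplink, the only service exposed to the Internet is an L2TP/IPsec VPN, and the
# psd thresholds below suit your link.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1

/ip firewall filter
# 1. Connections you initiated (or that were already accepted) match here and never
#    reach rule 3, so a scan forged with a third party's source address cannot cut
#    off the replies that third party sends you.
add chain=input action=accept connection-state=established,related \
    comment="accept established/related"
add chain=input action=drop connection-state=invalid comment="drop invalid"

# 2. Detect port scans. psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight:
#    a source that accumulates weight 21 within 3 s (3 per port below 1024, 1 per port
#    above) is listed for two weeks. add-src-to-address-list does not stop rule
#    processing, so the same packet still reaches the rules below.
add chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 \
    in-interface-list=WAN address-list="port scanners" address-list-timeout=2w \
    comment="list port scanners"

# 3. Listed sources lose access to every service below, including the VPN ports.
add chain=input action=drop src-address-list="port scanners" in-interface-list=WAN \
    comment="drop new connections from listed scanners"

# 4. The only services deliberately reachable from the WAN. Per the thread: expose a
#    VPN, not RDP, and reach RDP through the VPN.
add chain=input action=accept protocol=udp dst-port=500,4500,1701 \
    in-interface-list=WAN comment="L2TP/IPsec VPN"
add chain=input action=accept protocol=ipsec-esp in-interface-list=WAN \
    comment="IPsec ESP"

# 5a. Optional (vecernik87's setup, disabled here): answer every other TCP port with
#     SYN/ACK and hold the connection, so a scanner cannot tell open from closed.
#     Enable it to switch from dropping to tarpitting; expect bots to keep hammering it.
add chain=input action=tarpit protocol=tcp in-interface-list=WAN disabled=yes \
    comment="tarpit unsolicited TCP instead of dropping it"

# 5b. Default: drop all other unsolicited WAN input (R1CH's best practice).
add chain=input action=drop in-interface-list=WAN comment="drop all other WAN input"
```

Two checks worth running after loading this: `/ip firewall address-list print where list="port scanners"` shows who has been listed, and `/ip firewall filter print stats` shows per-rule packet and byte counters, which is where the data cost vecernik87 mentions becomes visible once the tarpit rule is enabled. Note that the input chain only covers traffic addressed to the router itself; if you dst-nat a port through to a server behind it, the psd and address-list rules need a counterpart in the forward chain.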
