Port scanning is a widely used technique in cybersecurity, often employed by attackers to identify open ports and vulnerabilities on a server. While system administrators may use port scanning for legitimate security assessments, it is crucial to configure firewalls to detect and block unauthorized scans without actively performing scans themselves.
One of the most effective tools for this purpose is ConfigServer Security & Firewall (CSF), a powerful firewall solution that integrates with Linux servers to provide robust security. By configuring CSF properly, administrators can prevent malicious port scans while ensuring legitimate traffic is not disrupted.
Understanding CSF’s Port Scan Protection
CSF includes a Port Scan Tracking (PS) feature that monitors incoming connections and detects repeated attempts to access closed ports. If an IP address exceeds a predefined threshold of blocked connection attempts, CSF can automatically block the offending IP for a specified duration.
The key parameters for configuring Port Scan Tracking in CSF are:
- PS_INTERVAL: Defines the time window (in seconds) during which repeated port access attempts are counted.
- PS_LIMIT: Specifies the number of blocked attempts allowed within the interval before an IP is banned.
For example, setting PS_INTERVAL to 3600 seconds (1 hour) and PS_LIMIT to 2 means that if an IP attempts to access blocked ports twice within an hour, it will be flagged and blocked.
Configuring CSF for Port Scan Protection
To optimize CSF for passive port scan protection, follow these steps:
1. Enable Port Scan Tracking
First, open the CSF configuration file:
```bash
nano /etc/csf/csf.conf
```
Locate the Port Scan Tracking section and modify the following settings (csf.conf values are conventionally quoted):
```bash
PS_INTERVAL = "3600"
PS_LIMIT = "10"
```
With these values, any IP whose connection attempts to blocked ports are dropped ten times within an hour will be flagged.
2. Define Ports to Monitor
CSF allows administrators to specify which ports should be tracked for unauthorized access. Modify the PS_PORTS setting:
```bash
PS_PORTS = "0:65535,ICMP,INVALID,OPEN,BRD"
```
This configuration ensures that all ports are monitored, including ICMP requests and invalid packets.
3. Set Blocking Behavior
Decide whether blocked IPs should be temporarily or permanently banned:
```bash
PS_PERMANENT = "0"
PS_BLOCK_TIME = "86400"
```
- Setting PS_PERMANENT = "0" ensures that bans are temporary rather than permanent.
- PS_BLOCK_TIME = "86400" means the offending IP will be blocked for one day (86400 seconds) before being allowed back.
4. Enable Logging and Alerts
To monitor port scan attempts, enable logging:
```bash
DROP_LOGGING = "1"
IPTABLES_LOG = "/var/log/csf.log"
```
Additionally, enable email alerts for detected scans:
```bash
PS_EMAIL_ALERT = "1"
```
This ensures that administrators receive notifications whenever a port scan is detected.
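The following Python script is an added illustration, not CSF's own code: it parses the PS_* keys from a constructed csf.conf fragment and replays constructed drop events to show which sources the settings above would ban and for how long. The sliding-window counting is a simplified model of lfd's bookkeeping, and the IP addresses and timestamps are made up for the example.

```python
"""Simplified model of CSF Port Scan Tracking (added example, not CSF code)."""
import re
from collections import defaultdict

# Constructed csf.conf fragment using the values from the steps above.
CSF_CONF = '''
# Port Scan Tracking
PS_INTERVAL = "3600"
PS_LIMIT = "10"
PS_PERMANENT = "0"
PS_BLOCK_TIME = "86400"
'''

def parse_csf_conf(text):
    """Return {KEY: value} for KEY = "value" lines; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z][A-Z0-9_]*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$', line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def evaluate_blocks(conf, events):
    """events: (timestamp_seconds, src_ip) pairs for packets dropped on PS_PORTS.
    A source is flagged once it accumulates PS_LIMIT drops inside a sliding
    PS_INTERVAL window (simplification of lfd's real bookkeeping).
    Returns {ip: ban_seconds}; 0 means permanent (PS_PERMANENT = "1")."""
    interval, limit = int(conf["PS_INTERVAL"]), int(conf["PS_LIMIT"])
    ban = 0 if conf.get("PS_PERMANENT", "0") == "1" else int(conf["PS_BLOCK_TIME"])
    recent = defaultdict(list)   # ip -> drop timestamps still inside the window
    blocked = {}
    for ts, ip in sorted(events):
        if ip in blocked:
            continue             # already banned; iptables drops further packets
        recent[ip] = [t for t in recent[ip] if ts - t < interval] + [ts]
        if len(recent[ip]) >= limit:
            blocked[ip] = ban
    return blocked

def run_example():
    """Three constructed sources: a fast sweep, a few stray hits, a slow probe."""
    events = [(i * 5, "198.51.100.7") for i in range(10)]       # 10 drops in 45 s
    events += [(100 * i, "203.0.113.5") for i in range(1, 4)]  # 3 drops, legit user
    events += [(i * 2400, "192.0.2.9") for i in range(10)]      # one drop every 40 min
    return evaluate_blocks(parse_csf_conf(CSF_CONF), events)

if __name__ == "__main__":
    print(run_example())   # only the fast sweep is banned, for 86400 s
```

The slow probe never accumulates ten drops inside any one-hour window, which shows why PS_INTERVAL matters as much as PS_LIMIT when tuning detection.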
Why This Configuration Works Without Actively Scanning
Unlike traditional port scanning tools that probe external networks, this CSF setup does not initiate scans. Instead, it passively monitors incoming traffic and detects suspicious behavior. This approach has several advantages:
- Prevents Unauthorized Access: Attackers attempting to scan your server will be quickly detected and blocked, reducing the risk of exploitation.
- Minimizes False Positives: Since flagging requires repeated blocked attempts within an hour (two in the earlier example, ten in the configuration above), legitimate users are unlikely to be affected.
- Reduces Server Load: Passive monitoring consumes fewer resources than active scanning, ensuring optimal performance.