How to Avoid a Port Scan Attack with PortScanDetector

Every day we are at the mercy of individuals or machines that want to access our information or our computers, or that simply want to track our steps on the Internet. That is why we must always keep in mind the technological risks to which we are exposed. One of the most common threats we face today is the port scan attack, so it is worth learning to protect ourselves from it. This can be done easily thanks to a script called PortScanDetector.

What is the port scan attack?

The port scan attack (portscan) is the process in which the ports of a machine connected to the network are automatically analyzed in order to verify which ports are open, closed or protected by a security mechanism. The result of this analysis gives intruders information such as the composition of our architecture, the operating system of our computers and the possible security holes that attackers will later exploit.

It is important to note that network administrators also use port scanning in order to create maps of vulnerabilities that must then be corrected. Among the many tools for port scanning, the highlights are arp-scan, Nmap and Angry IP Scanner.

In the past, a couple of very interesting articles were written that help us protect ourselves from the port scan attack: "Steps to secure our VPS" and "Security tips for your Linux (Server)", both of which give practical advice for securing our servers. This time we want to show how to carry out these processes in a more automatic way.

What is PortScanDetector?

It is an open source script, developed in Python by Jacob Rickerd, that detects port scanning on Linux. The script adds rules to our iptables or firewalld configuration that log the TCP packets being transmitted, and it automatically blocks the source in those cases where more than 10 ports have been queried. In this simple way we ensure that no one tries to scan all our ports.
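The detection idea described above, as an added example in Python 3 (it is not PortScanDetector's own code): it counts the distinct TCP destination ports each source address has touched in firewall log lines and flags sources above the article's threshold of 10. The log lines follow the field layout of the iptables LOG target; the `PORTSCAN:` prefix, the function names and the sample addresses are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict

PORT_THRESHOLD = 10  # the article's limit: act once more than 10 ports were queried
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")  # iptables LOG key=value fields

def parse_line(line):
    """Return (source_ip, dest_port) for a logged TCP packet, else None."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP":  # only TCP is counted, as the article describes
        return None
    try:
        return fields["SRC"], int(fields["DPT"])
    except (KeyError, ValueError):  # truncated or malformed line
        return None

def find_scanners(lines, threshold=PORT_THRESHOLD):
    """Map each source that hit more than `threshold` distinct ports to those ports."""
    ports_by_src = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ports_by_src[parsed[0]].add(parsed[1])
    return {s: sorted(p) for s, p in ports_by_src.items() if len(p) > threshold}

def block_commands(scanners):
    """Build (but do not run) one iptables DROP rule per flagged source."""
    return [["iptables", "-I", "INPUT", "-s", src, "-j", "DROP"]
            for src in sorted(scanners)]

def _log(src, dport, proto="TCP"):
    """Constructed log line in iptables LOG layout (hypothetical PORTSCAN: prefix)."""
    return ("Jan 10 12:00:01 host kernel: PORTSCAN: IN=eth0 OUT= "
            f"SRC={src} DST=192.0.2.10 LEN=44 TTL=54 PROTO={proto} "
            f"SPT=40000 DPT={dport} SYN")

# Constructed sample traffic (documentation address ranges)
SAMPLE_LOG = (
    [_log("203.0.113.5", p) for p in range(20, 32)]            # 12 ports: flagged
    + [_log("198.51.100.7", 443) for _ in range(30)]           # busy client, 1 port
    + [_log("198.51.100.9", p) for p in range(1, 11)]          # exactly 10: not flagged
    + [_log("198.51.100.8", p, "UDP") for p in range(1, 40)]   # UDP sweep: not counted
)

if __name__ == "__main__":
    scanners = find_scanners(SAMPLE_LOG)
    for src, ports in scanners.items():
        print(f"{src} queried {len(ports)} distinct ports: {ports}")
    for cmd in block_commands(scanners):
        print(" ".join(cmd))
```

Counting distinct ports rather than packets keeps a busy client on one port from being flagged, and the UDP sweep in the sample passes unnoticed because only TCP is inspected.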

How to use PortScanDetector?

PortScanDetector needs Python 2.7 to work. We simply have to clone the official repository of the tool and run the Python script, which will then continuously analyze the network and block all possible attacks. The commands to perform the steps mentioned above are as follows:

    git clone https://github.com/Rickerd0613/PortScanDetector.git
    cd PortScanDetector/
    sudo python scanDetector.py


  1.   Juan said

    PortScanDetector   master  sudo python scanDetector.py
    Traceback (most recent call last):
      File "scanDetector.py", line 48, in <module>
        firewalld()
      File "scanDetector.py", line 20, in firewalld
        ["firewall-cmd", "--list-all-zones"]):
      File "/usr/lib/python2.7/subprocess.py", line 566, in check_output
        process = Popen(stdout=PIPE, *popenargs, **kwargs)
      File "/usr/lib/python2.7/subprocess.py", line 710, in __init__
        errread, errwrite)
      File "/usr/lib/python2.7/subprocess.py", line 1335, in _execute_child
        raise child_exception
    OSError: [Errno 2] No such file or directory

    Any ideas?

  2.   Jorge Alvarez said

    Good afternoon, when cloning and executing it gave me these errors:
    python scanDetector.py
    Traceback (most recent call last):
      File "scanDetector.py", line 48, in <module>
        firewalld()
      File "scanDetector.py", line 20, in firewalld
        ["firewall-cmd", "--list-all-zones"]):
      File "/usr/lib/python2.7/subprocess.py", line 566, in check_output
        process = Popen(stdout=PIPE, *popenargs, **kwargs)
      File "/usr/lib/python2.7/subprocess.py", line 710, in __init__
        errread, errwrite)
      File "/usr/lib/python2.7/subprocess.py", line 1335, in _execute_child
        raise child_exception
    OSError: [Errno 2] No such file or directory

    1.    Christian Abarzua said

      You must install firewalld

  3.   Jumi said

    Hi, my error in this case is:
    File "scanDetector.py", line 12
    print "Rule not there"
    ^
    SyntaxError: Missing parentheses in call to 'print'. Did you mean print (int "Rule not there")?

    1.    Anonymous said

      Jumi, I think the error you are getting is related to the version of Python you are using. The script is based on Python 2.7 and, from what you report, it seems that you have installed Python version 3.0 (+).

    2.    Cristian Abrazua said

      First of all you have to create the rules in Firewalld - http://www.firewalld.org/documentation/ , this script only works when Firewalld is configured and running on your computer or server.

  4.   Yoan said

    A question, Lizard: once you have run the script, do the changes to the firewall (in my case firewalld) remain permanently configured? Do you know of some way to reverse it if that is the case?

  5.   ice said

    I mean, isn't it better to use iptables, read a bit, create the rules and voila?

  6.   nob1234 said

    Hi, I'm half nob but this script only takes actions in the case that the port scan is tcp, or did I miss some important part of the script code where it takes actions for a udp scan?

  7.   Jazz escobedo said

    Can it also be used for routers? For example, a mikrotik router? (I mean, that would be great; D), if you know how you can send me a message to jazz21103@gmail.com if they can pass me any resource or something.