Port Scans

Discussion in 'Network Security' started by kammodo, Jun 28, 2009.

  1. kammodo

    kammodo Nibble Poster

    Hello!
    I have implemented a Cisco 1700 series router as a part of my home network. I have had continuous port scans on my PC and I have implemented a strict ACL on the inbound WAN interface, i.e.
    10 permit tcp any any established
    20 permit udp any any
    30 deny ip any any log
    int fa0
    ip access-group Filter in
    However, this seems to have no effect on the port scans. I was sure that no TCP traffic would get through unless permitted by the allowed inside hosts. I've run virus checks and just about everything I can think of, but with no luck. I'm not sure of the exact workings of port scans, so I was wondering if anyone knew how they could bypass the inbound ACLs for all internet traffic. Having put logging on the last statement, I can see that it does block a lot of addresses, but not scans. Thanks in advance for any insight.
    PS: The scans are always TCP, not UDP.
     
    Certifications: CCNA R+S, CCDA , CCNP r+s , CCDP
    WIP: CCIE
  2. Tieken

    Tieken Bit Poster

    Did you implement the NAT on your 1700?
     
  3. kammodo

    kammodo Nibble Poster

    Yes, full connectivity from inside local to public inside global is implemented, static NAT:
    ip nat inside source static 192.168.0.2 interface e0
     
    Certifications: CCNA R+S, CCDA , CCNP r+s , CCDP
    WIP: CCIE
  4. Tieken

    Tieken Bit Poster

    Could you please show the whole config?
     
  5. kammodo

    kammodo Nibble Poster

    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname C_1700
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no aaa new-model
    !
    resource policy
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    ip cef
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.0.1
    !
    ip dhcp pool Internal_DHCP_Pool
    network 192.168.0.0 255.255.255.0
    dns-server xx.xx.xx.xx xx.xx.xx.xx
    default-router 192.168.0.1
    lease infinite
    !
    !
    no ip ips deny-action ips-interface
    !
    !
    !
    !
    !
    !
    !
    interface BRI0
    no ip address
    shutdown
    !
    interface Ethernet0
    ip address dhcp
    ip access-group Web_Filter in
    ip nat outside
    ip virtual-reassembly
    half-duplex
    !
    interface FastEthernet0
    ip address 192.168.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    speed auto
    full-duplex
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Ethernet0
    !

    ip nat inside source static 192.168.0.2 interface Ethernet0
    !
    ip access-list extended Web_Filter
    permit udp any any
    permit tcp any any established
    deny ip any any log
    !
    !
    !
    control-plane
    !

    alias exec t telnet
    !
    line con 0
    line aux 0
    line vty 0 4
    !
    end

    C_1700#
     
    Certifications: CCNA R+S, CCDA , CCNP r+s , CCDP
    WIP: CCIE
  6. Sparky

    Sparky Zettabyte Poster Moderator

    Just to confirm: are you getting the port scans on the PC, and not on the WAN interface of the router?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  7. zebulebu

    zebulebu Terabyte Poster

    ^^^This

    If you've set NAT up correctly, then your PC won't be contactable from the outside world without being specifically provided a publicly routable IP address (either through NAT or statically assigned). Try running Wireshark and see if you're 'truly' receiving inbound port scans on your PC. If you are, then something is seriously wrong. In any case, you shouldn't be running with 'just' a router connecting you to the outside world - you'll be rinsed dry. You need a firewall in there doing stateful filtering.

    If you're looking at port scans on the outside interface, then there isn't a damn thing you can do about them.
     
    Certifications: A few
    WIP: None - f*** 'em
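The thread's Web_Filter list relies on the `established` keyword, and the reply above says a stateful firewall is needed instead. The following Python model, added here and not posted by anyone in the thread, evaluates constructed inbound packets against that ACL and against a simple session-table check of the kind CBAC performs; the addresses and ports are made up (RFC 5737 documentation ranges), and the stateful check is a deliberately minimal model, not IOS code.

```python
from dataclasses import dataclass

# TCP flag bits (standard values)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0  # TCP flags; unused for udp

def is_established(p):
    """IOS 'established' is a flag test, not a session lookup: a TCP segment
    matches whenever ACK or RST is set, regardless of who opened the flow."""
    return p.proto == "tcp" and bool(p.flags & (ACK | RST))

# ip access-list extended Web_Filter, entries in configured order
WEB_FILTER = [
    ("permit", lambda p: p.proto == "udp"),  # permit udp any any
    ("permit", is_established),              # permit tcp any any established
    ("deny", lambda p: True),                # deny ip any any log
]

def acl_verdict(p, acl=WEB_FILTER):
    """First matching entry wins; the catch-all models the implicit deny."""
    return next(action for action, match in acl if match(p))

def stateful_verdict(p, sessions):
    """Minimal stateful model (what CBAC adds): inbound TCP is permitted only
    when it belongs to a flow the inside host opened. 'sessions' holds
    (inside_ip, inside_port, outside_ip, outside_port) learned from outbound
    SYNs. UDP is left permitted here to keep the contrast on TCP."""
    if p.proto == "udp":
        return "permit"
    return "permit" if (p.dst, p.dport, p.src, p.sport) in sessions else "deny"

# Constructed inbound packets arriving on Ethernet0 (addresses are made up;
# HOST stands for the router's WAN address, OUT for an internet host)
HOST, OUT = "203.0.113.5", "198.51.100.9"
REPLY = Packet("tcp", OUT, 443, HOST, 50000, SYN | ACK)  # reply to our own SYN
SYN_IN = Packet("tcp", OUT, 4444, HOST, 445, SYN)        # unsolicited new connection
STRAY_ACK = Packet("tcp", OUT, 4444, HOST, 445, ACK)     # unsolicited, ACK bit only
SESSIONS = {(HOST, 50000, OUT, 443)}  # the one HTTPS session we opened outbound

def compare(p):
    """Return (ACL verdict, stateful verdict) for one inbound packet."""
    return acl_verdict(p), stateful_verdict(p, SESSIONS)
```

The unsolicited SYN is dropped by both checks, but a segment carrying only the ACK bit passes the `established` test with no matching session, which is the gap a stateful firewall closes.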
  8. Tieken

    Tieken Bit Poster

    The config seems to be OK, so it'd be a good idea to have logs to find out exactly where the scan comes from. It would also be a good idea to add the "log" option to the access list entries for TCP/UDP packets.
     
  9. kammodo

    kammodo Nibble Poster

    The port scan warning messages are picked up by my PC's personal firewall. I have done a whois on all the addresses and they seem to originate from China... all of them. Anyhow, I have blocked them on my personal firewall, one by one; hopefully this will reduce the hits on the PC.
     
    Certifications: CCNA R+S, CCDA , CCNP r+s , CCDP
    WIP: CCIE
  10. Dexter

    Dexter Nibble Poster

    Sorry for hijacking the thread, but I just wondered if anybody actually bothered reporting port scans etc. to the ISP? Don't get me wrong, I know it's a drop in the ocean, but it's been a lingering question for a while.
     
    Certifications: A+ N+ MCDST
    WIP: LPIC-1 - HTML - MYSQL
  11. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    kammodo, the problem is with how you configured NAT. You have configured a static NAT translation:

    ip nat inside source static 192.168.0.2 interface Ethernet0

    - Essentially this will take virtually all traffic arriving on e0 and NAT it to the internal host. The internal host is very exposed; no wonder you are seeing port scans.

    You could change how NAT is done; try something like this:

    access-list 175 permit ip 192.168.0.0 0.0.0.255 any
    ip nat inside source list 175 int Ethernet0 overload

    Change access-list 175 to select which internal hosts will be NAT'ed - I just picked the /24 you have used internally.

    I would strongly recommend configuring the IOS firewall, if available; it is simple to configure. If not, proper NAT combined with suitable access-lists will do. Also, lock down access to the router - vty, http, etc. If you need further help/examples, just post.

    Spice Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  12. zebulebu

    zebulebu Terabyte Poster

    Nope - pointless waste of time. Most of the boxes that port scan you are either compromised hosts from China/Taiwan/Singapore (*insert third world country running unlicensed, unfirewalled copies of Windows here*) or part of botnets anyway - it wouldn't do any good.
     
    Certifications: A few
    WIP: None - f*** 'em
  13. kammodo

    kammodo Nibble Poster

    Quoting Spice_Weasel:
    - Essentially this will take virtually all traffic arriving on e0 and NAT it to the internal host. The internal host is very exposed; no wonder you are seeing port scans.

    Makes sense, Spice Weasel. Basically I opened up a direct route to the inside host with static NAT, but with PAT I'm isolating the inside hosts with port translations. I've applied the config and all looks good. I'll configure CBAC through SDM later along with the IPS, though my signature list is only sourced from the default list on the flash. But, checking my firewall logs... no more scans. Thx for the help.
     
    Certifications: CCNA R+S, CCDA , CCNP r+s , CCDP
    WIP: CCIE
