I seem to get an awful lot of port scans to port 500, many/most on the same IP block.
I'm certain they're doing an overall scan of the network, but I've just implemented a notification alert on the following:
via Log & Report > Email Alert Settings (300E model) so I can keep tabs if any of my users are having problems (or are the target of a brute force attack).
...so I'm most aware of the port 500 hits. However, because these garbage notifications are bloating my inbox, I've unintentionally overlooked legitimate login failures for my users.
What's the best approach to either stopping these scans from triggering an alert, or blocking the probes?
I'm fairly new to Fortinet products, so I'm not completely well-versed in the full capabilities of the firewall.
Possible approaches:
I do have Intrusion Detection running, but I haven't yet set up a rule to target this behavior, as I'm not entirely sure how the signatures and filters work.
Can anyone offer any suggestions?
Zeronet,
A DDoS policy on the WAN interface allows you to limit port scans. I've found that to be useful.
If I recall correctly, the DDoS policy is applied early in the packet flow, essentially making it one of the more efficient approaches to limiting this type of undesirable scanning.
The other advantage of the DDoS policy is that you can "quarantine" the attacker for any period of time. I use a relatively small quarantine time of 15 minutes, but that slows the attackers down enough to reduce the problem. That would also help with your management issue; essentially the quarantine just happens in the background. Once the quarantine time expires it is cleared automatically too (which may be useful for preventing your remote users from being blocked).
The downside is that a DDoS policy will take some tuning; the settings you use will depend on your environment, WAN speeds etc. But there are some good guides in the Fortinet documentation on how to do it.
Hope that is useful.
Kind Regards,
Andy.
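The DoS policy Andy describes, written out as an added FortiOS CLI example (not Andy's or Fortinet's own configuration): it watches the WAN interface for UDP and TCP port scans, blocks the offending packets, and quarantines the source for 15 minutes so the probes never reach the IKE listener or the alert pipeline. The interface name "wan1" and the thresholds are assumptions and must be tuned to your WAN speed and normal traffic mix.

```fortios
# Added example, not from the original post. Assumes the WAN interface is
# named "wan1"; the thresholds are placeholders to tune for your environment.
config firewall DoS-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            # Many UDP ports probed from one source (udp/500 sweeps land here).
            edit "udp_scan"
                set status enable
                set log enable
                set action block
                set quarantine attacker
                set quarantine-expiry 15m
                set quarantine-log enable
                set threshold 2000
            next
            # Same treatment for TCP port scans of the public address.
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set quarantine attacker
                set quarantine-expiry 15m
                set quarantine-log enable
                set threshold 1000
            next
        end
    next
end
```

Start with `set action pass` and `set log enable` for a few days, then read the anomaly logs to confirm that real VPN users never cross the thresholds before switching the action to block; the quarantine clears itself when the 15 minutes expire, so a misfire only locks a user out briefly.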
Depending on the circumstances, a local-in policy for udp/500 and udp(tcp?)/4500 with either whitelisting safe origin countries, or blacklisting rogue origin countries might mitigate the situation.
I've compiled all countries into an address group for convenience, found here https://www.beneicke-edv.de/support/tools/#all_countries_addressgroup
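One way to build the geo-based local-in policy suggested above, as an added FortiOS CLI example (not the poster's configuration or the linked address-group file): geography addresses for the countries to block are grouped, and a local-in policy on the WAN interface denies the predefined "IKE" service (udp/500 and udp/4500) from that group before it reaches the VPN daemon. The country codes, the group name and the interface name "wan1" are assumptions.

```fortios
# Added example, not from the original post. Country codes and object names
# are placeholders; "IKE" is the predefined service for udp/500 and udp/4500.
config firewall address
    edit "geo-XX"
        set type geography
        set country "XX"
    next
    edit "geo-YY"
        set type geography
        set country "YY"
    next
end
config firewall addrgrp
    edit "ike-blocked-countries"
        set member "geo-XX" "geo-YY"
    next
end
# Local-in policies govern traffic addressed to the FortiGate itself, which
# is where IKE negotiations terminate, so a normal IPv4 policy would not see it.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "ike-blocked-countries"
        set dstaddr "all"
        set service "IKE"
        set schedule "always"
        set action deny
    next
end
```

For the allow-list variant, reference a group of permitted countries with `set action accept` in policy 1 and add a second local-in policy denying "IKE" from "all"; because the original poster saw about half the probes coming from inside his own country, geo blocking on its own only trims the noise and is best paired with the DoS policy.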
Thank you both for the suggestions, extremely helpful!
I ended up creating an address group with the ranges that were seen most often and adding a deny policy. Right away, I saw activity on the policy.
Additionally, I also set up a DDoS policy and used the documentation as a starting point: https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-firewall/Policy%20Configuration/IPv4...
@ede_pfau - Do you see any performance hit when using the geo filtering? To-date, about 50% of the malicious hits are from inside my country, so geo blocking would only cut down on some of the abuse.
No, I don't see and don't expect any noticeable performance hit on firewalling. The 'work load' is done by FortiGuard, that is, determining the IP ranges for each country. These lists are continually updated and sent to the FGT. FortiOS only has to compile the blocked address ranges and offload it to the NPU.
The FGTs I manage (in Europe) get molested mainly by hosts in Brazil, China, Viet Nam, Ukraine. I can rule out any legitimate access from these countries. So, incoming traffic is reduced by, say, 80%.
Any ideas on how to block port scans that use bypassing methods such as this page demonstrates?
https://www.northit.co.uk/posts/bypassing-port-scan-blocking-firewalls/