Support Forum
zeronet
New Contributor

Best practice for thwarting port scanning?

I seem to get an awful lot of port scans to port 500, many/most on the same IP block.

I'm certain they're doing an overall scan of the network, but I've just implemented a notification alert on the following:

  • SSL VPN login failure
  • IPsec tunnel errors

via Log & Report > Email Alert Settings (300E model) so I can keep tabs if any of my users are having problems (or are the target of a brute force attack).

...so I'm most aware of the port 500 hits. However, because these garbage notifications are bloating my inbox, I've overlooked legitimate login failures for my users, unintentionally.

What's the best approach to either stopping these scans from triggering an alert, or blocking the probes?

I'm fairly new to Fortinet products, so I'm not completely well-versed in the full capabilities of the firewall.

Possible approaches:

  • Block the CIDR of the most frequent offenders for UDP 500 (may/may not be problematic, as it's on the Hurricane Electric network; most of my users use a local ISP that is not HE, but issues may surface with travel)
  • Whitelist the CIDRs of my users for UDP 500 (which would make their foreign travel a headache for me)
  • Add an Intrusion Detection rule?*
  • Let them scan to their heart's content and filter the email after it hits my inbox (my least desirable solution as it's kind of a band-aid)

*I do have Intrusion Detection running, but I haven't yet set up a rule to target this behavior as I'm not entirely sure how the signatures and filters work.

Can anyone offer any suggestions?

    ede_pfau
    Esteemed Contributor III

Depending on the circumstances, a local-in policy for udp/500 and udp(tcp?)/4500 with either whitelisting safe origin countries, or blacklisting rogue origin countries might mitigate the situation.

I've compiled all countries into an address group for convenience, found here https://www.beneicke-edv.de/support/tools/#all_countries_addressgroup

Ede

"Kernel panic: Aiee, killing interrupt handler!"
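As an added illustration of the local-in approach Ede describes (constructed for this thread, not taken from the thread or from Fortinet's documentation): a FortiOS CLI fragment that builds geography addresses, groups them, and denies IKE from that group before the probes ever reach the VPN daemon. The interface name "wan1" and the two country codes are placeholders; substitute your own.

```text
# Constructed example: geography-based local-in deny for IKE on the WAN interface.
# "wan1" and the country codes are placeholders, not values from the thread.
config firewall address
    edit "geo_BR"
        set type geography
        set country "BR"
    next
    edit "geo_CN"
        set type geography
        set country "CN"
    next
end

config firewall addrgrp
    edit "blocked_countries"
        set member "geo_BR" "geo_CN"
    next
end

# "IKE" is a predefined FortiOS service covering udp/500 and udp/4500.
# Local-in policies govern traffic addressed to the FortiGate itself (such as
# IPsec negotiation) and are matched top-down by ID before the regular
# firewall policies, so a denied probe never produces an IPsec tunnel event.
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "blocked_countries"
        set dstaddr "all"
        set action deny
        set service "IKE"
        set schedule "always"
    next
end
```

For the whitelist variant Ede mentions, reverse the logic: an accept policy whose srcaddr is the group of your users' countries, followed by a deny policy for IKE from "all".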
andrewbailey

Zeronet,

A DDoS policy on the WAN interface allows you to limit port scans. I've found that to be useful.

If I recall correctly the DDoS policy is applied early in the packet flow, essentially making it one of the more efficient approaches to limiting this type of undesirable scanning.

The other advantage of the DDoS policy is that you can "quarantine" the attacker for any period of time. I use a relatively small quarantine time of 15 minutes, but that slows the attackers down enough to reduce the problem. That would also help with your management issue; essentially the quarantine just happens in the background. Once the quarantine time expires it is cleared automatically too (which may be useful for preventing your remote users being blocked).

The downside is that a DDoS policy will take some tuning; the settings you use will depend on your environment, WAN speeds etc. But there are some good guides in the Fortinet documentation on how to do it.

Hope that is useful.

Kind Regards,

Andy.
zeronet

Thank you both for the suggestions, extremely helpful!

I ended up creating an address group with the ranges that were seen most often and adding a deny policy. Right away, I saw activity on the policy.

Additionally, I also set up a DDoS policy and used the documentation as a starting point: https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-firewall/Policy%20Configuration/IPv4...

@ede_pfau - Do you see any performance hit when using the geo filtering? To date, about 50% of the malicious hits are from inside my country, so geo blocking would only cut down on some of the abuse.

ede_pfau
Esteemed Contributor III

No, I don't see and don't expect any noticeable performance hit on firewalling. The 'work load' is done by FortiGuard, that is, determining the IP ranges for each country. These lists are continually updated and sent to the FGT. FortiOS only has to compile the blocked address ranges and offload them to the NPU.

The FGTs I manage (in Europe) get molested mainly by hosts in Brazil, China, Viet Nam, Ukraine. I can rule out any legitimate access from these countries. So, incoming traffic is reduced by, say, 80%.

Ede

"Kernel panic: Aiee, killing interrupt handler!"