How to Close Unused Open Ports: TCP and UDP Port Scan
- Open port: When anyone asks, the computer responds that there is a service listening on this port. This means anything coming to this port will get processed by a program (a service) running on that computer.
- Closed port: When anyone asks, the computer responds that there are no services listening on that port. The asker will know there is a computer responding at the address.
- Stealth port: When anyone asks, they get no reply. The point is to hide whether there is a computer at the address at all. It might not be very effective, though, as joschi points out in the comments.
Open ports allow hackers to:
- Configure the service to distribute content: Unused services tend to be left with default configurations, which are not always secure or may be using default passwords.
- Exploit old versions of unused software: Unused services tend to be forgotten, which means that they do not get updated. Old versions of software tend to be full of known vulnerabilities.
- Gain better information on your network: Some services give an attacker easy access to certain information; at the very least, they can make a very good guess about the operating system the server is running, which is already a good head start.
So now that you are armed with the same information that an attacker would have when probing your server, you should do the following:
- Identify the ports that you want to have running on the server. For example, if you are running a web and an FTP server, you will need port 80 for web, and ports 20 and 21 for FTP.
- If the host being scanned is a firewall, you will need to review any port address translation rules configured in the firewall / router, and consult your firewall documentation.
- Identify the processes listening on the ports that the Acunetix Online network scan has identified. You will need to close these or block them from being exposed on the Internet.
How to identify the processes that are keeping ports open
Most Linux distributions include the netstat command; however, its switches differ from those of the Windows version. Proceed as follows:
- On the scanned server, open a terminal session,
- Run the command: netstat -tulpn. This will list all daemons (services) listening for both TCP and UDP network traffic on the machine. The last column shows the process id and program name of the process that owns each listening socket. If this information is not being displayed, it is most likely because the user account you are running as does not have sufficient privileges. You may need to use sudo to get access to this information.
- You will probably want to filter this down using the grep command.
For example, if you only want to list the network connections on port 3306, use:
netstat -tulpn | grep ":3306"
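As an added example (not part of the original article), a small POSIX shell function that parses netstat -tulpn output and reports every listener bound to a non-loopback address whose port is not on the allowlist you drew up in the first step above. The netstat output embedded below is constructed sample data, and the allowlist of ports 80, 20 and 21 is an assumption taken from the web/FTP example.

```shell
#!/bin/sh
# Constructed sample of `netstat -tulpn` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/nginx
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1337/vsftpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1455/mysqld
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      1502/redis-server
tcp6       0      0 :::80                   :::*                    LISTEN      1201/nginx
udp        0      0 0.0.0.0:161             0.0.0.0:*                           1600/snmpd'

# Ports you intend to expose (assumed allowlist: web plus FTP), space-separated.
ALLOWED_PORTS="80 20 21"

# unexpected_listeners: reads netstat -tulpn output on stdin and prints
# "proto port pid/program" for each socket that is bound to a non-loopback
# address and whose port is not in the allowlist given as $1.
# Loopback-only listeners are skipped: they are not reachable from the Internet.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # skip the two header lines netstat prints
        /^Active/ || /^Proto/ { next }
        {
            proto = $1
            laddr = $4
            # port is everything after the last colon (works for IPv4 and IPv6 forms)
            port = laddr; sub(/.*:/, "", port)
            addr = laddr; sub(/:[0-9]+$/, "", addr)
            if (addr == "127.0.0.1" || addr == "::1") next
            # PID/Program name is always the last field ("-" when run unprivileged)
            pidprog = $NF
            if (!(port in ok)) print proto, port, pidprog
        }'
}

# Run against the constructed sample; on a real host pipe `sudo netstat -tulpn` instead.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$ALLOWED_PORTS"
```

Each reported line names a process to either stop, reconfigure to bind only to 127.0.0.1, or block at the firewall.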
The Port Scan Attack Detector (psad) is an excellent tool for detecting various types of suspicious traffic, including port scans from popular tools such as Nmap, DDoS attacks, and other efforts to brute force certain protocols on your system. By analyzing firewall logs, psad can not only pick up on certain attack patterns, but even manipulate firewall rules to properly respond to suspicious activity. This article will walk the reader through an EnGarde Secure Linux implementation of psad, from the initial iptables rules setup to the deployment of psad on the server side. By the end of the article, the user will be able to detect certain Nmap scans and have psad respond to these scans by blocking the source.