Monitor ports to detect scans

Hi all!
I'm running a Vilfo (vilfo.com) router that's running on LuCI openwrt-21.02.

Is there any way to monitor all ports, to detect (and ban) anybody that's running a scan on my WAN IP?

All WAN ports are closed by default, so there's nothing to scan.


What he said, but feel free to open some, to detect the scans....

Even if you spotted them they'd probably be using a transient or hijacked address, and have plenty of other ones to attack you from if they sense a vulnerability.

Just for clarity though, do you mean you have services running on a WAN port that you forward to LAN, and you want to block an IP from accessing that service if you also see them probing another port?

EDIT: Meant to say that this might help you: https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_traffic_logging

It seems you forgot some ironic or sarcastic tags in your post ;-)

In firewall WAN settings, turn on logging.
But this will be a lot of logging data, so you need to have a more serious log handling system than the standard log in OpenWrt.

BanIP also has a setting to scan the WAN port and ban illegal brute force attempts.

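Once WAN-zone logging is enabled as described above, `logread` shows netfilter LOG lines for every rejected inbound packet. As an added example (not from this thread or from OpenWrt), here is a small parser that picks out the "scans" the original poster wanted to log: a source address hitting several distinct WAN ports within a short window. The log lines are constructed in the style of fw3's `REJECT wan in:` prefix, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the style of `logread` output with WAN-zone logging on.
# Not real traffic; addresses are documentation ranges.
SAMPLE_LOG = """\
Fri Jun 25 10:00:01 2021 kern.warn kernel: [1000.1] REJECT wan in: IN=eth0.2 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=22 SYN
Fri Jun 25 10:00:01 2021 kern.warn kernel: [1000.2] REJECT wan in: IN=eth0.2 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=80 SYN
Fri Jun 25 10:00:02 2021 kern.warn kernel: [1001.0] REJECT wan in: IN=eth0.2 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=443 SYN
Fri Jun 25 10:00:02 2021 kern.warn kernel: [1001.5] REJECT wan in: IN=eth0.2 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=UDP SPT=40004 DPT=1194
Fri Jun 25 10:00:03 2021 kern.warn kernel: [1002.0] REJECT wan in: IN=eth0.2 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40005 DPT=3389 SYN
Fri Jun 25 10:00:05 2021 kern.warn kernel: [1004.0] REJECT wan in: IN=eth0.2 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=443 SYN
Fri Jun 25 10:30:00 2021 kern.warn kernel: [2800.0] REJECT wan in: IN=eth0.2 OUT= SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=22 SYN
"""

# Timestamp, then the fw3 "<target> <zone> <dir>:" prefix, then the netfilter fields we need.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) .*?REJECT wan in: .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

def parse(log):
    """Yield (timestamp, src, proto, dport) for each rejected WAN-inbound line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
            yield ts, m["src"], m["proto"], int(m["dpt"])

def detect_scanners(log, min_ports=5, window_s=60):
    """Return {src: sorted distinct (proto, port)} for every source that probed
    at least min_ports distinct ports inside some window_s-second window.
    A single stray probe (the second source in the sample) is not flagged."""
    hits = defaultdict(list)
    for ts, src, proto, dpt in parse(log):
        hits[src].append((ts, (proto, dpt)))
    scanners = {}
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {p for t, p in events[i:] if (t - t0).total_seconds() <= window_s}
            if len(in_window) >= min_ports:
                scanners[src] = sorted(in_window)
                break
    return scanners

if __name__ == "__main__":
    for src, ports in detect_scanners(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {ports}")
```

The flagged addresses are what you would feed to a ban list or an external log collector; tune `min_ports` and `window_s` to how noisy your WAN actually is.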

BTW, if you want to have some services available externally for occasional use (e.g. VPN or SSH) while deterring baddies, then you might want to take a look at "port knocking": https://openwrt.org/docs/guide-user/services/remote_control/portknock.server. In summary, you have to make a "magic knock" on other ports before the actual service port becomes active.


My own experience of DoS attacks on the 1194 OpenVPN port is that if you look in the port scan log and compare that with the TCP/UDP registered port list, you will notice that all the scanned ports aren't randomly spread out all over the place. They are handpicked from the standard registered communications ports in use.

So the easiest way to be "left alone" on, for example, VPN tunnels is to go non-standard, because no one is looking at those ports no one uses. Unless you are caught in a targeted attack, but I find that highly unlikely.


It's worth a look, thx

Thx, that's why I was looking for a monitor that only logs "scans". Is there any way to log to an external server?
BanIP? Haven't heard about that, got a link?


Yes, if I remember right it is called external log IP or something like that in system settings.
You can set port also.

Yes! Openwrt.org and then go to packages.

Oh, didn't see it in LuCI's list of available packages (software), didn't know there were others not listed there..