Carlos_Jara
Nickel

How can I avoid "Host Port" scan?

Hi,

We have a lot of "Host Port Scan" events in.

How can I avoid "Host Port Scan"?

In "Core Protections" we can only choose between "Accept" & "Inactive".

Could you help me?

13 Replies
ED
Silver

Re: How can I avoid "Host Port" scan?

Employee+

Re: How can I avoid "Host Port" scan?

What do you mean by avoid? On the internet there's almost no way to avoid it, it happens all the time and everywhere. 

Keep in mind that a portscan could be a first phase of an attack, looking at the cyber kill chain (reconnaissance). The amount of info can be annoying if it happens frequently but I would always keep this logged. Unless it's false positive (which I doubt). 

I believe that the protection is enabled by default only for the strict profile. 

HTH

/Martijn

Vladimir
Pearl

Re: How can I avoid "Host Port" scan?

Use options 4 or 5, depending on the desired outcome.

Olga_Kuts
Silver

Re: How can I avoid "Host Port" scan?

Hi Vladimir,

What mechanisms use this method? Is this method relevant for VSX infrastructure? For example, we try to use method which Enis Dunic described, but VSX doesn't support SAM mechanism. 

Employee+

Re: How can I avoid "Host Port" scan?

VSX R80.20 does support the "fwaccel dos" commands :)

'fwaccel dos' and 'fwaccel6 dos' 

fwaccel dos pbox 

fwaccel dos whitelist 

'fwaccel dos blacklist' and 'fwaccel6 dos blacklist' 

'fwaccel dos rate' and 'fwaccel6 dos rate' 

+

'fw sam_policy add' and 'fw6 sam_policy add' 

Description

The 'fw sam_policy add' and 'fw6 sam_policy add' commands let you:

  • Add one Suspicious Activity Monitoring (SAM) rule at a time.
  • Add one Rate Limiting rule at a time.

Notes:

  • You can run these commands interchangeably: 'fw sam_policy add' and 'fw samp add'.
  • Security Gateway stores the SAM Policy rules in the $FWDIR/database/sam_policy.db file.
  • The SAM Policy management file is $FWDIR/database/sam_policy.mng.
  • You can run these commands in Gaia Clish, or Expert mode.
  • Configuration you make with these commands, survives reboot.
  • VSX Gateway does not support Suspicious Activity Policy configured in SmartView Monitor. See sk79700.
  • The SAM Policy rules consume some CPU resources on the Security Gateway. We recommend setting an expiration that gives you time to investigate but does not affect performance. The best practice is to keep only the SAM Policy rules that you need. If you confirm that an activity is risky, edit the Security Policy, educate users, or otherwise handle the risk.
  • On VSX Gateway, first go to the context of an applicable Virtual System.

    In Gaia Clish, run: set virtual-system <VSID>

    In Expert mode, run: vsenv <VSID>

  • In Cluster, you must configure the SecureXL in the same way on all of the cluster members.
Vladimir
Pearl

Re: How can I avoid "Host Port" scan?

Hmm... I really am not sure what the underlying mechanism is.

Can someone from Check Point answer this question:

When scanning or DOS rules are configured in the SmartEvent with the action set to "Block Source" how is it executed in simple (i.e. single gateway or cluster) and in VSX environments?

Employee+

Re: How can I avoid "Host Port" scan?

fw sam 

  • SAM Requests are stored in the kernel table sam_requests on the Security Gateway.
  • IP Addresses that are blocked by SAM rules, are stored in the kernel table sam_blocked_ips on the Security Gateway.

sam_alert:
This tool executes FW-1 SAM actions according to information received through standard input.
It is intended for executing FW-1 SAM actions with the FW-1 User Defined Alerts mechanism.

sam_alert -t 120 -I -src :

This will set an automatic SAM rule (for all Security Gateways managed by this Security Management Server / Domain Management Server) with the Source IP address of the host that caused a hit on the IPS protection "Host Port Scan" for 120 seconds.

HTH,

Ofir S

Vladimir
Pearl

Re: How can I avoid "Host Port" scan?

If the SmartEvent actions are supposed to trigger SAM rules, is there enough intelligence in them to execute on VSX?

Olga_Kuts
Silver

Re: How can I avoid "Host Port" scan?

Hi Vladimir,

One more question: where can I see IP addresses, which were blocked?

Vladimir
Pearl

Re: How can I avoid "Host Port" scan?

It should be in a SmartEvent view, not the SmartLog.

Olga_Kuts
Silver

Re: How can I avoid "Host Port" scan?

Hi Vladimir,

Yes, I understand this, but as I understand I will see only some events. Where can I see a list of blocked IPs by "Port Scan" signature?

Vladimir
Pearl

Re: How can I avoid "Host Port" scan?

I am actually not certain that you can see it in list format. If the scan is blocked by creating a SAMP rule, and I do not see any other way it can be done without policy installation, it is added to the gateway's kernel table.

You can see them using "fw tab -t sam_blocked_ips" in hex, but you will have to translate the output to readable form yourself.

Alternatively, you can see the rules and the IPs blocked by SAMP here:
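As an added example (not code from this thread or from Check Point), a small Python helper that converts the hex words in such a kernel table dump into dotted-quad addresses. The sample dump and its field layout are constructed assumptions, so adjust the regex to the output your gateway actually prints.

```python
import re
import ipaddress

# Constructed sample resembling a "fw tab -t sam_blocked_ips" dump: one
# <...> entry per line, with an 8-hex-digit big-endian IPv4 word first.
# This layout is an assumption for illustration, not captured gateway output.
SAMPLE_OUTPUT = """\
localhost:
-------- sam_blocked_ips --------
dynamic, id 8190, attributes: expires, limit 25000, hashsize 512, kbuf 1
<c0a80105, 00000000; 00000001, 00000078; 1/110>
<0a000017, 00000000; 00000001, 00000078; 1/119>
<cb00711a, 00000000; 00000001, 00000078; 1/112>
"""

# Match the first hex field of an entry line such as "<c0a80105, ...>".
ENTRY_RE = re.compile(r"^<([0-9a-fA-F]{8})")


def hex_to_ipv4(word: str) -> str:
    """Turn an 8-hex-digit big-endian word (e.g. c0a80105) into dotted-quad form."""
    return str(ipaddress.IPv4Address(int(word, 16)))


def parse_blocked_ips(table_dump: str) -> list:
    """Return the IPv4 address of every <...> entry in the dump, in order."""
    ips = []
    for line in table_dump.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            ips.append(hex_to_ipv4(m.group(1)))
    return ips


if __name__ == "__main__":
    # On a gateway you would feed the real dump, e.g. via subprocess, instead.
    for ip in parse_blocked_ips(SAMPLE_OUTPUT):
        print(ip)
```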

Re: How can I avoid "Host Port" scan?

As I know, this Host Port Scan provides many features: it shows the open TCP ports, services, and version information, includes operating system information and reverse DNS results, and the original Nmap output is also included.