Re: How can we block Nmap and other Port scanners

JunedRafeek_kit · ‎2018-12-11

How can I block Nmap scan from Outside? .

VAPT report submitted by external vendors used nmap to scan our network and checkpoint gave pretty much all the information which can used further for attacks. How can we block such request on checkpoint?

Sample ::

Starting Nmap 7.70 ( https://nmap.org ) at 2018-12-11 17:51 Standard Time
Nmap scan report for 94.X.X.X
Host is up (0.0086s latency).
Not shown: 95 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Check Point NGX Firewall-1
443/tcp open ssl/http Connectra Check Point Web Security httpd
444/tcp filtered snpp
Aggressive OS guesses: Linux 2.6.18 (94%), Linux

Martin_Raska · ‎2018-12-11

How to configure Security Gateway to detect and prevent port scan - sk110873

In SmartEvent you have default events predefined which are not activated by default.

Danny · ‎2018-12-11

https://community.checkpoint.com/message/33652-howto-react-on-check-point-information-disclosure

ED · ‎2018-12-12

Hi,

Have you checked your IPS protections and made sure that the protection "Nmap Scripting Engine Scanner over HTTP request" is set to prevent?

JunedRafeek_kit · ‎2018-12-12

Yeah that is active but Nmap request still get through.

ED · ‎2018-12-13

Have you tried to follow the sk suggested by Martin? Nmap as portscanner has been along for ages (tons of options to avoid being detected) and as long as you have services open for "anyone" it will show on port scanners. If you have services exposed for anyone on the Internet then you should not be so worried being port scanned. As long as you have the latest updates and patches for the servers behind these ports (also IPS protections set to prevent for these services), there is not so much more you can do. Portscans happens all the time and are not magical hacking fairy dust.