Hi all

I have a server which I manage with SSH. There are a few times that my server firewall blocked my IP because it detected my pc is doing port scanning on the server. So I would like to identify if there's any port scanning application installed in my openSuSe, which made port scanning to the server. So how can I identify this ? using netstat to detect outgoing traffic from my pc ?

Thanks

To be sure I have this correct, you have a server that has blocked your PC because of port scanning based upon IP address.
1 - Do the server and PC have public facing IP addresses or is this completely on a private LAN?
2 - If they have public IP addresses, is your PC static or Dynamic. In other words, could someone else have had your IP address and used it to scan, which caused you to get banned?
3 - what application are you using to perform the blocking and is it temporary or permanent?
4 - are you running any server applications on your PC that could have contributed to a vulnerability?
5 - can you correlate the time stamps from the logs to verify that your PC was on and had Internet access at the time.
6 - have you run any tools like nmap against your server from your PC which can appear as port scanning.

Now, with regards to checking your PC, the first thing I would do is watch and examine the network connections to see if anything is at work. While your doing this, you should NOT be doing general web browsing because this will open a lot of misc connections, mostly from ads. Second, look at the process tree to see what is running on your system. Three, look for any hidden files, especially in strange areas like /tmp, or /dev.

Here is a link to the CERT intruder detection checklist. I am posting a link to it because I think it describes some tests you want to run. In particular, you will also want to examine your cron tables very carefully because such an application may wake up periodically.

Here is a set of commands that will give you the process tree and help you examine the cron tasks. The other commands, such as finding files, are contained in the CERT checklist that I linked to above:

1 members found this post helpful.

Hi,

Thanks for your generous reply.

1 - Do the server and PC have public facing IP addresses or is this completely on a private LAN?
The server, Yes, it's a VPS server with public IP. For local PC, it's behind the router with LAN IP.

2 - If they have public IP addresses, is your PC static or Dynamic. In other words, could someone else have had your IP address and used it to scan, which caused you to get banned?
The server IP is static, while the PC is dynamic.

3 - what application are you using to perform the blocking and is it temporary or permanent?
The blocking was done by the preinstalled Cpanel program in the server,
server log
Apr 1 17:50:37 lfd[26288]: *Port Scan* detected from 123.123.123.123 (CountryCode/MyCountry/-). 11 hits in the last 291 seconds - *Blocked in csf* for 3600 secs [PS_LIMIT]
Hmn, seemed like it was due to the Login Failure Daemon (lfd), I remembered I was login in to the Mysql server using the Mysql WorkBench and had failed a few times. But I did not do till 11 hits.


4 - are you running any server applications on your PC that could have contributed to a vulnerability?
I am running apache, mysql server. But I don't think this has caused the issue on the server.

5 - can you correlate the time stamps from the logs to verify that your PC was on and had Internet access at the time.


6 - have you run any tools like nmap against your server from your PC which can appear as port scanning.
Not, I did not.

I will check others when I get to my PC

Thanks.

You could be having a false positive type issue where your activity or login is mimicking a port scan. My initial thought was that the application is most likely looking at various logfiles and using a REGEX match against certain keywords, but it looks like LFD also takes into account port information, which could explain the error.

Have a look at this thread please. I am wondering if the LFD is interpreting your MySQL Workbench traffic as a port scan. You might want to take a look at the port used, your lfd log to correlate ports and access times, and then if it looks to be the issue, whitelist the port in your configuration file.

Yes, your wondering is right

It was due to my pc IP had changed and no longer in the allowed host to access MySQL server, so when I tried to login with Mysql Workbench, it fail and if I try few more time, my server will log the same error of port scanning had happened.

Thanks