
How to stop port scanning attacks every hour

Posted: 02 Jan 2015, 13:25
by Gaurav
My 15-day-old server is receiving port scanning attacks almost every hour. I configured CSF and it's doing a great job of blocking those port scanning attacks and sending me an alert email with the details.

Wondering if there is a way I can completely disable the port scanning feature on my dedicated server with the help of csf?

Below are a few samples of the block alerts:


Time:    Fri Jan  2 16:17:00 2015 +0400
IP:      89.242.44.165 (GB/United Kingdom/host-89-242-44-165.as13285.net)
Hits:    11
Blocked: Temporary Block

Sample of block hits:
Jan  2 16:16:18 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=89.242.44.165 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=7287 DF PROTO=TCP SPT=55019 DPT=25566 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:16:19 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=89.242.44.165 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=7575 DF PROTO=TCP SPT=55059 DPT=25566 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:16:21 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=89.242.44.165 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=7664 DF PROTO=TCP SPT=55019 DPT=25566 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:16:22 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=89.242.44.165 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=7739 DF PROTO=TCP SPT=55059 DPT=25566 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:16:27 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=89.242.44.165 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=8376 DF PROTO=TCP SPT=55019 DPT=25566 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:16:28 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=89.242.44.165 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=8689 DF PROTO=TCP SPT=55059 DPT=25566 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:16:46 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=89.242.44.165 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=11782 DF PROTO=TCP SPT=55451 DPT=25566 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:16:49 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=89.242.44.165 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=12440 DF PROTO=TCP SPT=55451 DPT=25566 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:16:51 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=89.242.44.165 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=12649 DF PROTO=TCP SPT=55479 DPT=25566 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:16:54 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=89.242.44.165 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=12720 DF PROTO=TCP SPT=55479 DPT=25566 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:16:55 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=89.242.44.165 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=12840 DF PROTO=TCP SPT=55451 DPT=25566 WINDOW=8192 RES=0x00 SYN URGP=0


Time:    Fri Jan  2 16:04:06 2015 +0400
IP:      176.10.228.193 (SE/Sweden/h-228-193.a185.priv.bahnhof.se)
Hits:    11
Blocked: Temporary Block

Sample of block hits:
Jan  2 16:00:08 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=176.10.228.193 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=18519 DF PROTO=TCP SPT=49840 DPT=25769 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:00:08 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=176.10.228.193 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=18536 DF PROTO=TCP SPT=49843 DPT=25565 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:00:11 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=176.10.228.193 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=18687 DF PROTO=TCP SPT=49840 DPT=25769 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:00:11 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=176.10.228.193 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=18694 DF PROTO=TCP SPT=49843 DPT=25565 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:00:17 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=176.10.228.193 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=18731 DF PROTO=TCP SPT=49840 DPT=25769 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:00:17 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=176.10.228.193 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=18732 DF PROTO=TCP SPT=49843 DPT=25565 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:03:54 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=176.10.228.193 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=23354 DF PROTO=TCP SPT=50003 DPT=25769 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:03:54 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=176.10.228.193 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=23364 DF PROTO=TCP SPT=50004 DPT=25565 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:03:57 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=176.10.228.193 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=23518 DF PROTO=TCP SPT=50003 DPT=25769 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:03:57 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=176.10.228.193 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=23523 DF PROTO=TCP SPT=50004 DPT=25565 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:04:03 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=176.10.228.193 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=23598 DF PROTO=TCP SPT=50003 DPT=25769 WINDOW=8192 RES=0x00 SYN URGP=0


Time:    Fri Jan  2 13:12:06 2015 +0400
IP:      78.72.163.51 (SE/Sweden/h51n6-j-a31.ias.bredband.telia.com)
Hits:    11
Blocked: Temporary Block

Sample of block hits:
Jan  2 13:09:15 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=78.72.163.51 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=38565 DF PROTO=TCP SPT=56871 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:09:17 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=78.72.163.51 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=53462 DF PROTO=TCP SPT=56871 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:09:19 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=78.72.163.51 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=6273 DF PROTO=TCP SPT=56871 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:09:23 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=78.72.163.51 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=54 ID=17213 DF PROTO=TCP SPT=56871 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:09:31 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=78.72.163.51 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=54 ID=58731 DF PROTO=TCP SPT=56871 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:11:58 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=78.72.163.51 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=21421 DF PROTO=TCP SPT=58336 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:11:59 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=78.72.163.51 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=61165 DF PROTO=TCP SPT=58336 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:12:00 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=78.72.163.51 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=8469 DF PROTO=TCP SPT=58336 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:12:01 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=78.72.163.51 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=26585 DF PROTO=TCP SPT=58336 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:12:02 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=78.72.163.51 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=19317 DF PROTO=TCP SPT=58336 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:12:03 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=78.72.163.51 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=37800 DF PROTO=TCP SPT=58336 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0


Time:    Fri Jan  2 13:10:55 2015 +0400
IP:      81.187.170.190 (GB/United Kingdom/190.170.187.81.in-addr.arpa)
Hits:    11
Blocked: Temporary Block

Sample of block hits:
Jan  2 13:09:52 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=81.187.170.190 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=57 ID=35150 DF PROTO=TCP SPT=29542 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:09:53 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=81.187.170.190 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=57 ID=29905 DF PROTO=TCP SPT=29542 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:09:54 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=81.187.170.190 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=57 ID=18093 DF PROTO=TCP SPT=29542 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:09:55 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=81.187.170.190 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=57 ID=5103 DF PROTO=TCP SPT=29542 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:09:56 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=81.187.170.190 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=57 ID=57590 DF PROTO=TCP SPT=29542 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:09:57 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=81.187.170.190 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=57 ID=38160 DF PROTO=TCP SPT=29542 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:09:59 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=81.187.170.190 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=57 ID=22429 DF PROTO=TCP SPT=29542 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:10:03 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=81.187.170.190 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=57 ID=1488 DF PROTO=TCP SPT=29542 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:10:12 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=81.187.170.190 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=57 ID=31193 DF PROTO=TCP SPT=29542 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:10:53 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=81.187.170.190 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=57 ID=38551 DF PROTO=TCP SPT=29699 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 13:10:54 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=81.187.170.190 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=57 ID=55207 DF PROTO=TCP SPT=29699 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0


Time:    Fri Jan  2 12:27:14 2015 +0400
IP:      76.89.33.176 (US/United States/cpe-76-89-33-176.natsoe.res.rr.com)
Hits:    11
Blocked: Temporary Block

Sample of block hits:
Jan  2 12:24:32 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=76.89.33.176 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=22226 DF PROTO=TCP SPT=46045 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 12:24:33 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=76.89.33.176 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=21342 DF PROTO=TCP SPT=46045 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 12:24:34 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=76.89.33.176 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=16936 DF PROTO=TCP SPT=46045 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 12:24:35 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=76.89.33.176 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=4710 DF PROTO=TCP SPT=46045 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 12:24:36 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=76.89.33.176 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=15316 DF PROTO=TCP SPT=46045 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 12:24:37 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=76.89.33.176 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=10158 DF PROTO=TCP SPT=46045 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 12:24:39 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=76.89.33.176 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=6803 DF PROTO=TCP SPT=46045 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 12:24:43 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=76.89.33.176 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=5760 DF PROTO=TCP SPT=46045 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 12:24:51 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=76.89.33.176 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=30585 DF PROTO=TCP SPT=46045 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 12:27:08 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=76.89.33.176 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=62802 DF PROTO=TCP SPT=33058 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 12:27:09 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=76.89.33.176 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=49 ID=55088 DF PROTO=TCP SPT=33058 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0


Time:    Fri Jan  2 07:32:47 2015 +0400
IP:      71.75.200.51 (US/United States/cpe-071-075-200-051.carolina.res.rr.com)
Hits:    11
Blocked: Temporary Block

Sample of block hits:
Jan  2 07:30:37 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=71.75.200.51 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=10721 DF PROTO=TCP SPT=59224 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 07:30:40 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=71.75.200.51 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=10801 DF PROTO=TCP SPT=59224 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 07:30:46 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=71.75.200.51 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=10874 DF PROTO=TCP SPT=59224 DPT=25817 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 07:31:45 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=71.75.200.51 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=14973 DF PROTO=TCP SPT=59329 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 07:31:48 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=71.75.200.51 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=15151 DF PROTO=TCP SPT=59329 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 07:31:54 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=71.75.200.51 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=15530 DF PROTO=TCP SPT=59329 DPT=25817 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 07:32:11 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=71.75.200.51 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=17165 DF PROTO=TCP SPT=59390 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 07:32:14 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=71.75.200.51 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=17529 DF PROTO=TCP SPT=59390 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 07:32:20 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=71.75.200.51 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=18166 DF PROTO=TCP SPT=59390 DPT=25817 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 07:32:36 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=71.75.200.51 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=20883 DF PROTO=TCP SPT=59452 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 07:32:39 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=71.75.200.51 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=21233 DF PROTO=TCP SPT=59452 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0


Time:    Fri Jan  2 01:24:04 2015 +0400
IP:      74.103.156.115 (US/United States/pool-74-103-156-115.phlapa.fios.verizon.net)
Hits:    11
Blocked: Temporary Block

Sample of block hits:
Jan  2 01:22:57 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=12774 DF PROTO=TCP SPT=51296 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 01:23:01 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=12775 DF PROTO=TCP SPT=51296 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 01:23:07 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=12776 DF PROTO=TCP SPT=51296 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 01:23:51 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=65406 DF PROTO=TCP SPT=56764 DPT=25817 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 01:23:52 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=40424 DF PROTO=TCP SPT=56764 DPT=25817 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 01:23:53 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=55390 DF PROTO=TCP SPT=56764 DPT=25817 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 01:23:54 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=29362 DF PROTO=TCP SPT=56764 DPT=25817 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 01:23:55 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=52222 DF PROTO=TCP SPT=56764 DPT=25817 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 01:23:56 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=9131 DF PROTO=TCP SPT=56764 DPT=25817 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 01:23:58 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=34236 DF PROTO=TCP SPT=56764 DPT=25817 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  2 01:24:02 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=37661 DF PROTO=TCP SPT=56764 DPT=25817 WINDOW=65535 RES=0x00 SYN URGP=0


Time:    Fri Jan  2 03:39:36 2015 +0400
IP:      74.103.156.115 (US/United States/pool-74-103-156-115.phlapa.fios.verizon.net)
Hits:    11
Blocked: Temporary Block

Sample of block hits:
Jan  2 03:36:14 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=12828 DF PROTO=TCP SPT=1025 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 03:36:17 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=12829 DF PROTO=TCP SPT=1025 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 03:36:23 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=12830 DF PROTO=TCP SPT=1025 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 03:39:05 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=12831 DF PROTO=TCP SPT=58357 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 03:39:08 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=12832 DF PROTO=TCP SPT=58357 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 03:39:14 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=12833 DF PROTO=TCP SPT=58357 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 03:39:19 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=12834 DF PROTO=TCP SPT=58388 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 03:39:22 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=12835 DF PROTO=TCP SPT=58388 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 03:39:28 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=12836 DF PROTO=TCP SPT=58388 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 03:39:30 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=12837 DF PROTO=TCP SPT=58419 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 03:39:33 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=74.103.156.115 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=12838 DF PROTO=TCP SPT=58419 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0

Re: How to stop port scanning attacks every hour

Posted: 03 Jan 2015, 15:30
by jcats
It says right in csf.conf how to disable port scanning.

# SECTION:Port Scan Tracking

# Set PS_INTERVAL to "0" to disable this feature. A value of between 60 and 300
# would be sensible to enable this feature

Make sure to restart CSF afterwards.

Re: How to stop port scanning attacks every hour

Posted: 03 Jan 2015, 17:00
by Gaurav
Thanks jcats,

That seems very obvious now in the csf config itself. Appreciate your help in pointing me in the right direction.

Any idea if there is any downside to disabling it completely? I mean, why did csf leave this on by default in the first place?

Re: How to stop port scanning attacks every hour

Posted: 06 Jan 2015, 12:37
by jcats
Sorry, I thought you wanted to disable the port scanning feature CSF offers. By default, CSF does not open 25566; is this where the traffic is always hitting when looking at the logs? All I can find for 25566 is a Minecraft port; do you run an MC server? If not, then you should be safe to close that port if it's not already.

From the logs you provided it does indicate that CSF is already blocking them:

"Firewall: *TCP_IN Blocked*"

You can always disable the actual emails but leave port scan tracking enabled by setting "PS_EMAIL_ALERT" to 0.
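The two replies from jcats above point at two different csf.conf knobs: PS_INTERVAL = "0" switches Port Scan Tracking off entirely (no tracking, no temporary blocks, no mail), while PS_EMAIL_ALERT = "0" keeps the tracking and the temporary blocks and only stops the hourly mail. The shell script below is an added example, not code from this thread or from ConfigServer: it edits a csf.conf-style file (csf writes every option as KEY = "value") with a check that the option name really exists, and applies each of the two changes to a constructed sample config so the difference is visible side by side. The helper names (csf_set, csf_get, quiet_port_scan_mail, disable_port_scan_tracking) and the sample config are this example's own; the option names TCP_IN, PS_INTERVAL and PS_EMAIL_ALERT and the "csf -ra" restart are real csf.

```shell
#!/bin/sh
# Added example: change Port Scan Tracking options in a csf.conf-style file.
# Not from the thread or from csf; helper names and the sample config below
# are constructed for this example.

# csf_set CONF KEY VALUE: rewrite the line KEY = "..." in CONF.
# Refuses (return 1) if KEY is not present, so a typo in the option name does
# not silently append a line that csf would never read.
csf_set() {
  conf=$1; key=$2; val=$3
  grep -q "^$key = " "$conf" || {
    printf 'csf_set: option %s not found in %s\n' "$key" "$conf" >&2
    return 1
  }
  tmp=$(mktemp) || return 1
  # write through a temp file, then copy back so owner/mode of CONF are kept
  sed "s|^$key = .*|$key = \"$val\"|" "$conf" > "$tmp" && cat "$tmp" > "$conf"
  rm -f "$tmp"
}

# csf_get CONF KEY: print the current value of KEY without the quotes.
csf_get() {
  sed -n "s/^$2 = \"\(.*\)\"\$/\1/p" "$1"
}

# write_sample_conf PATH: constructed fragment in csf.conf's format, with the
# state the thread's alerts imply (tracking on, alert mail on).
write_sample_conf() {
  cat > "$1" <<'EOF'
# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995"

# SECTION:Port Scan Tracking
# Set PS_INTERVAL to "0" to disable this feature. A value of between 60 and 300
# would be sensible to enable this feature
PS_INTERVAL = "300"

# Send an email alert when Port Scan Tracking blocks an IP
PS_EMAIL_ALERT = "1"
EOF
}

# quiet_port_scan_mail CONF: the later suggestion: keep PS_INTERVAL as it is
# (tracking and temporary blocks stay), stop the mail.
# Prints the resulting "PS_INTERVAL PS_EMAIL_ALERT" pair.
quiet_port_scan_mail() {
  csf_set "$1" PS_EMAIL_ALERT 0 || return 1
  printf '%s %s\n' "$(csf_get "$1" PS_INTERVAL)" "$(csf_get "$1" PS_EMAIL_ALERT)"
}

# disable_port_scan_tracking CONF: the first suggestion, for comparison:
# tracking off, so no temporary blocks and no mail from this feature at all.
disable_port_scan_tracking() {
  csf_set "$1" PS_INTERVAL 0 || return 1
  printf '%s %s\n' "$(csf_get "$1" PS_INTERVAL)" "$(csf_get "$1" PS_EMAIL_ALERT)"
}

# Demo on a throwaway copy. On a real server the file is /etc/csf/csf.conf and
# the change only takes effect after "csf -ra" (restart csf and lfd).
demo=$(mktemp)
write_sample_conf "$demo"
printf 'mail off, tracking kept: PS_INTERVAL PS_EMAIL_ALERT = %s\n' "$(quiet_port_scan_mail "$demo")"
write_sample_conf "$demo"
printf 'tracking disabled:       PS_INTERVAL PS_EMAIL_ALERT = %s\n' "$(disable_port_scan_tracking "$demo")"
rm -f "$demo"
```

Run it as root against /etc/csf/csf.conf only after backing the file up; csf_set changes just the one line, but the restart with "csf -ra" reloads every rule, so do it at a quiet moment.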

Re: How to stop port scanning attacks every hour

Posted: 07 Jan 2015, 06:19
by Gaurav
Well, thanks to OVH, who sell crappy IP addresses with their new servers, and that's where I got stuck with this situation. They are so robotic and not at all helpful in changing this rotten IP that hits me with attacks every hour.

I don't want to disable the alert for security reasons, as many times it gives interesting insight into who is getting blocked for what offence. Coming back to the port scanning issue, my server is a typical web and mail server and not MC. Maybe this IP was assigned earlier to an MC-type server. Look at the one-liners from a few attacks I extracted; they hit several different ports.

Maybe you can advise something else after seeing the log below. Thanks for your help.


Jan  7 05:41:36 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=58.7.192.25 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=51869 DF PROTO=TCP SPT=62305 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0

Jan  7 00:20:54 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=108.2.123.23 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=14520 DF PROTO=TCP SPT=56856 DPT=25817 WINDOW=8192 RES=0x00 SYN URGP=0

Jan  7 02:19:13 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=176.10.228.193 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=2791 DF PROTO=TCP SPT=50862 DPT=25769 WINDOW=8192 RES=0x00 SYN URGP=0

Jan  7 00:41:00 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=83.254.176.91 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=6918 DF PROTO=TCP SPT=62984 DPT=25817 WINDOW=9652 RES=0x00 SYN URGP=0

Jan  7 00:30:38 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=86.159.14.173 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=55 ID=34265 DF PROTO=TCP SPT=53768 DPT=25813 WINDOW=65535 RES=0x00 SYN URGP=0

Jan  7 00:09:11 server kernel: Firewall: *Port Flood* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=189.217.75.55 DST=94.23.6.25 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=40049 PROTO=TCP SPT=48307 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

Jan  6 17:24:39 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=2.108.11.118 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=121 ID=22391 DF PROTO=TCP SPT=49919 DPT=25639 WINDOW=8192 RES=0x00 SYN URGP=0

Jan  6 11:03:39 server kernel: Firewall: *Port Flood* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=223.30.109.204 DST=94.23.6.25 LEN=48 TOS=0x00 PREC=0x00 TTL=49 ID=43561 PROTO=TCP SPT=54020 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

Jan  6 07:11:39 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=124.148.61.109 DST=94.23.6.25 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=61910 DF PROTO=TCP SPT=50136 DPT=25605 WINDOW=65535 RES=0x00 SYN URGP=0
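The one-liners Gaurav extracted above are easier to judge as a table of source, destination port and hit count than as one alert mail per block. The script below is an added example, not code from this thread or from csf: it parses the kernel "Firewall: *...*" lines that lfd quotes in its alerts, counts hits per event, source and port, and marks each port open or closed against a TCP_IN value written in csf.conf syntax (comma-separated ports and lo:hi ranges). The sample log lines are copied from this thread; the TCP_IN value and the helper names (summarize_blocks, classify_hits, triage_sample) are this example's own assumptions. Run over the thread's data it shows the point jcats made: every TCP_IN Blocked hit lands on a port in the 25565 to 25817 range that is not in TCP_IN, so the default drop already handles it whether or not Port Scan Tracking fires, while the Port Flood entries are on port 80, which is open and is a different kind of event.

```shell
#!/bin/sh
# Added example: triage csf/lfd "Firewall: *...*" kernel log lines by event,
# source, destination port and hit count, then mark each port open or closed
# according to TCP_IN. Not code from the thread or from csf. The sample lines
# are copied from the thread above; the TCP_IN value is an assumption.

SAMPLE_LOG='Jan  2 16:16:18 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=89.242.44.165 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=7287 DF PROTO=TCP SPT=55019 DPT=25566 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:16:19 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=89.242.44.165 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=7575 DF PROTO=TCP SPT=55059 DPT=25566 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:16:21 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=89.242.44.165 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=7664 DF PROTO=TCP SPT=55019 DPT=25566 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:00:08 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=176.10.228.193 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=18519 DF PROTO=TCP SPT=49840 DPT=25769 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  2 16:00:08 server kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:04:00:08:00 SRC=176.10.228.193 DST=94.23.6.25 LEN=52 TOS=0x00 PREC=0x00 TTL=120 ID=18536 DF PROTO=TCP SPT=49843 DPT=25565 WINDOW=8192 RES=0x00 SYN URGP=0
Jan  7 00:09:11 server kernel: Firewall: *Port Flood* IN=eth0 OUT= MAC=4c:72:b9:4f:05:f5:00:22:91:08:1c:00:08:00 SRC=189.217.75.55 DST=94.23.6.25 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=40049 PROTO=TCP SPT=48307 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0'

# Assumed TCP_IN for a web and mail server; replace with the value from csf.conf.
TCP_IN_ASSUMED="20,21,22,25,53,80,110,143,443,465,587,993,995"

# summarize_blocks: read log lines on stdin, print "COUNT EVENT SRC PROTO/DPT",
# most frequent first. EVENT is the text between the asterisks with spaces
# replaced by underscores (TCP_IN_Blocked, Port_Flood, ...).
summarize_blocks() {
  awk '
    /Firewall: \*/ {
      if (!match($0, /\*[^*]+\*/)) next
      ev = substr($0, RSTART + 1, RLENGTH - 2); gsub(/ /, "_", ev)
      src = dpt = proto = "?"
      for (i = 1; i <= NF; i++) {
        if (split($i, kv, "=") != 2) continue      # skip flags like SYN, DF
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
      }
      hits[ev " " src " " proto "/" dpt]++
    }
    END { for (k in hits) print hits[k], k }
  ' | sort -k1,1nr -k2
}

# classify_hits TCP_IN_VALUE: read summarize_blocks output on stdin and append
# "open" if the destination port is listed in TCP_IN (single ports or lo:hi
# ranges, as in csf.conf), otherwise "closed". A closed port was never
# reachable: the packet is dropped by the default policy, Port Scan Tracking
# only decides whether the source gets a temporary block and a mail on top.
classify_hits() {
  awk -v allow="$1" '
    BEGIN {
      nr = 0
      n = split(allow, a, ",")
      for (i = 1; i <= n; i++) {
        if (index(a[i], ":")) { split(a[i], r, ":"); lo[++nr] = r[1] + 0; hi[nr] = r[2] + 0 }
        else single[a[i] + 0] = 1
      }
    }
    function is_open(p,    j) {
      if (p in single) return 1
      for (j = 1; j <= nr; j++) if (p >= lo[j] && p <= hi[j]) return 1
      return 0
    }
    {
      split($4, pp, "/"); p = pp[2] + 0
      print $0, (is_open(p) ? "open" : "closed")
    }
  '
}

# triage_sample [TCP_IN_VALUE]: whole pipeline over the sample lines.
# On a real server replace the printf with e.g.: grep 'Firewall:' /var/log/messages
triage_sample() {
  printf '%s\n' "$SAMPLE_LOG" | summarize_blocks | classify_hits "${1:-$TCP_IN_ASSUMED}"
}

triage_sample
```

The output has one line per (event, source, port) with the count first, so the 11-hit bursts that produce a mail collapse to a single row, and the "closed" marker answers the question the thread circles around: nothing on those Minecraft-range ports was ever exposed. Rows marked "open", like the Port Flood entries on 80, are the ones worth a second look.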

Re: How to stop port scanning attacks every hour

Posted: 07 Jan 2015, 11:54
by keat63
I have one very similar.

You could always add
89.242.44.165 #do not delete
or maybe
89.24.0.0/16 #do not delete
to your deny ip list.

This will only block that IP (or range) though, so if they are using a proxy (as is the case for me) then the IP is constantly changing.

A block by MAC address would be a nice option.