Port Scanning Countermeasures

Administrators often use port scanning techniques to verify the security policies of their networks, whereas attackers use them to identify open ports and running services on a host with the intent of compromising the network. Furthermore, users occasionally leave needless open ports on their systems without realizing it. Such open ports are exploited by an attacker to launch assaults. But as long as you take the following precautions to safeguard your system or network from port scanning, there's no need to worry.

Continue reading Part 1 and Part 2 of Port Scanning Techniques. 

  • When the attackers use port scanning tools to send probes, the firewall should be able to identify them. It only needs to look at the TCP header to prevent traffic from passing through it. Before permitting traffic to flow via a packet, the firewall has to have the capability to scrutinize the data enclosed within it.
  • Try using the port scanning tools on network hosts to see if the firewall can correctly identify port scanning activities. 
  • Set up commercial firewalls to prevent SYN floods and quick port scans on your network. On Linux/Unix systems, you can use programmes like port entry to identify and stop attempts at port scanning.
  • If a commercial firewall is in use, then ensure that:
    • It is patched with the latest updates
    • It has correctly defined antispoofing rules
  • Ensure that the anti-spoofing rules are configured.
  • Ensure that the router, IDS, and firewall firmware are updated with their latest releases/versions.
  • When it comes to detecting stealth scans, certain firewalls perform better than others. For instance, while some firewalls entirely disregard FIN scans, several have special settings to identify SYN scans. 
  • Hackers sniff the details of a remote OS using tools like Nmap and OS detection. In these situations, it is crucial to use intrusion detection systems.
  • Block unwanted services running on the ports and update the service versions. 
  • Ensure that the versions of services running on the ports are non-vulnerable. 
  • Because an attacker will attempt to enter through any open port, keep as few ports open as possible and filter the rest. Lock down the network, filter the following ports, and block unauthorised ports at the firewall using a custom rule set: 135-159, 256-258, 389, 445, 1080, 1745, and 3268.
  • Block inbound ICMP message types and all outbound ICMP type-3 unreachable messages at the border arranged in front of a company's main firewall. 
  • Attackers attempt to use an intermediary host that can communicate with the target to execute source routing and send packets to the targets—which might not be accessible over the Internet. Therefore, you need to be sure that your router and firewall are capable of blocking these source-routing methods.
  • Make sure that no specific source port or source-routing technique may be utilised to circumvent the routing and filtering mechanisms at the routers and firewalls, respectively.
  • Test your IP address space using TCP and UDP port scans as well as ICMP probes to determine the network configuration and accessible ports.

No comments:

Post a Comment