
Does normal network traffic sent out by software or anything else use port scanning for legitimate reasons?

I'm using psad on my Linux server and am unsure if setting the auto-ban IP feature on danger level 1, which equals 5 sent packets, would accidentally ban justified traffic and therefore users.

sysadt
  • I port scan all the time, like when I forget what the IP addresses of my machines are. Lots of software also does auto-discovery by spamming out network packets (either broadcast or just sending to every IP on the local network), which can be detected as "port scanning" by some security software. Also keep in mind that poor network conditions might trip your IDS, since a client missing multiple ACK packets may just keep sending new handshakes. – user Nov 12 '20 at 20:43
  • I know port scanning can be used for pen testing or locating devices in local networks, but my question was focussed on legitimate software using it for legitimate reasons. I disbelieve that broadcasts will be interpreted as port scanning, but your point with missing ACK packets is reasonable I believe. – sysadt Nov 13 '20 at 20:35
  • Legal penetration testing uses legitimate software for legitimate reasons. If you can detect vulnerabilities in your software like an attacker does, you can defend against those vulnerabilities. Running a port scan with nmap doesn't automatically make you a criminal (in most jurisdictions). – user Nov 13 '20 at 20:47
  • If you have a lot of users you should try to set it up to log "scan" attempts to see if any of your users are being detected. If it's just a web server that you're running, then there shouldn't be any traffic that resembles a "port scan" or similar (since web browsers and most other network software connects to specific, predefined ports). – user Nov 13 '20 at 20:54
  • Sometimes certain software can interpret the source port as the destination port, and different connections from a client all use different source ports. Due to this, a false alarm can be generated, especially on a small number of ports such as 5. I would increase the number of attempts before banishing the IP. – john doe Nov 13 '20 at 21:22
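To make the thresholds discussed in these comments concrete, here is an added example that is not code from the question, the commenters, or the psad project. It is a small Python classifier run over constructed iptables-style log lines (the format psad reads). It counts each source address three ways: raw packets (the page's "danger level 1 = 5 packets"), distinct destination ports, and distinct source ports (the misreading john doe describes), and reports which clients each rule would ban. The IP addresses, the log lines and the function names (`summarize`, `report`, and the `flag_by_*` helpers) are constructed for this illustration and are not psad's own.

```python
"""Toy port-scan classifier contrasting packet-count and distinct-port rules.

Constructed example: the log lines below are synthetic iptables-style records,
the 203.0.113.x / 198.51.100.x addresses are documentation ranges, and the
threshold of 5 mirrors the "danger level 1 = 5 packets" setting in the question.
"""
import re
from collections import defaultdict

# Only the firewall fields we need; IN=, OUT=, MAC=, LEN= etc. are ignored.
FIELD = re.compile(r"\b(SRC|DST|SPT|DPT|PROTO)=(\S+)")


def _line(src, spt, dpt):
    """Build one constructed iptables log line (assumed format, not a capture)."""
    return (f"Nov 13 20:40:01 srv kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00 "
            f"SRC={src} DST=198.51.100.5 LEN=60 PROTO=TCP SPT={spt} DPT={dpt} SYN")


SAMPLE_LOG = (
    # Lossy link: the same connection attempt (same source port) retransmitted 6x.
    [_line("203.0.113.10", 51234, 443)] * 6
    # Browser opening five parallel connections to the same HTTPS port.
    + [_line("203.0.113.30", spt, 443) for spt in range(40000, 40005)]
    # Sequential probe of six different service ports.
    + [_line("203.0.113.20", spt, dpt)
       for spt, dpt in zip(range(50000, 50006), (21, 22, 23, 25, 80, 8080))]
)


def parse_line(line):
    """Return src/dst/proto/spt/dpt of one TCP/UDP log line, or None if incomplete."""
    fields = dict(FIELD.findall(line))
    if not {"SRC", "DST", "SPT", "DPT"} <= fields.keys():
        return None
    return {"src": fields["SRC"], "dst": fields["DST"], "proto": fields.get("PROTO"),
            "spt": int(fields["SPT"]), "dpt": int(fields["DPT"])}


def summarize(lines):
    """Aggregate per source address: packet count, destination ports, source ports."""
    per_src = defaultdict(lambda: {"packets": 0, "dports": set(), "sports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_src[rec["src"]]
        entry["packets"] += 1
        entry["dports"].add(rec["dpt"])
        entry["sports"].add(rec["spt"])
    return per_src


def flag_by_packets(per_src, threshold=5):
    """Rule as described in the question: ban after N logged packets, any ports."""
    return {src for src, e in per_src.items() if e["packets"] >= threshold}


def flag_by_distinct_ports(per_src, threshold=5):
    """Stricter rule: ban only after N *different* destination ports were hit."""
    return {src for src, e in per_src.items() if len(e["dports"]) >= threshold}


def flag_by_distinct_source_ports(per_src, threshold=5):
    """The mistake john doe describes: treating the client's source port as the target."""
    return {src for src, e in per_src.items() if len(e["sports"]) >= threshold}


def report(lines=SAMPLE_LOG, threshold=5):
    """Return, per rule, the set of sources that rule would ban."""
    per_src = summarize(lines)
    return {
        "raw_packets": flag_by_packets(per_src, threshold),
        "distinct_dports": flag_by_distinct_ports(per_src, threshold),
        "distinct_sports": flag_by_distinct_source_ports(per_src, threshold),
    }


if __name__ == "__main__":
    for rule, hits in report().items():
        print(f"{rule:16s} -> {sorted(hits)}")
```

Run as-is, the raw packet rule bans all three sources, including the retransmitting client and the browser with five parallel connections; counting distinct destination ports bans only the host that touched six different services, and the source-port misreading bans the browser while letting the lossy-link client through. Whatever counter the tool actually uses, the practical check is the one suggested in the comments: log first, then compare the flagged addresses against known users before enabling auto-ban.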

0 Answers