After receiving an Abuse Notice from my server provider, I was wondering how they manage to check all my traffic and send me these abuse notices. I would like to know if there is some kind of software that I can download so that I can stop my clients from doing malicious activities, or at least notify me before my provider threatens me.

I have seen some things like Snort, NodeWatch and VPSmon, but none of them 'control' VPS machines to stop them from port scanning.

Any help here would be far more than appreciated.

Edit: I am not trying to stop people from the outside from port scanning me, but people from the inside from port-scanning the internet, i.e. my clients doing malicious activities :)

Stacknerd

3 Answers

Outbound ACLs

At your firewall, configure outbound ACLs so your users can only consume the services on the Internet that you allow.

I imagine that an outbound rule for HTTP and HTTPS with any>any would be fine. DNS would be consumed internally (an assumption on my part), and that would probably solve your problem.

Citizen
  • My clients are VPS customers, meaning they can basically do anything themselves. Do you think I could apply firewall limitations on a VPS service? I'm using Linux SolusVM on OpenVZ containers – Stacknerd Jan 26 '15 at 01:57
Since you are a VPS provider and I assume your customers get root on their VPS, there is very little you can do on the network stack, since filtering won't block or detect everything and very likely you'll get a lot of false positives. You could configure iptables to filter certain repeating TCP flags in short time-span intervals, log them and use something to send you notifications.

The only other solution I can think of is scanning your customers' filesystems with a rootkit scanner such as https://rootkit.nl/projects/rootkit_hunter.html or similar, looking for known tools. But you might face privacy concerns from your customers.

E. Celis
  • If I configure iptables on the main machine, will it actually block the traffic going to the other VPS machines? – Stacknerd Jan 27 '15 at 16:45
  • No, as I said you can set up iptables to filter and log only specific TCP flags. Look here for an [example](https://rmohan.com/?p=957). Of course you'll need to spend some time fine-tuning the ruleset and dealing with some complaints. – E. Celis Jan 27 '15 at 21:51
Using something called psad, it is now blocking port scans. psad checks the logs and you can set danger levels, for example: 15 scans = level 1, 50 scans = level 2, etc., and get notified at a certain level of danger.

If you have any problems with port scanning, I highly recommend looking at psad: http://cipherdyne.org/psad/

It does the intrusion detection automatically, and you don't need to go and change things in iptables, as it takes care of this itself.

Thanks to @ecelis for his comment, as it brought me towards this discovery.

Stacknerd
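The two ideas above, E. Celis's "log specific TCP flags from iptables and notify" and the danger-level scheme of psad, in one added example. This is not code from the answers or from psad itself: it parses constructed iptables LOG lines, counts the distinct host:port pairs each container (source IP) probes with a bare SYN inside a 60-second window, and maps that count to a danger level. The `OUT-SCAN:` log prefix, the host name, the IPs, the log lines and the thresholds are all assumptions or constructed sample data, chosen to echo the "15 scans = level 1, 50 = level 2" example; psad's real thresholds live in its psad.conf and are not reproduced here.

```python
"""Toy outbound port-scan detector in the spirit of psad: count distinct
host:port targets probed per source within a window, rank by danger level.
Added example, not psad's code; thresholds and data are illustrative."""
import re
from collections import defaultdict

# TCP flag tokens printed by the iptables LOG target.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# Illustrative thresholds (distinct targets within WINDOW seconds -> level);
# assumed values, not psad's defaults.
DANGER_LEVELS = [(15, 1), (50, 2), (200, 3)]
WINDOW = 60  # seconds

# "OUT-SCAN:" is an assumed --log-prefix; syslog has no year in the timestamp.
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) "
    r"\S+ kernel: .*?OUT-SCAN: (?P<rest>.*)$"
)
MONTHS = {n: i for i, n in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_line(line):
    """Return (seconds, src, (dst, dport), flags) for a TCP LOG line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:                    # KEY=VALUE pairs (SRC=, DST=, DPT=, ...)
            k, _, v = tok.partition("=")
            fields[k] = v
        elif tok in TCP_FLAGS:            # bare flag tokens such as "SYN" or "ACK PSH"
            flags.add(tok)
    if fields.get("PROTO") != "TCP":
        return None
    # A monotonic day-of-year offset is enough for comparing times within a window.
    secs = ((MONTHS[m.group("mon")] * 31 + int(m.group("day"))) * 86400
            + int(m.group("h")) * 3600 + int(m.group("m")) * 60 + int(m.group("s")))
    return secs, fields["SRC"], (fields["DST"], int(fields["DPT"])), flags


def is_probe(flags):
    """A bare SYN (no ACK) is a fresh connection attempt; replies and data are not."""
    return "SYN" in flags and "ACK" not in flags


def danger_level(count):
    """Highest level whose threshold the count reaches; 0 if none."""
    level = 0
    for threshold, lvl in DANGER_LEVELS:
        if count >= threshold:
            level = lvl
    return level


def scan_report(lines):
    """Map each source IP to (max distinct targets in any WINDOW, danger level)."""
    events = defaultdict(list)            # src -> [(secs, (dst, dport))]
    for line in lines:
        parsed = parse_line(line)
        if parsed and is_probe(parsed[3]):
            events[parsed[1]].append((parsed[0], parsed[2]))
    report = {}
    for src, evs in events.items():
        evs.sort()
        seen = defaultdict(int)           # target -> hits inside the sliding window
        best = left = 0
        for t, target in evs:
            seen[target] += 1
            while t - evs[left][0] > WINDOW:   # evict probes older than WINDOW
                old = evs[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            best = max(best, len(seen))
        report[src] = (best, danger_level(best))
    return report


def alerts(report, min_level=1):
    """Sources worth notifying the operator about, highest level first."""
    return sorted(((src, lvl) for src, (_, lvl) in report.items() if lvl >= min_level),
                  key=lambda x: -x[1])


# --- constructed sample log (not real traffic) ---
def log_line(ts, src, dst, dpt, flags):
    return (f"Jan 27 {ts} vzhost kernel: [1234.5678] OUT-SCAN: IN=venet0 OUT=eth0 "
            f"SRC={src} DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP "
            f"SPT=40000 DPT={dpt} WINDOW=29200 RES=0x00 {flags} URGP=0")

SAMPLE = (
    # container 10.0.0.5 walks 20 ports on one host in twenty seconds: a scan
    [log_line(f"16:45:{i:02d}", "10.0.0.5", "203.0.113.9", 1 + i, "SYN") for i in range(20)]
    # its established-session traffic must not be counted as probes
    + [log_line("16:45:30", "10.0.0.5", "203.0.113.9", 22, "ACK PSH")]
    # container 10.0.0.7 opens three ordinary HTTPS sessions: normal
    + [log_line(f"16:46:{i:02d}", "10.0.0.7", f"198.51.100.{i}", 443, "SYN") for i in range(3)]
    # a UDP line and an unrelated syslog line are ignored
    + ["Jan 27 16:46:10 vzhost kernel: OUT-SCAN: IN=venet0 OUT=eth0 SRC=10.0.0.7 "
       "DST=198.51.100.53 PROTO=UDP SPT=5000 DPT=53 LEN=40",
       "Jan 27 16:46:11 vzhost sshd[123]: Accepted publickey for root"]
)

if __name__ == "__main__":
    for src, lvl in alerts(scan_report(SAMPLE)):
        print(f"notify: {src} reached danger level {lvl}")
```

Feeding it the sample flags 10.0.0.5 at level 1 and leaves 10.0.0.7 alone. The lines it expects are what a host-side rule such as `iptables -A FORWARD -i venet0 -p tcp --syn -j LOG --log-prefix "OUT-SCAN: "` would write to the kernel log (assuming, as on OpenVZ with venet, that container traffic traverses the host's FORWARD chain); counting only bare SYNs, and distinct targets rather than raw packet counts, is what keeps a single busy but legitimate HTTPS client from tripping the levels.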