You will always see constant scanning; it's inevitable. With all the automated scanners out there now, it's going to happen.
Depending on how you have your firewall set up, it really depends on what services you have running behind that firewall. Once you open up that layer to be exposed, another attack vector is exposed. Are you mitigating those risks, or simply looking at the hardware supposedly preventing people from scanning your network? Once the "information gathering" is done, then it's on to what's exposed through your firewall.

You also need to look into OS-layer security once the traffic is passed through the firewall. You can't rely on just one layer at the gateway/firewall to protect your whole network. Look into locking down different services; look up best security practices for them. You definitely should start reading up on web application security (if your network is configured this way).

Also, as far as pf goes, look into creating synproxy state rules for your firewall and whatever services/ports you allow through. You wouldn't want to leave these rules enabled by default, but when you're under, say, a DDoS attack they come in handy. Look into pf rate limiting: monitor how many connections you receive on an hourly basis and set up your firewall rules to "rate limit" these connections to different services on your LAN. (This also helps in DoS situations.) This is all assuming you're running web, mail, DNS etc. Tailor it to your needs.

(I know this is an OpenBSD list) but I have a few Linux boxes I run OSSEC on, and it works great for the hack attempts ONCE the traffic has passed through the firewall. It uses active response features and rule sets to create iptables and host-deny rules to block the offender. If a common web attack is detected, like a SQLi attempt, that IP's traffic is dropped (for as long as I've got the active response features set to block them). Hence, this is ALL after traffic has been allowed through your firewall. I think you get my point. Bottom line is, there is no sure-fire way to just "prevent" it unless you do your research and learning.
Do a minor penetration test on your network so you can see what kind of information your system(s) is throwing out, and start from there. Best of luck, and don't hesitate to ask questions.

-- 
Michael D. Wood
www.itsecuritypros.org

Daniel Bertrand <danieljamesbertr...@me.com> wrote:
> Hello,
>
> Thanks for providing such great software. It really is much appreciated.
>
> I was wondering what your stance is about the constant hack attempts on
> machines on our ISP networks.
>
> I see CONSTANT scanning for ports from all over the world, mostly from Italy,
> Russia, and China.
>
> Every firewall/router product that I have purchased has been compromised so
> far.
>
> Is there really a secure, trustworthy adaptive filtering firewall
> configuration for each OS configuration out there?
>
> Most people who are on the net are completely oblivious and helpless when it
> comes to this constant trolling for access; they have no idea what to do to
> secure their machines.
>
> Shaw has neglected me and left me for dead when I ask for better control and
> protection from malicious attackers.
>
> What do I do to make sure I don't spend money on new hardware but get a PF
> configuration that I can trust besides "block in all"?
>
> Are there published rulesets for Mac/Windows etc. that we can just drop into
> our pf.conf and /etc/pf.anchors/ directory?
>
> Regards,
>
> Dan
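As an added illustration of the pf features mentioned in the reply above (per-source rate limiting with an overload table, a table an external detector can feed, and synproxy state kept aside for emergencies), here is a pf.conf fragment. It is example code written for this page, not from either poster; the interface name em0, the addresses (RFC 5737 documentation ranges), the anchor name ddos and the file /etc/pf.ddos.conf are all hypothetical.

```pf
# Added example, not from the original posts. pf.conf fragment for an
# OpenBSD gateway in front of a web server and a mail server.
# Interface name and addresses are hypothetical (RFC 5737 ranges).
ext_if = "em0"
web_srv = "192.0.2.10"
mail_srv = "192.0.2.11"

# Sources that tripped a rate limit, or that a host-based IDS on the
# server side (OSSEC-style active response) asked us to block.
# "persist" keeps the table even while it is empty.
table <bruteforce> persist

set skip on lo

# Default deny: nothing comes in unless a later rule allows it.
block in log all
pass out quick keep state

# Drop anything from a blocked source before any pass rule is consulted.
block in quick on $ext_if from <bruteforce>

# Web: one source may hold at most 100 states and open at most 15 new
# connections per 5 seconds; exceeding either puts it into <bruteforce>,
# and "flush global" tears down every state it already holds.
pass in on $ext_if proto tcp to $web_srv port { 80 443 } flags S/SA keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)

# Mail: SMTP rarely needs more than a few new connections per minute
# from one source, so the rate is tighter.
pass in on $ext_if proto tcp to $mail_srv port 25 flags S/SA keep state (max-src-conn-rate 10/60, overload <bruteforce> flush global)

# Emergency anchor, normally empty. During a SYN flood, load a rule into
# it that replaces "keep state" with "synproxy state" for the affected
# service, e.g. a file /etc/pf.ddos.conf containing:
#   pass in on em0 proto tcp to 192.0.2.10 port { 80 443 } flags S/SA synproxy state (max-src-conn 100, max-src-conn-rate 15/5, overload <bruteforce> flush global)
# loaded with:    pfctl -a ddos -f /etc/pf.ddos.conf
# and cleared afterwards with:    pfctl -a ddos -F rules
# pf uses last-matching-rule semantics, so while the anchor holds a
# matching rule it overrides the ordinary pass rule above; when it is
# empty, the ordinary rule applies and pf is not proxying handshakes.
anchor "ddos"
```

To use the same table from a detector running on the server (the role OSSEC plays on the Linux boxes described above), the detector only needs to run `pfctl -t bruteforce -T add 203.0.113.7` (constructed address) on the gateway, and `pfctl -t bruteforce -T show` lists who is currently blocked. Entries added by overload or by hand never expire on their own, so a cron job running `pfctl -t bruteforce -T expire 86400` releases sources that have been quiet for a day; without it the table only ever grows.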