Linux – Blocking Port Scanners with Iptables Rules

Tags: iptables, linux, nmap, port-scanning

In order to block port scanners on Linux, I have found some iptables rules to block the attacker's IP address.
These rules work correctly: they block the attacker and log the attacker's IP address in the kernel.log file.
The question is, why do these rules block TCP port 139 (NetBIOS) to prevent the attacker? I have gone through the traffic capture, and there is no evidence that nmap starts port scanning with port 139 on TCP.

# 1. A source already on the "portscan" list and seen within the last 86400 s (24 h)
#    is dropped outright, whether the traffic is for this host or forwarded.
iptables -A INPUT   -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# 2. Only packets not dropped above reach here, i.e. sources whose list entry is
#    older than 24 h (or absent), so this clears stale entries.
iptables -A INPUT   -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

# 3. Any TCP packet to port 139 puts the source on the list (--set), is logged
#    with the "portscan:" prefix, and is then dropped by the following rule.
iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A INPUT   -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

Best Answer

NetBIOS is a LAN protocol, not a WAN protocol, and traffic on that port on an internet-facing system is almost always going to be suspect/invalid.

Such traffic can therefore be used as an indication that a remote system is probing random ports on your internet server. The logic that traffic on one single invalid port equals a portscan is a bit flawed though, in my opinion.
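As an added example (not part of the question or the answer above), here is one way to act on the answer's objection: require several hits on a small set of tripwire ports before blocking an address, and summarise the "portscan:" kernel log lines per source so a single stray NetBIOS packet can be told apart from a source that touched several ports. Only the "portscan:" log prefix and the standard iptables LOG field names (SRC=, DPT=) come from the question's rules; the tripwire ports 139, 445 and 1433, the 3-hits-in-60-seconds threshold, the chain names PORTSCAN and PORTSCAN_BLOCK, and the sample log lines are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the original poster's rules. Assumes the "portscan:" LOG
# prefix from the question and the standard iptables LOG field layout. The
# tripwire ports, thresholds and chain names below are constructed choices.

# Print a reworked ruleset that blocks only after repeated tripwire hits.
# Dry run: the commands are printed for review; on a host that runs iptables
# the output could be piped to sh.
emit_tripwire_rules() {
    ports="${1:-139,445,1433}"   # closed ports nothing legitimate should touch (assumed)
    hits="${2:-3}"               # hits needed before an address is blocked
    window="${3:-60}"            # seconds within which those hits must occur
    cat <<EOF
iptables -N PORTSCAN
iptables -N PORTSCAN_BLOCK
# Addresses already confirmed as scanners: drop everything from them for a day.
iptables -A INPUT -m recent --name blocked --rcheck --seconds 86400 -j DROP
# Only new connection attempts (SYN) to the tripwire ports enter PORTSCAN.
iptables -A INPUT -p tcp --syn -m multiport --dports $ports -j PORTSCAN
# Record the hit, then escalate only once $hits hits fall inside $window seconds.
iptables -A PORTSCAN -m recent --name tripwire --set
iptables -A PORTSCAN -m recent --name tripwire --rcheck --seconds $window --hitcount $hits -j PORTSCAN_BLOCK
# Reset rather than drop: a dropped SYN is retransmitted by the client and each
# retransmit would count as a hit, so one stray connection could look like a scan.
iptables -A PORTSCAN -p tcp -j REJECT --reject-with tcp-reset
iptables -A PORTSCAN_BLOCK -m recent --name blocked --set -j LOG --log-prefix "portscan:"
iptables -A PORTSCAN_BLOCK -j DROP
EOF
}

# Summarise "portscan:" log lines per source address: total hits and number of
# distinct destination ports. A source that touched one port once is a stray
# packet; one that touched several ports is behaving like a scanner.
summarise_portscan_log() {
    threshold="${1:-3}"   # distinct ports at which a source is called scan-like
    awk -v thr="$threshold" '
        /portscan:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt == "") next
            hits[src]++
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END {
            for (s in hits)
                printf "%s hits=%d ports=%d %s\n", s, hits[s], ports[s],
                       (ports[s] >= thr ? "scan-like" : "single-port")
        }' | sort
}

# Constructed kernel log lines (documentation address ranges), in the format
# the LOG target produces with the question's "portscan:" prefix.
SAMPLE_LOG='Jan 10 12:00:01 srv kernel: portscan:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=44 PROTO=TCP SPT=40001 DPT=139 SYN
Jan 10 12:00:01 srv kernel: portscan:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=44 PROTO=TCP SPT=40002 DPT=445 SYN
Jan 10 12:00:02 srv kernel: portscan:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=44 PROTO=TCP SPT=40003 DPT=1433 SYN
Jan 10 12:03:15 srv kernel: portscan:IN=eth0 OUT= SRC=198.51.100.23 DST=198.51.100.7 LEN=44 PROTO=TCP SPT=51200 DPT=139 SYN
Jan 10 12:04:40 srv kernel: unrelated message without the prefix'

# Usage: show the proposed rules, then summarise the constructed log.
emit_tripwire_rules
printf '%s\n' "$SAMPLE_LOG" | summarise_portscan_log 3
```

The recent module counts packets per source, not distinct ports, so a source that hits a single tripwire port three times in the window is still blocked; the log summary is the check for whether such a source actually probed several ports or just kept retrying one. The REJECT with a TCP reset keeps the count honest for sources that are not yet blocked, since a silently dropped SYN would be retransmitted several times within the window by any ordinary TCP stack.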
