I've installed this new firewall and it keeps telling me about these port scan attacks.
It seems to block them and I can back trace to see where they come from, or some of them I can anyway.

What should I do make a complaint?

role: Modem and DSL Team
address: Energis UK
address: Melbourne Street
address: Leeds, LS2 7PS
address: United Kingdom
phone: +44 113 2345100
abuse-mailbox: abuse@energis.com
admin-c: ENIT1-RIPE
tech-c: ENIT1-RIPE
nic-hdl: MADM1-RIPE
remarks: Abuse reports to abuse@energis.com please!
remarks: No actions are taken on abuse reports sent to modem team.
mnt-by: ENERGIS-MNT
source: RIPE # Filtered

% Information related to '81.78.0.0/15AS5388'

route: 81.78.0.0/15
descr: Energis UK

This was a few minutes ago while I was on here?

Nop this site is not on energis net work its pipex and its ip starts 195.*.*.* etc.

Some ISPs, like Zen have an active policy to port scan certian things with their clients and if its found that you are at risk they email you.

have you been downloading music or torrents??? Often firewalls mistake peer to peer connections as port scan attacks.

Nope don't use torrents or download music that much.

OK to answer your question "WTF is a port scan attack"

OK I am going to treat you like a muppet, you may not be, in fact because you have a firewall I know you not to be.

TCP/IP uses defined ports for services.
For a list look at your services file but will look a bit like

tcpmux 1/tcp # TCP port service multiplexer
tcpmux 1/udp # TCP port service multiplexer
rje 5/tcp # Remote Job Entry
rje 5/udp # Remote Job Entry
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users
systat 11/udp users
daytime 13/tcp
daytime 13/udp
qotd 17/tcp quote
qotd 17/udp quote
msp 18/tcp # message send protocol
msp 18/udp # message send protocol
chargen 19/tcp ttytst source
chargen 19/udp ttytst source
ftp-data 20/tcp
ftp-data 20/udp
# 21 is registered to ftp, but also used by fsp
ftp 21/tcp
ftp 21/udp fsp fspd
ssh 22/tcp # SSH Remote Login Protocol
ssh 22/udp # SSH Remote Login Protocol
telnet 23/tcp
telnet 23/udp
# 24 - private mail system
lmtp 24/tcp # LMTP Mail Delivery
lmtp 24/udp # LMTP Mail Delivery
smtp 25/tcp mail
smtp 25/udp mail ad so on

so a port scan is simply a device out on the internet that is sequencing through the port numbers trying to find a hole through your firewalll

Assumming you might run a couple of services for a home based server, you may for instance allow ssh traffic from the net on port 22 or mail on port 25 or pop3 on port 110 etc.

The box out there is simply looking for these holes. once it finds them then they may start to try to find a hole in the application behind the port such as a buffer overflow etc.

Please note ISPs also run checks on their own networks looking for servers that do not conform to their use policy etc. So if you isp does not want you to host services he could do a port scan on every device on his network.

I run a couple of tools on my servers to look for attacks, including port scans, where I detect them I then automatically drop packets that match the offending ip address, therefore having attempted a port scan against me etc then the offending device is prevented from using ports that I have open such as maill/http.

I am please that you use a firewall and even better look at the logs. You would not believe the number of people out there living in blissfull ignorance asssuming they are safe because they have a firewall. Vigilence is the most important part of any security policy

and what to do if you are being port scanned?

Its a bit like having your front door open so people can see into your house. you can't stop them from walking by, but you can stand at the door to make sure you don't let just anybody in...

You can't stop people from trying to port-scan you, but you can make sure that if they try to connect to you that are stopped by the firewall.

and what to do if you are being port scanned?

Its a bit like having your front door open so people can see into your house. you can't stop them from walking by, but you can stand at the door to make sure you don't let just anybody in...

You can't stop people from trying to port-scan you, but you can make sure that if they try to connect to you that are stopped by the firewall.

Not a lot mate sit back and rest easy if you are sure that all your ports are closed off, by default all firewalls that ive come across have their ports closed and some also require rules to forward to various places on the LAN/DMZ?WAN so unless you specifically opened a port the attacker will have a tough job trying to get through.

If you are getting persistant attacks from certain ip address you can run a whois search on the net and send email to the ISP that hosts the IP.

Thanks folks :D

I think it means horrible little men are invading your privacy.

On no wait, you didnt ask "Whats this govt all about" did you?

:lol:

stop downloading porn then :lol: :lol: :lol:

Interesting. Coeincidentally, I'm writing a paper on IP ID header TCP scans at the moment (these are an obscure sort of port scan and you're unlikely to be being attacked by them).

I wouldn't bother complaining about it. Happens all the time anyway, it's just that at least you've got software that tells you it's happening. Most of the hacking comes from countries which we have no sway/control over anyway, so it's not like anything would be done to the person even if they were caught.

Ok, I am a linux type so this is linux specific

I have written a little listener programmer that listens on two deliberately open ports, I use 23 & 25 as on all but my mail server I do not use smtp and never ever use telnet.

If I detect connection to both of these I know there is a port scan going on and add the source to my iptables drop list that I share amongst all my servers.

Even though I am behind a hardware firewall. I run iptables on all my servers just to prevent an attack should an internet exposed server become compromised. You windoze lot ?I would strongly advise you to run software firewalls on your systems as well as your hardware firewalls.

I suppose I could hack my trap software to alert in a windoze environment. Does anyone know if the windoze xp firewall has a CLI or API interface that 3rd party systems can hook into?

My reason for doing this trap is simple. I have servers that must accept connections from the internet, but I don't want to accept connections from sources that are known to me as being dodgy.

I also use an extention of my trap software to parse http log files and where I find delibererate attack attempts, such as buffer overflow url requests I also drop these sources.