Should I worry about port scannings?

[wnvyne]

Hi,

I have openvpn server and mostly I am connected to internet through vpn.I am using it with UDP protocol(rarely TCP) also I sometimes change my UDP port for security. 2-3 weeks ago and last night(184.164.153.218), total, 3 different IP's scanned my UDP ports.After the first scan I started to monitor my router's logs. But I am confused because I saw port scans that they were trying to scan my real IP's port(which is closed I think)(between 26-50x times, don't know exact scan attempt)

How they could know my real IP and UDP protocol? Is it bad thing to happen or this is what they call "internet noise" and don't need to do anything? or there can be leak with my openvpn server setup?(I closed all incoming ports via ip tables and only allowed access from my IP to server)

[sc302 Veteran]

Bots scan all the time. It isn't just you it is everyone on the Internet. Welcome to the beginning of learning what goes on with being jacked in. This is just standard Internet noise as you put it.

[+BudMan MVC]

"3 different IP's scanned my UDP ports."

So you saw some UDP traffic, or they scanned 1 to 65535?

Or a HUGE range? There is a lot of NOISE on the public net, there is a bunch of udp stuff - I don't even bother to log udp stuff anymore, just fills up the logs ;)

[wnvyne]

Thank you for answers. I don't have to worry about then.

I saw some UDP traffic and all 3 ips scanned from some port range to range 5210-5230 for example and they aren't even my UDP port.

I noticed that my vpn server also has ipv6 and disabled it. Also I am thinking of installing pfsense firewall to my home as I don't trust my current router's firewall if it behaves well or not.

[+BudMan MVC]

"they aren't even my UDP port."

Not sure what that is suppose to mean? As stated its noise.

"from some port range to range 5210-5230"

Not sure what that is suppose to mean either, yes the traffic you see would have a source port, this might change or it might be different every time depending on how the traffic is being generated.

As to your routers firewall - so you think your router is letting in traffic you have not forwarded? Behaves well as far as what?

I personally use pfsense, and yes its a great choice for your gateway/firewall solution in home or even large enterprise. But unless your trying to do something your current router does not allow you to do, other than learning there is prob little reason to change.

[wnvyne]

I am sorry, I wasn't clear enough.

"they aren't even my UDP port."

I tried to say that for example, 10.11.12.13:5410 scanned my UDP ports from myip:5210 to myip:5230 ports(5211,5212,5213,5214.......5228,5229,5230) And my UDP port was 2271.

My router brand is zyxel. Today I called their support to ask if a configuration from router is needed or not, to block these scannings, and they said that my router's firewall blocks all unauthorised connections by default and no need to change anything. But for extra security I'll setup pfsense firewall after some research.

[+BudMan MVC]

Well if they had hit a port that you were forwarding, then most likely it wouldn't even be logged. Your router is just logging noise, ie stuff it blocked. Yes pfsense does the same thing. Unless you turn it off, all blocks will be logged.

I created a specific rule at the bottom of my list to block UDP before it gets to the default rule, just so it is not logged.. It fills up the logs all the noise.. I would be more curious to what tcp ports they are trying to hit vs UDP noise, which is most likely p2p traffic stuff.

So I am curious on your pfsense setup, did you put it behind your current router? If so your double natting? Or did you remove your other router, or put it into bridge mode so pfsense gets a public on its wan?

[wnvyne]

Hi

I haven't setup pfsense firewall yet. I am currently searching information about pfsense installation and configuration. I am thinking of buying a mini ITX pc that has two ethernet ports.(found one with reasonable price on internet)

If everything goes alright my configuration will be like this:

My current router >> pfsense firewall >> switch >> wireless router or directly to computer or both

[+BudMan MVC]

So your current router is actually a gateway? it has a modem in it? Your going to put it in bridge mode?

If not what is the point of that in the path?

And when you say wireless router, you mean wireless router used as Acesspoint?

[wnvyne]

If I understand it correct, zyxel's mode is currently Routing and also has bridge mode.(I am adsl user and only with Routing mode I can login to my isp)

"And when you say wireless router, you mean wireless router used as Acesspoint?"

Actually I didn't think about acesspoint.

I don't know if wireless router work as acesspoint or not, so there is no need to take the risk and confusing setup process. Acesspoint will be better for me, right? (ZYXEL WAP3205, LINKSYS WAP610N or something like like these devices?)