Problem solve Get help with specific problems with your technologies, process and projects.

How to block port scan attempts on a public wireless network

Network security expert Anand Sastry explains how to block port scan attempts on a public wireless network at the host level.

I work in a large library and we have two separate networks, one for public access and another that serves as our private internal network. A week or so ago, someone on my public access network ran a port scan that ideally would not be authorized. What would be the best way to prevent public users from initiating a scan on a public computer or notebook connected to the public wireless interface?

Given the very nature of the public wireless network, it is tricky to proactively deal with port scanning attempts.

We can attempt to deal with this at the network level, but having both the system we need to protect and the unauthorized scanning system on the same VLAN makes it difficult to identify a choke point or a tap to deploy proactive network-based detective/preventive capabilities, like a network-based intrusion prevention system (IPS).

Ideally you would want to deal with this at a host level. To clarify, the host here is the system you are trying to protect. Depending on the OS type, there are a few host-based products available that can block port scan attempts. In the Windows world, there are some mature offerings from antivirus companies that feature both a built-in firewall and an IPS. In the Unix/Linux world, an interesting utility to look at is Port Scan Attack Detector (PSAD), which leverages iptable logs and tracks port-scanning attempts. It has the capability to block the source initiating the scan due to its close integration with iptables. Read Eckie Silapaswang's article, which goes over an active blocking deployment scenario with PSAD.

This was last published in June 2010

Dig Deeper on Wireless network security