Port Scan firewall block for repeated scan of port 3702
I have one customer who keeps getting blocked for port scanning [PS_LIMIT]. In /var/log/messages, I see repeated scans (a bunch within a few seconds) from their device on my server port 3702 (via TCP). I have unblocked them several times but they keep getting temp blocked and it eventually converts to a perm block and must be manually removed. I have no idea if their device has malware on it or if scanning of port 3702 is valid in some circumstance. I read that it's used by Windows for local network discovery, but I wouldn't think that would be directed at my web server. The customer has been with us for a while and this just started recently. I haven't made any changes to my server other than the normal automatic updates that occur occasionally.
My CSF Firewall settings for Port Scanning are:
PS_INTERVAL = 60
PS_LIMIT = 20
PS_PORTS=0:65535,ICMP
Has anyone seen this type of issue before, or have any knowledge about why a client device might scan port 3702 on the server repeatedly?
Thanks!
Hello, for issues like this a qualified system administrator would be the best route. If you do not have a system administrator, you may be able to find assistance at System Administration Services.
Maybe a bit late, but would this work?
PS_PORTS=0:3701,3703:65535,ICMP
I guess it would leave 3702 open to abuse though. Alternatively, you could add the client IP to CSF's allow list, but again, if they have malware, it would leave you wide open again. The real answer is to have them scan their PCs and try to source the culprit, but I know how difficult this would be from your end.
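A triage sketch for the situation in this thread, added here as an example and not code from any poster or from CSF: it counts logged firewall blocks per source in a sliding PS_INTERVAL window and reports whether they all hit one port (as with 3702 here) or spread across many. The log lines are constructed in the usual iptables LOG layout, the year is assumed, and the windowing only approximates lfd's own tracking.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

PS_INTERVAL = 60  # seconds, from the settings quoted in the post
PS_LIMIT = 20     # blocks tolerated per window, from the same settings

# Standard iptables LOG fields; ICMP lines carry no DPT, so it is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: .*?DPT=(?P<dpt>\d+))?")

def parse(lines, year=2024):
    """Yield (time, source IP, 'PROTO/port') per firewall log line.
    Syslog timestamps carry no year, so one is assumed."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], f"{m['proto']}/{m['dpt'] or '-'}"

def summarize(lines):
    """Per source: peak blocks in any PS_INTERVAL window and the port spread.
    Assumption: a source is flagged when the peak exceeds PS_LIMIT."""
    hits = defaultdict(list)
    for ts, src, port in parse(lines):
        hits[src].append((ts, port))
    report = {}
    for src, events in hits.items():
        events.sort()
        peak = start = 0
        for end, (ts, _) in enumerate(events):
            while (ts - events[start][0]).total_seconds() > PS_INTERVAL:
                start += 1
            peak = max(peak, end - start + 1)
        ports = Counter(port for _, port in events)
        report[src] = {"peak": peak, "over_limit": peak > PS_LIMIT,
                       "ports": dict(ports), "single_port": len(ports) == 1}
    return report

def sample(src, dpt, count):
    """Constructed log lines (documentation IPs), three hits per second."""
    return [f"Mar  4 10:15:{i // 3:02d} web1 kernel: Firewall: *TCP_IN Blocked* "
            f"IN=eth0 OUT= SRC={src} DST=203.0.113.10 LEN=52 PROTO=TCP "
            f"SPT={40000 + i} DPT={dpt} SYN" for i in range(count)]

SAMPLE = sample("198.51.100.7", 3702, 24) + [
    line for p in (22, 23, 3389) for line in sample("192.0.2.55", p, 1)]

if __name__ == "__main__":
    for src, info in summarize(SAMPLE).items():
        print(src, info)
```

A source that is over the limit with `single_port` true is repeating one connection attempt rather than sweeping ports, which narrows what to ask the customer to look for on their device.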