The term Scanners refers to software on external hosts that performs reconnaissance activity which can include probes, domain scans and password brute force attempts. cOS Core provides the ability to recognize the IPs or networks known for such activity, drop the connection and blacklist the associated IPs so future connection attempts are dropped as well.
Scanner protection is set up with the following steps:
Enable the single Scanner Protection object which is predefined in the cOS Core configuration.
Specify the interface or interfaces that are to be protected.
When enabled, the scanner protection subsystem functions as follows:
When a connection is initiated on any of the listed interfaces, the source IP is looked up in the blacklist. If it is blacklisted, the connection is dropped.
If not blacklisted, the source IP is looked up in the IP reputation database. If the IP is categorized as being a scanner IP and has a reputation score of 10 or less, the connection is silently dropped and the IP is added to the blacklist so that any future connections from that IP will be dropped.
The IP reputation lookup mechanism is discussed further in Section 7.2, IP Reputation.
Generated Log Messages
Like similar threat prevention objects, the Scanner Protection object only generates a log event message when it triggers and an IP is added to the blacklist. A typical message will have the following form:
BLACKLIST prio=2 id=04600006 rev=4 event=host_blacklisted reason="Scanner Protection" proto=all srcnet=203.0.113.5 dstnet=0.0.0.0/0 port=all
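The following is an added example, not part of the cOS Core documentation or product: it parses log lines in the BLACKLIST message form shown above, collects the srcnet values that Scanner Protection has blacklisted, and checks whether a given source IP falls inside one of them, mirroring the blacklist lookup described in the processing flow. The sample log lines, their IP addresses and the third non-matching line are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log text in the cOS Core key=value form; the addresses and the
# third (unrelated) line are made up for this example.
SAMPLE_LOG = """\
BLACKLIST prio=2 id=04600006 rev=4 event=host_blacklisted reason="Scanner Protection" proto=all srcnet=203.0.113.5 dstnet=0.0.0.0/0 port=all
BLACKLIST prio=2 id=04600006 rev=4 event=host_blacklisted reason="Scanner Protection" proto=all srcnet=198.51.100.77 dstnet=0.0.0.0/0 port=all
CONN prio=6 id=00600001 rev=1 event=conn_open proto=TCP srcnet=192.0.2.10
"""

# key=value pairs; a value is either a double-quoted string (may contain spaces)
# or a run of non-whitespace characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_cos_log_line(line):
    """Split one log line into (category, {key: value}); quotes are stripped from values."""
    category, _, rest = line.strip().partition(" ")
    fields = {}
    for key, raw in KV_RE.findall(rest):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return category, fields


def scanner_blacklist_events(log_text):
    """Return the srcnet values of host_blacklisted events raised by Scanner Protection."""
    hosts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        category, f = parse_cos_log_line(line)
        if (category == "BLACKLIST" and f.get("event") == "host_blacklisted"
                and f.get("reason") == "Scanner Protection" and "srcnet" in f):
            hosts.append(f["srcnet"])
    return hosts


def is_blacklisted(src_ip, blacklisted_nets):
    """True if src_ip lies inside any srcnet learned from the log (the first check in the flow)."""
    addr = ip_address(src_ip)
    return any(addr in ip_network(net, strict=False) for net in blacklisted_nets)


if __name__ == "__main__":
    nets = scanner_blacklist_events(SAMPLE_LOG)
    print("blacklisted by Scanner Protection:", nets)
    print("192.0.2.10 blocked:", is_blacklisted("192.0.2.10", nets))
```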
Example 7.5. Enabling Scanner Protection
This example enables scanner protection on the WAN interface.
Command-Line Interface
Device:/> set ScannerProtection EnableScannerBlacklist=Yes Interfaces=WAN
InControl
Follow similar steps to those used for the Web Interface below.
Web Interface