## Introduction

Port scanning is often the first phase of an attack. When IDS/IPS systems detect scanning activity, immediate investigation is needed to determine whether this is reconnaissance or just misconfigured monitoring.

## Symptoms

- IDS alert: "ET SCAN Potential SSH Scan"
- Firewall logs showing connection attempts to many ports
- Same source IP hitting multiple services
- Alert from fail2ban: "Ban <ip>"
- Unusual traffic patterns in network monitoring

## Common Causes

- External attacker reconnaissance
- Misconfigured vulnerability scanner
- Internal service discovery tool
- IoT device scanning the network
- Cloud provider health check scanning

## Step-by-Step Fix

1. **Investigate the source IP**:

   ```bash
   whois <source-ip>
   # Check if it's a known scanner (the AbuseIPDB API needs an API key in the Key header)
   curl -s -G https://api.abuseipdb.com/api/v2/check \
     --data-urlencode "ipAddress=<source-ip>" \
     -H "Key: <abuseipdb-api-key>" -H "Accept: application/json"
   ```

2. **Block the IP at the firewall**:

   ```bash
   iptables -A INPUT -s <source-ip> -j DROP
   # Or at the cloud provider (a network ACL entry must be marked ingress or egress)
   aws ec2 create-network-acl-entry --network-acl-id <acl-id> --ingress \
     --rule-number 100 --protocol -1 --cidr-block <source-ip>/32 --rule-action deny
   ```

3. **Check for successful intrusions**:

   ```bash
   # Check auth logs for successful logins, especially from the scanning host
   grep "Accepted" /var/log/auth.log
   # Check for newly added users (last entries in the password file)
   tail -n 10 /etc/passwd
   ```
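To make step 3 less manual, here is an added Python example (not from the original page) that flags a source IP hitting many distinct destination ports within a sliding window, as the firewall logs in the symptoms describe, and then checks whether that same IP also appears as an accepted sshd login. The log lines, IP addresses and the `FW-IN:` iptables LOG prefix are constructed; the threshold of 10 distinct ports in 60 seconds and the log year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the original page): iptables LOG lines with a
# "FW-IN:" prefix and one sshd auth.log line. Syslog stamps carry no year; 2024 is assumed.
SCANNER, LEGIT, SERVER = "203.0.113.7", "198.51.100.20", "192.0.2.10"
FW_LINES = [f"Jan 10 03:14:{s:02d} gw kernel: FW-IN: IN=eth0 SRC={SCANNER} DST={SERVER} "
            f"PROTO=TCP SPT={40000 + s} DPT={20 + s}" for s in range(15)]     # 15 ports in 15 s
FW_LINES += [f"Jan 10 03:20:{s:02d} gw kernel: FW-IN: IN=eth0 SRC={LEGIT} DST={SERVER} "
             f"PROTO=TCP SPT={50000 + s} DPT=443" for s in range(30)]          # one port, many hits
AUTH_LINES = [
    f"Jan 10 03:16:40 web sshd[2211]: Accepted publickey for deploy from {SCANNER} port 50210 ssh2",
]

FW_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) .*SRC=([\d.]+) .*DPT=(\d+)")
AUTH_RE = re.compile(r"Accepted \w+ for (\S+) from ([\d.]+)")

def detect_scanners(lines, window=timedelta(seconds=60), min_ports=10):
    """Return {src_ip: max distinct destination ports seen within any `window`}
    for sources at or above min_ports; repeated hits on one port never count."""
    events = defaultdict(list)
    for line in lines:
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime("2024 " + m.group(1), "%Y %b %d %H:%M:%S")
            events[m.group(2)].append((ts, int(m.group(3))))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best = start = 0
        for i, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:      # slide the window start forward
                start += 1
            best = max(best, len({p for _, p in evs[start:i + 1]}))
        if best >= min_ports:
            flagged[src] = best
    return flagged

def accepted_logins(lines):
    """Map source IP -> accounts that completed an sshd login from it."""
    logins = defaultdict(list)
    for m in filter(None, map(AUTH_RE.search, lines)):
        logins[m.group(2)].append(m.group(1))
    return dict(logins)

def triage(fw_lines, auth_lines):
    """A scanner that also has an accepted login needs an incident, not just a block."""
    scanners, logins = detect_scanners(fw_lines), accepted_logins(auth_lines)
    return {ip: {"ports": n, "logins": logins.get(ip, [])} for ip, n in scanners.items()}
```

Feed it real lines with `triage(open("/var/log/kern.log").readlines(), open("/var/log/auth.log").readlines())` after adjusting `FW_RE` to your own LOG prefix.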

## Prevention

- Implement port knocking for sensitive services
- Use fail2ban for automatic IP blocking
- Enable IDS/IPS on all network segments
- Regular vulnerability scanning of your own infrastructure
- Network segmentation to limit lateral movement