Tags: security, network-programming, port-scanning

I got a port scan (blocked by kaspersky antivirus on my windows 10 machine)


I got a notification from my Kaspersky antivirus on my Windows 10 machine (which is always on). Apparently, there was a port scan and it was blocked.

User: NT AUTHORITY\SYSTEM
User type: System user
Component: Network Attack Blocker
Result description: Blocked
Name: Scan.Generic.PortScan.TCP
Object: TCP from 104.152.52.xxx at 192.168.0.10:1701
Additional: 192.168.0.10
Databases release date: Yesterday, 1/19/2022 12:34:00 PM
  1. 192.168.0.10 is a virtual machine running Debian; I have UFW on this Debian VM and port 1701 is not in any UFW rule (so it's not allowed).
  2. I have grepped the ports of the Debian VM using: sudo netstat -tulpn | grep 1701 and found nothing.
  3. I assume the port scan has been done on all the machines in my network?
  4. How can I find out where the scan comes from?
  5. What are the consequences? What should I do next?

Solution

  • So from what I understand of what you published, 104.152.52.xxx made a scan. What's odd is how he could effectively reach your machine at 192.168.0.10, so I believe you have port forwarding enabled on your router. (See edit below.)

    I also assume that the IP address of your VM is bound directly to your home network 192.168.0.0/24 (and not to a sub-network on Windows 10). So your router should be accessible at 192.168.0.1 (or sometimes 192.168.0.254).

    Consequences of a scan?

    • Most likely none, unless you have some ports open. Kaspersky blocked 1701, but other ports have probably been scanned as well, so verify the configuration of your router.

    Is it normal?

    • Yes. Every device accessible from internet is constantly scanned. Always.

    What to do next?

    • Make sure no port forwarding is enabled on your router.
    • If port forwarding is enabled and needed, make sure the software behind it is secured and up to date. If you have password access, the password should be strong. If you have an SSH server, deactivate password authentication and activate public-key authentication.

    == EDIT ==

    Another possibility besides port forwarding, which seems to be the answer:
    If the VM is in a DMZ, then all unassigned ports on the router may be (depending on the router) redirected to the VM; therefore, a scan of the public IP address would result in a scan of the VM.
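As an added example (my own script, not part of the question or the answer above), the two checks mentioned in this thread as reusable POSIX shell functions: the "is anything on the VM listening on 1701?" check from the question, reading the output of `ss -tulpn` (the modern replacement for `netstat -tulpn` on Debian), and the "password authentication off, public-key authentication on" recommendation from the answer, reading the output of `sshd -T` (which prints the effective sshd configuration as lowercase `keyword value` lines). The `SAMPLE_SS` and `SAMPLE_SSHD_*` strings are constructed stand-ins for that output so the script runs offline; on the VM itself you would pipe the real commands into the same functions, as shown in the comments.

```shell
#!/bin/sh
# Added example: audit helpers for a Debian VM after a port-scan notification.
# Not from the original question or answer. Assumes `ss` (iproute2) and
# `sshd -T` are available on the VM; the sample outputs below are constructed.

# is_listening PORT
# Reads `ss -tulpn`-style output on stdin. Returns 0 when a TCP socket in
# LISTEN state or a UDP socket in UNCONN state is bound to PORT, 1 otherwise.
# The pattern anchors on ":PORT" followed by whitespace in the local-address
# column, so 1701 does not match 17017 or 51701, and the header line is skipped.
is_listening() {
    port="$1"
    grep -E "^(tcp|udp)[[:space:]]+(LISTEN|UNCONN)[[:space:]].*:${port}[[:space:]]" >/dev/null
}

# sshd_needs_hardening
# Reads `sshd -T` output on stdin. Prints each setting that contradicts the
# answer's recommendation and returns 0 (true) if any was found, 1 if the
# server already disallows password logins, allows public-key logins and
# does not permit direct root password logins.
sshd_needs_hardening() {
    rc=1
    while read -r key value; do
        case "$key" in
            passwordauthentication)
                if [ "$value" = "yes" ]; then
                    echo "passwordauthentication yes: password logins are still enabled"
                    rc=0
                fi ;;
            pubkeyauthentication)
                if [ "$value" = "no" ]; then
                    echo "pubkeyauthentication no: public-key logins are disabled"
                    rc=0
                fi ;;
            permitrootlogin)
                if [ "$value" = "yes" ]; then
                    echo "permitrootlogin yes: root may log in with a password"
                    rc=0
                fi ;;
        esac
    done
    return "$rc"
}

# Constructed sample of `ss -tulpn` on a VM that only runs sshd and a DHCP client.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=612,fd=3))
tcp   LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=612,fd=4))
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=400,fd=6))'

# Constructed samples of `sshd -T` before and after applying the answer's advice.
SAMPLE_SSHD_WEAK='port 22
passwordauthentication yes
pubkeyauthentication yes
permitrootlogin yes'

SAMPLE_SSHD_HARD='port 22
passwordauthentication no
pubkeyauthentication yes
permitrootlogin prohibit-password'

# Demonstration on the constructed samples. On the real VM, replace the
# printf pipelines with:   ss -tulpn | is_listening 1701
# and (as root):           sshd -T | sshd_needs_hardening
if printf '%s\n' "$SAMPLE_SS" | is_listening 1701; then
    echo "something is listening on 1701 (check the process column)"
else
    echo "nothing listens on 1701; the blocked probe was aimed at a closed port"
fi

echo "--- weak sshd configuration ---"
printf '%s\n' "$SAMPLE_SSHD_WEAK" | sshd_needs_hardening || echo "(no findings)"
echo "--- hardened sshd configuration ---"
printf '%s\n' "$SAMPLE_SSHD_HARD" | sshd_needs_hardening || echo "(no findings)"
```

The listening check only tells you whether a service on the VM could have answered the probe; it says nothing about how the probe reached the VM, which is the router-side question (port forwarding or DMZ) the answer raises. Because `sshd -T` reports the effective values after all `Include` and `Match` processing, checking it is more reliable than grepping `/etc/ssh/sshd_config` by hand.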