How to Detect and Block Port Scanning on Your Server

Before an attacker exploits a vulnerability, they need to find it. Port scanning is the first step in almost every attack chain: the attacker probes your server's ports to discover which services are running, what versions they are, and where the weaknesses might be.

A port scan is not an attack in itself, but it is a reliable signal of hostile intent. Legitimate users do not connect to 50 different ports on your server in 10 seconds. Detecting and blocking port scans stops attackers at the reconnaissance phase, before they find anything to exploit.

What is port scanning?

A port scan sends connection requests to a range of ports on your server and observes the responses. An open port means a service is listening. A closed TCP port answers with a reset (RST). A filtered port gives no response at all, usually because a firewall dropped the packet. Tools like nmap, masscan, and zmap automate this at high speed.

Common scan types include SYN scans (half-open connections), connect scans (full TCP handshake), UDP scans, and service version probes. Each leaves a different fingerprint in your firewall and connection logs.

Why attackers scan your ports

  • Service discovery - find SSH, HTTP, databases, admin panels, and other services that might be exploitable.
  • Version fingerprinting - identify specific software versions with known vulnerabilities (CVEs).
  • Attack surface mapping - the more open ports, the more potential entry points.
  • Automated pipelines - botnets scan millions of IPs per day. When they find an open port with a vulnerable service, the exploit runs automatically.

Check if you are being scanned right now

If your server uses ufw or iptables with logging enabled, you can see blocked connection attempts:

grep "BLOCK" /var/log/syslog | tail -20

If you see the same source IP hitting many different destination ports in a short period, that is a port scan. On most public servers, this happens multiple times per hour.

How Inner Warden detects port scans

Inner Warden's sensor includes a port_scan detector that reads firewall logs in real time. It tracks unique destination ports per source IP using a sliding time window.

Detection method: Unique ports per IP in sliding window
Threshold: 15+ unique ports from same IP
Window: 60 seconds
Response: Firewall deny + AbuseIPDB report

The sliding window is key. A single connection to an unusual port is ignored. Fifteen different ports in under a minute is unmistakable reconnaissance. The threshold and window are configurable in your config file.
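As an added example (not Inner Warden's own sensor code), here is the sliding-window logic described above in Python, run over constructed ufw "[UFW BLOCK]" syslog lines: it counts distinct destination ports per source IP inside a 60-second window and raises one alert when an IP reaches the 15-port threshold, while the same number of ports spread over several minutes never fires. The exact log layout, the hostname and the addresses in the sample are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# ufw logs dropped packets to syslog as "[UFW BLOCK] ... SRC=<ip> ... DPT=<port>";
# only the timestamp, SRC and DPT fields matter for port-scan detection.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: \[UFW BLOCK\] .*?"
    r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")

def parse_line(line, year=2024):
    """Return (epoch_seconds, src_ip, dst_port) or None. Syslog omits the year, so one is assumed."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts.timestamp(), m["src"], int(m["dpt"])

class PortScanDetector:
    """Alert once a source IP has hit >= threshold distinct ports within `window` seconds."""
    def __init__(self, threshold=15, window=60):
        self.threshold, self.window = threshold, window
        self.events = defaultdict(deque)  # src -> deque of (ts, dpt), oldest first
        self.flagged = set()

    def observe(self, ts, src, dpt):
        q = self.events[src]
        q.append((ts, dpt))
        while ts - q[0][0] > self.window:  # expire hits older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= self.threshold and src not in self.flagged:
            self.flagged.add(src)  # report once; a sensor would block and report here
            return src, len(distinct)
        return None

def scan_log(lines, threshold=15, window=60):
    det = PortScanDetector(threshold, window)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        hit = det.observe(*ev) if ev else None
        if hit:
            alerts.append(hit)
    return alerts
# Constructed sample log: 203.0.113.7 probes 20 ports in 20 seconds; 192.0.2.9 is one stray hit.
PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 1433, 3306, 3389, 5432, 8080, 8443]
SAMPLE_LOG = [f"Mar  3 10:15:{s:02d} srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 "
              f"PROTO=TCP SPT=4444 DPT={p} SYN" for s, p in enumerate(PORTS, start=1)]
SAMPLE_LOG.insert(5, "Mar  3 10:15:05 srv kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.9 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=22 SYN")
```

Calling `scan_log(SAMPLE_LOG)` returns a single alert for 203.0.113.7 at its 15th distinct port; the stray 192.0.2.9 hit is never reported.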

Real example from production

The IP 198.51.100.33 ran a SYN scan against our production server. Inner Warden caught it in under 8 seconds:

detect: 42 unique ports probed from 198.51.100.33 in 7 seconds
enrich: AbuseIPDB confidence: 96% | GeoIP: Hetzner, DE
decide: AI confidence 0.97 | recommend block-ip-ufw
block: Firewall deny rule added | Telegram alert sent | AbuseIPDB report filed

Set it up

Port scan detection requires firewall logging to be enabled. If you use ufw, logging is on by default. Install Inner Warden and enable IP blocking:

Install:
curl -fsSL https://innerwarden.com/install | sudo bash

Enable blocking:
innerwarden enable block-ip

The port_scan detector is enabled by default when firewall log sources are available. Verify with:

Verify:
innerwarden status

What to do next