Port Scanner
A port scanner probes a target host or network to discover which TCP/UDP ports are open, filtered, or closed, mapping the attack surface before exploitation. Attackers use port scanning as a reconnaissance step to identify running services and potential entry points. While legitimate administrators use scanners for auditing, unsolicited scans are a strong indicator of hostile intent.
🔍 Indicators
- Sequential or random probes to many ports from a single source IP in a short window
- High volume of TCP SYN packets without corresponding ACK completions (SYN scan / half-open)
- ICMP echo requests or UDP datagrams sent to a wide range of ports
- Rapid connections to well-known service ports (22, 80, 443, 3389) in burst patterns
- Source IP appearing in threat-intelligence blocklists (Shodan, Censys crawlers or malicious actors)
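The second indicator above, many SYNs from one source that never turn into completed handshakes, can be checked offline from packet or flow records. The following is an added example for this page, not code from ipfyi.com: it consumes (timestamp, src, dst, dport, flags) tuples as a capture or flow tool would export them, assumes all tuples are inbound packets (the client side of each handshake), and flags sources that opened many targets with a bare SYN but sent the third-step ACK to almost none of them. The sample traffic is constructed; the completion-ratio threshold is an assumed tuning value, while the target count of 20 mirrors the Snort rule further down the page.

```python
"""Half-open (SYN) scan heuristic over a constructed packet sample.

Added example for this page, not code from ipfyi.com. It does not capture
traffic; it consumes (timestamp, src, dst, dport, flags) tuples as a capture
or flow tool would export them, with flags written as a TCP flag string
("S", "A", "R", "SA", "PA"). All packets are assumed to be inbound to the
monitored hosts, i.e. the client side of each handshake.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SourceState:
    syn_targets: set = field(default_factory=set)  # (dst, dport) pairs that received a bare SYN
    completed: set = field(default_factory=set)    # pairs where the source later sent an ACK


def track_handshakes(packets):
    """Per-source bookkeeping: which (dst, dport) targets got a SYN, and which
    of those were followed by the client's ACK (third step of the handshake)."""
    state = defaultdict(SourceState)
    for _ts, src, dst, dport, flags in packets:
        key = (dst, dport)
        s = state[src]
        if "S" in flags and "A" not in flags:
            s.syn_targets.add(key)          # SYN without ACK: a connection attempt
        elif "A" in flags and "S" not in flags and key in s.syn_targets:
            s.completed.add(key)            # ACK after our SYN: handshake finished
        # A RST from the client (a SYN scan tearing down the half-open socket)
        # is deliberately ignored: it is the absence of the ACK that matters.
    return state


def half_open_sources(packets, min_targets=20, max_completion_ratio=0.2):
    """Return sources that opened at least min_targets (dst, dport) pairs with
    SYN but completed a handshake on at most max_completion_ratio of them.
    min_targets mirrors the count of 20 in this page's Snort rule; the ratio
    is an assumed tuning value, not taken from the page."""
    suspects = {}
    for src, s in track_handshakes(packets).items():
        targets = len(s.syn_targets)
        if targets < min_targets:
            continue
        done = len(s.completed)
        if done / targets <= max_completion_ratio:
            suspects[src] = {
                "syn_targets": targets,
                "completed": done,
                "half_open": targets - done,
            }
    return suspects


def constructed_sample():
    """Constructed traffic, not a real capture: one scanner, one normal client."""
    pkts, t = [], 0.0
    # 203.0.113.42 SYN-scans 30 ports on 10.0.0.1: SYN, then RST once the
    # SYN/ACK comes back, never the final ACK.
    for port in range(1, 31):
        pkts.append((t, "203.0.113.42", "10.0.0.1", port, "S"))
        pkts.append((t + 0.001, "203.0.113.42", "10.0.0.1", port, "R"))
        t += 0.01
    # 198.51.100.7 opens full connections to 443 and 80 and then sends data.
    for port in (443, 80):
        pkts.append((t, "198.51.100.7", "10.0.0.1", port, "S"))
        pkts.append((t + 0.05, "198.51.100.7", "10.0.0.1", port, "A"))
        pkts.append((t + 0.06, "198.51.100.7", "10.0.0.1", port, "PA"))
        t += 1.0
    return pkts


if __name__ == "__main__":
    for src, info in half_open_sources(constructed_sample()).items():
        print(f"{src}: {info['half_open']} half-open of {info['syn_targets']} targets")
```

Because the check keys on (dst, dport) pairs rather than on raw packet counts, a legitimate client that retransmits its SYN a few times to one slow service does not inflate its target count, whereas a sweep across many ports does.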
🛡 Detection Methods
Firewall / iptables rate-limit detection
# Log and drop sources sending more than 20 new connections per second
iptables -A INPUT -p tcp --syn -m limit --limit 20/s --limit-burst 50 -j ACCEPT
iptables -A INPUT -p tcp --syn -j LOG --log-prefix "PORT_SCAN: "
iptables -A INPUT -p tcp --syn -j DROP
tcpdump capture
# Capture SYN-only packets (half-open scan signature)
tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack == 0'
Snort / Suricata rule
alert tcp any any -> $HOME_NET any \
(msg:"SCAN nmap SYN sweep"; flags:S; threshold:type threshold, track by_src, count 20, seconds 2; sid:1000001;)
Fail2ban jail (SSH scan detection)
[portscan]
enabled = true
filter = portscan
logpath = /var/log/syslog
maxretry = 5
findtime = 60
bantime = 3600
Log pattern to watch
PORT_SCAN: IN=eth0 SRC=203.0.113.42 DST=10.0.0.1 PROTO=TCP DPT=22 SYN
PORT_SCAN: IN=eth0 SRC=203.0.113.42 DST=10.0.0.1 PROTO=TCP DPT=23 SYN
PORT_SCAN: IN=eth0 SRC=203.0.113.42 DST=10.0.0.1 PROTO=TCP DPT=80 SYN
✅ Mitigation
- Deploy a stateful firewall — Drop unsolicited inbound packets to ports that are not in active use; default-deny is the gold standard.
- Rate-limit new connections — Use iptables --limit or nftables rate rules to throttle new TCP SYN packets per source IP.
- Enable port-knocking or single-packet authorisation (SPA) — Hide administrative ports (SSH, RDP) entirely until a secret knock sequence is received.
- Integrate threat-intelligence feeds — Block known scanner IP ranges (Shodan, Censys, malicious ASNs) via an automated blocklist updated daily.
- Install an IDS/IPS — Snort or Suricata with scan-detection rulesets will alert on sweep patterns in real time.
- Audit open ports regularly — Run nmap -sV localhost or ss -tlnp from inside to ensure only intended ports are exposed.
- Log and alert — Forward firewall logs to a SIEM; alert when any single IP contacts more than 10 distinct ports within 60 seconds.
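The "Log pattern to watch" lines above and the last mitigation item (alert when one IP contacts more than 10 distinct ports within 60 seconds) fit together: the iptables LOG rule emits the PORT_SCAN lines, and a small consumer can apply the sliding-window rule before the logs reach a SIEM. The following is an added example for this page, not code from ipfyi.com. It assumes the rsyslog-style prefix "Mar  3 12:00:01 gw kernel: " in front of each PORT_SCAN line (the page shows only the kernel message part), and the sample log lines are constructed.

```python
"""Distinct-port sweep detector over iptables PORT_SCAN log lines.

Added example for this page, not code from ipfyi.com. It reads the
"PORT_SCAN:" lines the page's iptables LOG rule produces and raises an alert
when one source contacts more than 10 distinct destination ports within 60
seconds (the page's suggested SIEM rule). The syslog prefix
("Mar  3 12:00:01 gw kernel: ") is an assumed rsyslog-style prefix; the
sample lines below are constructed, not captured.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?:\[[^\]]*\] )?PORT_SCAN: .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, src_ip, dport) for a PORT_SCAN line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year-less syslog stamp
    return ts, m.group("src"), int(m.group("dpt"))


def detect_sweeps(lines, max_ports=10, window_s=60):
    """Sliding-window count of distinct destination ports per source.
    Alerts once per source, the first time it exceeds max_ports distinct
    ports within window_s seconds. Returns a list of (src, n_ports, ts)."""
    history = defaultdict(deque)   # src -> deque of (ts, dport), oldest first
    alerted, alerts = set(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # not a PORT_SCAN line
        ts, src, dpt = rec
        q = history[src]
        q.append((ts, dpt))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()             # evict entries that fell out of the window
        distinct = {p for _, p in q}
        if len(distinct) > max_ports and src not in alerted:
            alerted.add(src)
            alerts.append((src, len(distinct), ts))
    return alerts


SCAN_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080]  # 11 ports


def _line(hms, src, dpt):
    """Build one constructed log line in the assumed syslog + PORT_SCAN format."""
    return (f"Mar  3 {hms} gw kernel: PORT_SCAN: IN=eth0 SRC={src} DST=10.0.0.1 "
            f"PROTO=TCP DPT={dpt} SYN")


# Constructed log: a fast sweep, a busy but legitimate client, a slow sweep
# that stays under the threshold, and one unrelated syslog line.
SAMPLE_LOG = (
    [_line(f"12:00:{i:02d}", "203.0.113.42", p) for i, p in enumerate(SCAN_PORTS)]   # 11 ports in 11 s
    + [_line(f"12:00:{i * 5:02d}", "198.51.100.7", 443) for i in range(12)]           # 12 hits, one port
    + [_line(f"12:{i:02d}:30", "192.0.2.9", p) for i, p in enumerate(SCAN_PORTS)]     # one port per minute
    + ["Mar  3 12:01:00 gw sshd[812]: Accepted publickey for ops from 198.51.100.7"]  # unrelated line
)


if __name__ == "__main__":
    for src, n, ts in detect_sweeps(SAMPLE_LOG):
        print(f"ALERT {ts:%H:%M:%S} {src} touched {n} distinct ports within 60 s")
```

The slow source in the sample (one port per minute) never has more than two ports inside any 60-second window, which is exactly the evasion the Stuxnet note below describes; lowering max_ports or widening window_s trades that blind spot against more noise from busy legitimate clients.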
📋 Real-World Examples
2010 — Stuxnet reconnaissance phase: Before Stuxnet's payload was delivered to Iranian nuclear facilities, infected workstations performed internal network scans to locate Siemens Step 7 SCADA systems on non-standard ports. The scanning was specifically designed to stay below IDS thresholds.
2016 — Mirai botnet pre-infection scanning: The Mirai malware conducted mass internet-wide TCP SYN scans on port 23 (Telnet) and port 2323 to discover IoT devices with default credentials. Within 20 minutes of a device joining a compromised network, Mirai scanners would locate it and attempt infection.