@winguse
Last active November 30, 2023 04:54
A very strict port-scan blocking script, ref: https://github.com/EtherDream/anti-portscan/tree/master
#!/usr/bin/env bash
# Trap port scanners: a SYN to any port outside the public-port whitelist puts
# the source IP into scanner-ip-set for IP_DENY_SECOND seconds.
PORT_SCAN_MAX=1        # a trapped IP loses all access once its counter exceeds this
IP_DENY_SECOND=300     # how long a trapped IP stays in the set (ipset timeout)
IP_SET_MAX=1024000     # maximum number of trapped IPs held at once
NET_IF=eth0            # public-facing interface

# Whitelist of ports that are meant to be reachable.
ipset create pub-port-set bitmap:port range 0-65535
ipset add pub-port-set 22
ipset add pub-port-set 80
ipset add pub-port-set 443

# Blacklist of trapped source IPs; entries expire after IP_DENY_SECOND and
# carry packet/byte counters that the --packets-gt rule below reads.
ipset create scanner-ip-set hash:ip \
  timeout $IP_DENY_SECOND \
  maxelem $IP_SET_MAX \
  counters

# trap-scan chain: if the IP is already trapped, drop the packet (the match
# increments the entry's counter); otherwise add the IP to the set, then drop.
iptables \
  -N trap-scan
iptables \
  -A trap-scan \
  -m set --match-set scanner-ip-set src \
  -j DROP
iptables \
  -A trap-scan \
  -j SET \
  --add-set scanner-ip-set src
iptables \
  -A trap-scan \
  -j DROP

# Any SYN to a port outside the whitelist goes to the trap.
iptables \
  -i $NET_IF \
  -A INPUT \
  -p tcp --syn \
  -m set ! --match-set pub-port-set dst \
  -j trap-scan

# DROP every packet from a trapped IP once its counter exceeds PORT_SCAN_MAX,
# whitelisted ports included. "! --update-counters" keeps this read-only so the
# rule does not inflate the counter itself. The "-p tcp --syn" match is left
# commented out on purpose: the drop applies to all traffic, not only SYNs.
# -p tcp --syn \
iptables \
  -i $NET_IF \
  -A INPUT \
  -m set ! --update-counters \
  --match-set scanner-ip-set src \
  --packets-gt $PORT_SCAN_MAX \
  -j DROP

# Non-SYN TCP that belongs to no known connection (ACK/FIN/NULL/Xmas-style
# probes) gets no response at all, so unknown ports cannot be enumerated by
# scans that avoid SYN.
iptables \
  -i $NET_IF \
  -A INPUT \
  -p tcp ! --syn \
  -m conntrack ! --ctstate ESTABLISHED,RELATED \
  -j DROP

# Inserted at the top of INPUT: established connections are always accepted,
# so an existing session survives its peer being trapped later.
iptables \
  -i $NET_IF \
  -I INPUT \
  -m conntrack --ctstate ESTABLISHED,RELATED \
  -j ACCEPT
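An operator running this script will want to see who is currently trapped and which of those IPs has already crossed PORT_SCAN_MAX (and is therefore being dropped on the whitelisted ports too). The helper below is an added example, not part of the gist: it parses the text that `ipset list scanner-ip-set` prints for a `hash:ip` set created with `timeout` and `counters`, and reports each member's packet count, remaining timeout and state. The member-line layout (`<ip> timeout N packets N bytes N`) and the sample addresses are assumptions constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not part of the gist): report the members of scanner-ip-set
# and whether each one has crossed PORT_SCAN_MAX, i.e. whether the
# "--packets-gt" rule in INPUT is now dropping all of its traffic.
# Reads the output of `ipset list scanner-ip-set` on stdin.
PORT_SCAN_MAX=${PORT_SCAN_MAX:-1}

# Print one line per member: "<ip> <packets> <timeout> <state>"
# state is "blocked" once packets > PORT_SCAN_MAX, otherwise "trapped"
# (in the set, non-whitelisted SYNs dropped, whitelisted ports still reachable).
scanner_report() {
  awk -v max="$PORT_SCAN_MAX" '
    /^Members:/ { in_members = 1; next }
    in_members && NF > 0 {
      ip = $1; packets = 0; ttl = "-"
      # member line is "ip key value key value ..."; pick out the two keys we need
      for (i = 2; i < NF; i++) {
        if ($i == "packets") packets = $(i + 1)
        if ($i == "timeout") ttl = $(i + 1)
      }
      state = (packets + 0 > max + 0) ? "blocked" : "trapped"
      print ip, packets, ttl, state
    }'
}

# Only the IPs whose counter is already over the limit.
blocked_ips() {
  scanner_report | awk '$4 == "blocked" { print $1 }'
}

# Constructed sample in the layout of `ipset list` for a hash:ip set created
# with "timeout" and "counters" (documentation addresses, not real scanners).
SAMPLE_LIST='Name: scanner-ip-set
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 1024000 timeout 300 counters
Size in memory: 472
References: 2
Number of entries: 2
Members:
198.51.100.7 timeout 287 packets 3 bytes 180
203.0.113.5 timeout 120 packets 1 bytes 60'

# Live use on the host running the gist script (needs root):
#   ipset list scanner-ip-set | scanner_report
printf '%s\n' "$SAMPLE_LIST" | scanner_report
```

With PORT_SCAN_MAX=1 the sample prints 198.51.100.7 as `blocked` (3 counted hits) and 203.0.113.5 as `trapped` (1 hit, still below the limit); the `timeout` column shows how many seconds remain before ipset expires the entry.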