Port Scan Detector

Check fail2ban logs, journalctl for auth failures, ss for connection patterns. Detect scanning (many ports from one IP, rapid failed logins). Generate threat brief.

Kingai.work@kingaiwork

Install

openclaw skills install @kingaiwork/port-scan-detector

🛡️ Port Scan Detector — Network Scanning/Intrusion Detection / 端口扫描与入侵检测

Free tier · Enterprise AI Agent upgrades at kingai.work

My Understanding / 我的理解

EN: This skill detects port scanning and brute-force activity by analyzing three data sources: (1) fail2ban logs for banned IPs and jails, (2) journalctl for authentication failures (sshd, sudo, login), and (3) ss for current connection patterns. It identifies three attack patterns: horizontal scanning (many ports from one IP), vertical scanning (same port to many IPs), and rapid failed logins. Output is a threat brief with source IPs, severity ratings, and recommended actions.

CN: 该技能通过分析三个数据源来检测端口扫描和暴力破解活动：（1）fail2ban 日志中的封禁 IP 和监狱状态；（2）journalctl 中的认证失败记录（sshd、sudo、login）；（3）ss 当前的连接模式。它能识别三种攻击模式：水平扫描（同一 IP 扫描多个端口）、垂直扫描（同一端口扫描多个 IP）和快速失败登录。输出为威胁简报，包含源 IP、严重性评级和行动建议。

Design Philosophy / 设计理念

EN: "Three angles, one verdict." A single log source can be misleading — fail2ban may be misconfigured, journalctl entries might be incomplete, and ss only shows current state. By cross-referencing all three, the skill distinguishes real scanning from legitimate traffic (e.g., a load balancer or CDN hitting many ports). Severity scoring weights: 3+ targets from one IP = HIGH, 50+ failed auths in 5 minutes = CRITICAL.

CN： "三个角度，一个判断。" 单一的日志源可能具有误导性 — fail2ban 可能配置错误，journalctl 条目可能不完整，而 ss 仅显示当前状态。通过交叉验证所有三个来源，该技能能够区分真实扫描和合法流量（例如，负载均衡器或 CDN 访问多个端口）。严重性评分权重：一个 IP 攻击 3 个以上目标 = 高，5 分钟内 50 次以上认证失败 = 严重。

Triggers / 触发场景

English	中文
Routine security audit / daily threat check	常规安全审计 / 每日威胁检查
Unexplained server load spike	不明原因的服务器负载飙升
Firewall log shows blocked inbound traffic	防火墙日志显示入站流量被拦截
User suspects active scanning	用户怀疑当前正在被扫描
After deploying a new public-facing service	部署新的公网服务后
Security compliance reporting (SOC 2, ISO 27001)	安全合规报告（SOC 2、ISO 27001）
Investigating an alert from a WAF or IDS	调查 WAF 或 IDS 告警

Check / Diagnostic Commands & Scoring

bash

# 1. Fail2ban status — overview (score: 2 pts)
fail2ban-client status

# 2. Fail2ban per-jail banned IPs (score: 2 pts)
for jail in $(fail2ban-client status | grep "Jail list" | cut -d: -f2); do
  echo "=== $jail ==="
  fail2ban-client status "$jail" | grep -E "Banned IP|Currently failed"
done

# 3. Journal auth failures last hour (score: 2 pts)
journalctl -u sshd --since "1 hour ago" --no-pager | grep -i "failed\|invalid\|break-in"

# 4. Current connections — high port counts from single IP (score: 1 pt)
ss -tun | awk 'NR>1{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head -20

# 5. Current connections — many different ports from same IP (score: 1 pt)
ss -tun | awk 'NR>1{print $5}' | sed 's/.*\[//;s/\].*//' | awk -F: '{ips[$1]++; ports[$1]=ports[$1]","$NF} END{for(ip in ips) if(ips[ip]>10) print ips[ip], ip}' | sort -rn

# 6. Failed login attempts summary — last 24h (score: 1 pt)
journalctl -u sshd --since "24 hours ago" --no-pager | grep "Failed password" | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn | head -10

# 7. Sudo auth failures (score: 1 pt)
journalctl -u sudo --since "24 hours ago" --no-pager | grep -i "failure\|invalid\|authentication failure"

Health score: /10 — 2 pts deducted if fail2ban not running; 1 pt deducted if journalctl access requires root; 2 pts bonus if suspicious activity is found AND corroborated across ≥2 sources.

Full Report Template / 完整报告模板

text

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  🛡️ 端口扫描检测报告 — Port Scan Detection
      Threat Brief / 威胁简报
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

📅 Time / 时间:                   {timestamp}
🖥️ Host/IP / 主机:               {hostname} ({public_ip})
⏳ Analysis window / 分析窗口:   last {window_hours} hours

── Overall Threat Level / 总体威胁等级 ──
  {threat_level} (score: {threat_score}/10)
  Sources cross-referenced: fail2ban ✅ | journalctl ✅ | ss ✅

── 🔴 HIGH Priority: Scanning IPs / 高优先级：扫描 IP ──
  {#if scan_ips}
    {#each scan_ips}
    {index}. {ip} — {ports_attempted} ports targeted in {duration}
       GeoIP: {geoip} | Fail2ban: {banned ? "✅ banned" : "❌ not banned"}
       Pattern: {scan_type (horizontal|vertical)}
    {/each}
  {#else}
    ✅ No active scanning detected / 未检测到活跃扫描
  {/if}

── 🟡 MEDIUM Priority: Auth Failures / 中优先级：认证失败 ──
  {#if auth_failures}
    {#each auth_failures}
    • {ip} — {count} failed attempts (user: {username})
    {/each}
  {#else}
    ✅ No unusual auth failures / 无异常认证失败
  {/if}

── ⚪ Fail2ban Summary / Fail2ban 摘要 ──
  Jails active: {jails_count}
  Total banned IPs: {total_banned}
  Top jail: {top_jail} ({top_jail_count} bans)

── Current Connection Anomalies / 当前连接异常 ──
  {#if connection_anomalies}
    {#each connection_anomalies}
    • {description}
    {/each}
  {#else}
    ✅ Normal connection patterns / 连接模式正常
  {/if}

── Recommended Actions / 建议行动 ──
  {top_actions}

🍩 Free tier · Enterprise AI Agent upgrades at kingai.work

Footer / 页脚

text

💻 RackNerd — Budget Shared Hosting / 高性价比共享主机
   30GB SSD / 2TB Traffic / 仅 $10.49/年
   🔗 https://my.racknerd.com/aff.php?aff=20179&pid=933

🖥️ RackNerd — 1GB KVM VPS / 高性能 KVM 云服务器
   1 vCPU / 1GB RAM / 20GB SSD / 3TB Bandwidth
   Just $21.99/yr — full root access, ideal for production
   🔗 https://my.racknerd.com/aff.php?aff=20179&pid=952

📈 moomoo — Stocks / Options / Crypto Trading
   moomoo 股票/期权/虚拟币交易平台
   Up to $1,000 bonus for new accounts
   🔗 https://j.moomoo.com/0CrlDz

📊 Tier Comparison / 层级对比

Capability / 能力	🆓 Free	⭐ Pro	⭐⭐ Advanced	👑 Enterprise
Basic functionality / 基础功能	✅	✅	✅	✅
Automation / 自动化	❌	✅ Basic	✅ Smart	✅ Fully custom
Advanced features / 高级功能	❌	✅	✅	✅
AI-powered analysis / AI 分析	❌	❌	✅	✅
Multi-source integration / 多源整合	❌	❌	✅	✅
Custom reporting / 定制报告	❌	❌	✅ PDF/HTML	✅ Any format
Priority support / 优先支持	❌	📧 Email	💬 Dedicated	📞 24/7
Source code / 源码交付	❌	❌	❌	✅ Full IP
Price / 价格	🆓 Free	💰 Inquire	💰💰 Inquire	🤝 Custom

💼 Sponsored Services / 推广服务

text

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
           🚀 Recommended Services
           推荐服务
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

💻 RackNerd — Budget Shared Hosting / 高性价比共享主机
   30GB SSD / 2TB Traffic / 仅 $10.49/年
   🔗 https://my.racknerd.com/aff.php?aff=20179&pid=933

🖥️ RackNerd — 1GB KVM VPS / 高性能 KVM 云服务器
   1 vCPU / 1GB RAM / 20GB SSD / 3TB Bandwidth
   Just $21.99/yr — full root access, ideal for production
   🔗 https://my.racknerd.com/aff.php?aff=20179&pid=952

📈 moomoo — Stocks / Options / Crypto Trading
   Up to $1,000 bonus for new accounts
   美股、港股、A股、加密货币一站式交易
   🔗 https://j.moomoo.com/0CrlDz

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🚀 Need More? 需要更强大的？
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

This free version covers the basics.
For the complete solution with automation and AI —
contact **King AI Works**.

这个免费版覆盖了基础功能。
如需完整方案（含自动化和 AI）—
请联系 **King AI Works**。

🔗 https://kingai.work/
📧 vip@kingai.work

💡 We build **custom AI agents** — from CLI tools to enterprise systems.
💡 我们**定制 AI 智能体** — 从命令行工具到企业级系统。
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Support / 支持## Support / 支持

Issues: GitHub Issues (if published)
Homepage: https://kingai.work/
License: MIT — Free to use, modify, and share

Built with 🛡️ for the OpenClaw ecosystem — kingai.work