SSH scanning
High-rate outbound connections to TCP port 22 are a common sign of automated credential scanning. I applied rate controls and added an alert for staff review. Rate limiting alone cannot prove intent, so the notification preserved room for investigation.
Outbound denial-of-service traffic
There is no single signature for every denial-of-service method. I built detection around unusually high packet rates, repeated payloads and other traffic characteristics. Suspicious events generated an alert instead of an automatic permanent block because false positives could affect legitimate high-volume workloads.
Mail and port scanning
A Proxmox Mail Gateway filtered outbound email and provided a controlled route for mail delivery. For port scanning, I looked for repeated connection attempts across incrementing destination ports and notified the operations team when that pattern appeared.
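A minimal version of the incrementing-port heuristic described above, as an added example rather than the code used in the original deployment. The flow-record format, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
# Documentation-range addresses; none of this data comes from the original page.
SAMPLE_FLOWS = (
    [(100 + i, "10.0.0.5", "203.0.113.9", 20 + i) for i in range(8)]      # sequential sweep
    + [(100 + i, "10.0.0.7", "198.51.100.4", 443) for i in range(8)]      # busy HTTPS client
    + [(100, "10.0.0.8", "198.51.100.20", 80),                            # slow, unrelated
       (130, "10.0.0.8", "198.51.100.20", 443),
       (160, "10.0.0.8", "198.51.100.20", 8080)]
)

WINDOW_SECONDS = 10  # assumed: how long a run may take and still count
MIN_RUN = 5          # assumed: rising ports needed before staff are notified


def find_incrementing_port_runs(flows, window=WINDOW_SECONDS, min_run=MIN_RUN):
    """Return {(src, dst): longest_run} for pairs whose connection attempts
    climb through strictly increasing destination ports within `window` seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        by_pair[(src, dst)].append((ts, port))

    alerts = {}
    for pair, events in by_pair.items():
        run, best = [events[0]], 1
        for ts, port in events[1:]:
            if port > run[-1][1]:
                run.append((ts, port))
                # Slide the window: drop attempts too old to belong to this run.
                while ts - run[0][0] > window:
                    run.pop(0)
            else:
                # Same or lower port breaks the climb; start a new run here.
                run = [(ts, port)]
            best = max(best, len(run))
        if best >= min_run:
            alerts[pair] = best
    return alerts


if __name__ == "__main__":
    for (src, dst), length in find_incrementing_port_runs(SAMPLE_FLOWS).items():
        print(f"notify ops: {src} -> {dst} hit {length} rising ports in a row")
```

The output is a notification candidate for staff review, and both thresholds need tuning against the workloads actually hosted.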
Result
The controls were intentionally layered: prevent the clearest abuse, slow down suspicious behavior and surface ambiguous cases to staff. They reduced noise and improved response time without pretending that network heuristics can classify every customer workload perfectly.