On Fri, 1 Nov 2002, Chad wrote:
> I remember reading an article in Linux Journal or something like that that
> explained how to set up snort or some other software package to automatically
> detect a port scan in progress and then to automatically block any other
> connection attempts by that IP address. It automatically creates a block
> using iptables/ipchains, so there is no hacking risk if they portscan you
> first because their IP will be blocked. That is, unless they are on DHCP /
> Dial-Up / or using someone else's computer as their jump-off. However, it's
> better than nothing.
>
> Unfortunately, I forgot what the software was, but I'm sure a good Google
> search using some of the keywords I've mentioned will find it.
This is very useful; some Linux-based firewalls such as Watchguard have a similar feature. But I've noticed that the IP scanning is becoming smarter to get around these blocks. The scanner will touch a few machines, just under the lockout threshold, then try again a few hours or days later. Some blocks won't check multiple IPs, so a scanner could jump between a range of IPs and not trigger the alarm with a portscan.
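The auto-block described in the quoted post, and the two evasions the reply mentions (a slow scan that stays under the lockout threshold between retries, and a scan spread across several source addresses), as an added example that is not from this thread or from any of the tools named in it. It parses lines in the kernel's netfilter LOG format, flags a source once it has probed a threshold of distinct target/port pairs inside a sliding time window, and prints the iptables rule that would drop it. The log lines, addresses (RFC 5737 test ranges), the 10-hits-in-60-seconds threshold, and the `by_slash24` aggregation used to catch the IP-hopping scanner are all constructed or assumed for the demo.

```python
"""Sliding-window port-scan detector over netfilter LOG lines (added example).

Not code from the mailing-list thread. Log lines, addresses (RFC 5737
test ranges) and thresholds are constructed for the demo; the line layout
follows the kernel's LOG target output.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Fields we need from a LOG line: syslog timestamp, SRC, DST and DPT.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2002):
    """Return (epoch, src, dst, dport) or None if the line is not a LOG hit."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts.replace(tzinfo=timezone.utc).timestamp(), m["src"], m["dst"], int(m["dpt"])


def by_source(src):
    """Default key: one counter per source address."""
    return src


def by_slash24(src):
    """Aggregate key: one counter per /24, so a scanner that hops between
    neighbouring addresses still accumulates hits (assumed mitigation)."""
    return str(ipaddress.ip_network(f"{src}/24", strict=False))


def detect_scanners(lines, threshold=10, window=60, key=by_source):
    """Flag a key once it has probed `threshold` distinct (dst, port) pairs
    inside any `window`-second span. Returns {key: epoch_of_trip}."""
    records = sorted(r for r in map(parse_line, lines) if r is not None)
    history = defaultdict(deque)          # key -> recent (t, (dst, port))
    flagged = {}
    for t, src, dst, dpt in records:
        k = key(src)
        if k in flagged:                  # already blocked, nothing to count
            continue
        hist = history[k]
        hist.append((t, (dst, dpt)))
        while t - hist[0][0] > window:    # expire hits outside the window
            hist.popleft()
        if len({target for _, target in hist}) >= threshold:
            flagged[k] = t
    return flagged


def block_rules(flagged):
    """iptables commands that would drop further packets from each flagged key."""
    return [f"iptables -I INPUT -s {k} -j DROP" for k in sorted(flagged)]


def _log(ts, src, dst, dpt):
    # Constructed line in netfilter LOG format; only SRC/DST/DPT are varied.
    return (f"{ts} gw kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=60 TOS=0x00 "
            f"PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=41234 DPT={dpt} "
            f"WINDOW=5840 RES=0x00 SYN URGP=0")


def sample_log():
    """Constructed log: a fast scan, a slow scan spread over hours, and a
    scan spread across twelve neighbouring source addresses."""
    target, lines = "198.51.100.5", []
    ports = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443]
    # 1. Naive scanner: all 12 ports from one host in 12 seconds.
    for i, p in enumerate(ports):
        lines.append(_log(f"Nov  1 10:00:{i:02d}", "192.0.2.10", target, p))
    # 2. Slow scanner: 4 ports, then the next 4 an hour later, and so on.
    for hour, chunk in enumerate((ports[0:4], ports[4:8], ports[8:12]), start=11):
        for j, p in enumerate(chunk):
            lines.append(_log(f"Nov  1 {hour}:00:{5 * j:02d}", "192.0.2.20", target, p))
    # 3. Hopping scanner: one port per source, 203.0.113.1 .. 203.0.113.12.
    for i, p in enumerate(ports):
        lines.append(_log(f"Nov  1 14:00:{i:02d}", f"203.0.113.{i + 1}", target, p))
    return lines


if __name__ == "__main__":
    log = sample_log()
    print("per source :", block_rules(detect_scanners(log)))
    print("per /24    :", block_rules(detect_scanners(log, key=by_slash24)))
    print("24h window :", block_rules(detect_scanners(log, window=86400)))
```

With the default per-source, 60-second window only the naive scanner is blocked: the slow scanner never has more than 4 hits inside any window, and each hopping address has exactly one. Widening the window to a day catches the slow scanner, and keying on the /24 catches the hopping one, at the cost of blocking neighbours who share that prefix. Whatever the thresholds, feed the rule to iptables only after a sanity check on the address: the SYNs that trip the counter can carry a forged source, so an unattended blocker can be steered into dropping a legitimate peer.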