Just to add to this thread a bit, but blocking the IP where the portscan
may appear to come from isn't a guarantee you'll stop the portscans.
Popular port scanning software like nmap supports whats called 'Idle
Scanning' which bounce the scan's off 'zombie' hosts, tricking IDS's to
report the zombie machine as the culprit instead of the source host, or
fooling 'auto-blocking' scripts like the ones we're talking about into
blocking the completely wrong host.
Dan
http://five2one.org/
Todd Lyons wrote:
There's a downside to it. Suppose some legitimate server sends you data
that the monitor considers to be a scan. All of a sudden your machine
is blocking that IP. What if that IP happened ot be your DNS servers,
or your mail server? It happens. You're creating a guaranteed Denial
of Service ... against yourself.
Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
