I just have mine set up so that my open ports are web, ftp, http, pop3 & smtp on my servers. If any port besides those gets scanned, the IP gets firewalled. So far, I have had 0 problems. I also keep it updated, security-patch wise. Even if I am blocking "legitimate data", I would rather be safe than sorry. My data is important to me.

Chad

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:expert-owner@;linux-mandrake.com] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, November 01, 2002 2:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [expert] portscans

On Fri, 1 Nov 2002, Chad wrote:

> I remember reading an article in Linux Journal or something like that that
> explained how to set up snort or some other software package to automatically
> detect a port scan in progress and then to automatically block any other
> connection attempts by that IP address. It automatically creates a block
> using iptables/ipchains so there is no hacking risk if they portscan you
> first because their IP will be blocked. That is, unless they are on DHCP /
> Dial-Up / or using someone else's computer as their jump-off. However, it's
> better than nothing.
>
> Unfortunately, I forgot what the software was, but I'm sure a good Google
> search using some of the keywords I've mentioned will find it.

This is very useful; some Linux-based firewalls such as WatchGuard have a similar feature. But I've noticed that the IP scanning is becoming smarter to get around these blocks. The scanner will touch a few machines, just under the lockout threshold, then try again a few hours or days later. Some blocks won't check multiple IPs, so a scanner could jump between a range of IPs and not trigger the alarm with a portscan.
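
The evasion described in the reply above (staying just under the lockout threshold and spreading probes across a range of IPs), as an added detection example that is not part of the original thread: it counts probes to closed ports over a multi-day window and groups sources by /24. The log format, the port list (21, 25, 80, 110), the thresholds and all addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_PORTS = {21, 25, 80, 110}  # assumption: ftp, smtp, http, pop3

# Constructed sample firewall log: "ISO-time src dst dport"
SAMPLE_LOG = """\
2002-11-01T02:00:00 198.51.100.10 192.0.2.5 23
2002-11-01T02:00:05 198.51.100.10 192.0.2.6 111
2002-11-01T09:30:00 198.51.100.11 192.0.2.5 139
2002-11-01T09:30:04 198.51.100.11 192.0.2.7 445
2002-11-02T21:15:00 198.51.100.12 192.0.2.6 6000
2002-11-02T21:15:09 198.51.100.12 192.0.2.8 1433
2002-11-02T12:00:00 203.0.113.7 192.0.2.5 80
2002-11-02T12:00:01 203.0.113.7 192.0.2.5 8080
"""

def parse(log):
    """Yield (timestamp, source address, destination, port) per log line."""
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), ipaddress.ip_address(src), dst, int(port)

def detect(log, window, threshold, prefix=32):
    """Return source networks that probed at least `threshold` distinct
    closed (host, port) pairs inside any span of length `window`."""
    events = defaultdict(list)
    for ts, src, dst, port in parse(log):
        if port in ALLOWED_PORTS:
            continue  # traffic to a published service is not a probe
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        events[net].append((ts, (dst, port)))
    flagged = []
    for net, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            # distinct targets touched within `window` of this probe
            targets = {t for ts, t in evs[i:] if ts - start <= window}
            if len(targets) >= threshold:
                flagged.append(str(net))
                break
    return sorted(flagged)

if __name__ == "__main__":
    # Short window, per address: each source stays under the threshold.
    print(detect(SAMPLE_LOG, timedelta(minutes=10), 3))
    # Multi-day window, grouped by /24: the spread-out scan is visible.
    print(detect(SAMPLE_LOG, timedelta(days=3), 3, prefix=24))
```

Grouping by /24 widens what a block would cover, so the result is better used to raise an alert or a review than to firewall the whole range automatically.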