I have a filter ready to do this; I have been using it for a couple of
years now. It requires the SNORT ids configured on the system, using syslog
output. Works like a charm.


On Tue, Jan 5, 2016 at 11:09 AM, Alex <[email protected]> wrote:

> Hi,
>
> On Mon, Jan 4, 2016 at 9:53 PM, Perry E. Metzger <[email protected]>
> wrote:
> > On Mon, 4 Jan 2016 20:56:41 -0500 Alex <[email protected]> wrote:
> >> That IP doesn't exist. I can't think of any reason a legitimate
> >> attempt would be made to communicate with that address,
> >
> > Lots of research and legitimate security projects use zmap to probe
> > the whole net. There are loads of legitimate reasons for scanning the
> > net, such as assessing what fraction of machines are running which
> > operating systems or software, or to learn about populations of
> > certain kinds of certificates. There are very important outputs from
> > such research that help everyone -- for example, decisions on
> > whether browsers can obsolete SHA-1 based certificates depend
> > critically on doing surveys of how many such certs are out in the
> > field, and decisions on whether support for old software can be
> > deprecated depends crucially on population surveys.
> >
> > It is best to distinguish between malicious scans and
> > legitimate ones. A malicious scanner inevitably follows up with
> > attempts to brute force things and one wants to ban *then*. Mere
> > scanning is often quite legitimate activity. Generally I try to ban
> > only activity that is actually clearly malicious, like brute forcing
> > ssh passwords or trying to send spam.
>
> I agree with what you've said from the perspective of a security
> professional and a "good Internet neighbor". However, we have a
> default-deny policy on our firewall. I just can't leave ports/hosts
> open for remote users to probe and investigate as they wish for
> non-existent hosts.
>
> Thanks,
> Alex
>
>
> >
> > Perry
> > --
> > Perry E. Metzger                [email protected]
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
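The kind of filter the poster describes, together with the two banning policies argued in the quoted thread (Perry: ban only on a brute-force follow-up; Alex: default-deny, ban any probe of a non-existent host), as an added example that is not part of the original list post or of fail2ban itself. The Snort syslog lines, the local-range SIDs, the rule messages and the "dark" address are all constructed for the example; the regular expression is the same shape a fail2ban `failregex` would use, with the `src` group standing where fail2ban's `<HOST>` tag would go.

```python
import re
from collections import defaultdict

# Constructed Snort syslog alert lines (not from the list post). The layout
# follows Snort's syslog alert output; the SIDs are in the local 1000000+
# range and are placeholders, not real rule ids.
SAMPLE_LOG = """\
Jan  5 11:09:01 gw snort[2231]: [1:1000001:1] LOCAL SCAN ssh probe [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51234 -> 198.51.100.5:22
Jan  5 11:09:03 gw snort[2231]: [1:1000001:1] LOCAL SCAN ssh probe [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:51235 -> 198.51.100.77:22
Jan  5 11:12:40 gw snort[2231]: [1:1000002:1] LOCAL BRUTE ssh login burst [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:51300 -> 198.51.100.5:22
Jan  5 11:15:02 gw snort[2231]: [1:1000001:1] LOCAL SCAN ssh probe [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40001 -> 198.51.100.77:22
Jan  5 11:16:10 gw snort[2231]: [1:1000003:1] LOCAL ICMP sweep [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.8 -> 198.51.100.5
"""

# Addresses inside our range with no host behind them (Alex's "non-existent
# hosts"). Constructed for the example.
DARK_HOSTS = {"198.51.100.77"}

# Same pattern a fail2ban failregex would carry; in a filter file the 'src'
# group becomes <HOST>. Ports are optional so ICMP alerts also match.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[A-Z]+)\} (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$"
)

# Snort classtypes that indicate the scanner has moved on to actually
# attacking something, i.e. the "follow-up" Perry wants to ban on.
FOLLOWUP_CLASSES = {
    "Attempted Administrator Privilege Gain",
    "Attempted User Privilege Gain",
}


def parse_alerts(text):
    """Return one dict per Snort alert line; non-matching lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            d["prio"] = int(d["prio"])
            alerts.append(d)
    return alerts


def ban_decisions(alerts, policy):
    """Return the set of source IPs to ban under the given policy.

    'followup'     - ban only sources whose alerts include a brute-force style
                     follow-up (attempted privilege gain); mere scans pass.
    'default-deny' - additionally ban any source that touched an address with
                     no host behind it.
    """
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    banned = set()
    for src, hits in by_src.items():
        if any(h["cls"] in FOLLOWUP_CLASSES for h in hits):
            banned.add(src)
        elif policy == "default-deny" and any(h["dst"] in DARK_HOSTS for h in hits):
            banned.add(src)
    return banned


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG)
    for pol in ("followup", "default-deny"):
        print(pol, sorted(ban_decisions(parsed, pol)))
```

Run stand-alone it prints the ban set for each policy: under "followup" only 192.0.2.10 is banned (its scan was followed by a brute-force alert), while under "default-deny" 203.0.113.7 is banned as well for probing the unused address; the ICMP sweep from 203.0.113.8 against a live host is banned under neither. To turn the pattern into a fail2ban filter, keep only the part after the syslog timestamp (fail2ban's date pattern consumes the timestamp) and substitute `<HOST>` for the `src` group.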