On Sat, Jun 02, 2001 at 08:51:46PM +0530, Rajkumar S. wrote:
> > Now when portsentry detects a port scan it blocks the IP making the
> > scan.
>
> Is it wise to block an IP just because it did a port scan?
> What if s/he spoofs the IP and puts your IP as source address?
This is the real problem, and is a very good reason not to block IP addresses based on a portscan. Very few large-scale sites do anything of the sort. It is trivial to spoof the source address of a portscan, allowing one to cause your machine to block access from your nameservers or your clients or other important sites.

I recommend using ippl or the ipchains/iptables-based logging facilities in place of portsentry. They don't necessitate having a service actually listening on unused ports.

noah
-- 
_______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
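An added example, not part of this thread, of the logging-only approach noah recommends: a small Python script that reads iptables LOG-target kernel messages for unused ports and reports which sources probed many distinct ports, without feeding the result into any block rule, because the SRC field is exactly what a spoofer controls. The UNUSED-PORT log prefix, the threshold and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Field pattern for an iptables/ipchains LOG-target kernel message.
# ICMP entries carry no SPT/DPT, so the port group is optional.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Jun  2 20:51:46 gw kernel: UNUSED-PORT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  2 20:51:46 gw kernel: UNUSED-PORT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  2 20:51:47 gw kernel: UNUSED-PORT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  2 20:51:47 gw kernel: UNUSED-PORT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40004 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  2 20:51:48 gw kernel: UNUSED-PORT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=40005 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  2 20:51:48 gw kernel: UNUSED-PORT: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=40006 DPT=143 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  2 20:52:01 gw kernel: UNUSED-PORT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=7 DF PROTO=TCP SPT=51000 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  2 20:52:02 gw kernel: UNUSED-PORT: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=8 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
"""

def parse_log(text):
    """Yield (src, proto, dport) for each line that looks like a LOG entry."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            dpt = m.group("dpt")
            yield m.group("src"), m.group("proto"), int(dpt) if dpt else None

def scan_report(text, threshold=5):
    """Map each source to the sorted distinct TCP/UDP ports it probed, keeping
    only sources that touched at least `threshold` ports. Report only: the
    SRC field is unauthenticated, so it must never drive an automatic block."""
    ports = defaultdict(set)
    for src, proto, dpt in parse_log(text):
        if dpt is not None:
            ports[src].add(dpt)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= threshold}

if __name__ == "__main__":
    for src, plist in scan_report(SAMPLE_LOG).items():
        print(f"probable scan from {src}: ports {plist}")
```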