On Sat, Mar 09, 2002 at 05:40:10PM +0200, Juhan Kundla wrote:
> So my question is: what should I do? Should I report
> this to my ISP? Should I block the IP address of the scanner? (This is
> probably a bad idea, since we have here dynamic IP-addresses) I don't want to
> overreact in any way. I am very new at this network security
> administrator field.

Often the scans you see are coming from compromised systems that aren't trying too hard to be discreet in their scanning. Typically they're scanning large netblocks looking for a single thing (the rpc.statd bug, wu-ftpd, bind, etc.) and it doesn't take the ISP too long to find out about it and take action. If you find that a single host looks to be scanning you on a fairly regular basis or probing several different services, then it might be in your best interest to report it. Otherwise, if you're up to date with security fixes and not running any unnecessary services, most scans are not indicative of any appreciable threat and aren't worth worrying about. Other people have different opinions on this issue, though. As you gain experience you'll get a better idea of what is common and uninteresting vs. what is unusual and worth investigating.

noah

--
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
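
The triage rule from the reply above (a single host probing several different services, or returning on a regular basis, is worth reporting; a one-off single-port sweep is not) can be applied to firewall logs mechanically. The following is an added example, not part of the original message: the log lines are constructed in iptables LOG style with documentation-range addresses, and the function name and both thresholds are assumptions to tune for your own network.

```python
import re
from collections import defaultdict

# Constructed sample log (iptables LOG style); not taken from the original thread.
SAMPLE_LOG = """\
Mar  7 03:12:01 gw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4021 DPT=111
Mar  8 14:40:17 gw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=1033 DPT=21
Mar  8 14:40:18 gw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=1034 DPT=53
Mar  8 14:40:19 gw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=1035 DPT=111
Mar  7 09:00:00 gw kernel: IN=eth0 SRC=192.0.2.99 DST=198.51.100.5 PROTO=TCP SPT=2200 DPT=21
Mar  8 09:00:02 gw kernel: IN=eth0 SRC=192.0.2.99 DST=198.51.100.5 PROTO=TCP SPT=2201 DPT=21
Mar  9 09:00:05 gw kernel: IN=eth0 SRC=192.0.2.99 DST=198.51.100.5 PROTO=TCP SPT=2202 DPT=21
this line is malformed and is skipped
"""

# Captures month, day of month, source address and destination port.
LINE_RE = re.compile(r"^(\w{3})\s+(\d{1,2})\s+\S+.*?\bSRC=(\S+).*?\bDPT=(\d+)")

def triage(log_text, min_ports=3, min_days=3):
    """Map each source address to the reasons it stands out (empty list = noise).

    min_ports and min_days are assumed thresholds. With dynamic addressing the
    same address may be a different machine on another day, so treat
    "recurring" as a prompt to look closer, not as proof.
    """
    ports = defaultdict(set)   # source -> distinct destination ports probed
    days = defaultdict(set)    # source -> distinct calendar days seen
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue           # ignore lines that are not firewall hits
        month, day, src, dport = m.groups()
        ports[src].add(int(dport))
        days[src].add((month, int(day)))
    verdicts = {}
    for src in ports:
        reasons = []
        if len(ports[src]) >= min_ports:
            reasons.append("several services")
        if len(days[src]) >= min_days:
            reasons.append("recurring")
        verdicts[src] = reasons
    return verdicts

if __name__ == "__main__":
    for src, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(src, "report candidate: " + ", ".join(reasons) if reasons else "background noise")
```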