Hi,

On Mon, Jan 4, 2016 at 9:53 PM, Perry E. Metzger <pe...@piermont.com> wrote:
> On Mon, 4 Jan 2016 20:56:41 -0500 Alex <mysqlstud...@gmail.com> wrote:
>> That IP doesn't exist. I can't think of any reason a legitimate
>> attempt would be made to communicate with that address,
>
> Lots of research and legitimate security projects use zmap to probe
> the whole net. There are loads of legitimate reasons for scanning the
> net, such as assessing what fraction of machines are running which
> operating systems or software, or to learn about populations of
> certain kinds of certificates. There are very important outputs from
> such research that help everyone -- for example, decisions on
> whether browsers can obsolete SHA-1 based certificates depend
> critically on doing surveys of how many such certs are out in the
> field, and decisions on whether support for old software can be
> deprecated depend crucially on population surveys.
>
> It is best to distinguish between malicious scans and
> legitimate ones. A malicious scanner inevitably follows up with
> attempts to brute force things and one wants to ban *then*. Mere
> scanning is often quite legitimate activity. Generally I try to ban
> only activity that is actually clearly malicious, like brute forcing
> ssh passwords or trying to send spam.

I agree with what you've said from the perspective of a security
professional and a "good Internet neighbor". However, we have a
default-deny policy on our firewall. I just can't leave ports/hosts
open for remote users to probe and investigate as they wish for
non-existent hosts.

Thanks,
Alex

>
> Perry
> --
> Perry E. Metzger pe...@piermont.com

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users