On Sat, 2 Jun 2001, Roderick Cummings wrote:

> Now when portsentry detects a port scan it blocks the ip making the
> scan.

I am not an expert in security, but I have some doubts.

Is it wise to block an ip just because it did a port scan?
What if s/he spoofs the ip and puts your ip as source address?


A rule in my input chain will drop any incoming packet claiming to be from the localhost. (The routers to other networks will drop any incoming packets claiming to be from my network as well.)

Blocking the IPs might be a problem if, say, someone takes control of one of the servers at my customer's site, but then the application would die and be noticed. Although that would be a serious DoS attack, I'd much rather know there is a problem and discover the system in the customer's network was hacked, than continue to talk to it and process data from it. Unfortunately the customers do have legitimate reasons to access the systems in my network (several of which they actually own).
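The two pieces of the policy described in this message, the anti-spoofing input rule that runs before the scan detector and the "block it and go look" decision for scans from customer hosts, as an added Python example that is not from the thread or from portsentry; all addresses, the packet records and the scan threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed assumptions: our own address space and the customer networks
# that legitimately reach our systems. Not values from the thread.
OWN_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("127.0.0.0/8")]
CUSTOMER_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
SCAN_THRESHOLD = 3  # distinct destination ports from one source counts as a scan

# Constructed "src_ip dst_port" records, one per incoming packet.
SAMPLE_PACKETS = """\
203.0.113.7 21
203.0.113.7 22
203.0.113.7 23
192.0.2.10 22
192.0.2.10 23
192.0.2.10 25
198.51.100.5 22
198.51.100.5 23
198.51.100.5 25
198.51.100.9 443
"""

def ingress_filter_drops(src_text):
    """The input-chain rule from the message: a packet arriving from outside
    whose source claims to be our own host or network is spoofed; drop it."""
    src = ipaddress.ip_address(src_text)
    return any(src in net for net in OWN_NETWORKS)

def classify(records):
    """Ingress filter first, then scan detection, then the blocking policy.
    Returns {source: decision}."""
    ports = defaultdict(set)
    decisions = {}
    for line in records.splitlines():
        src_text, port = line.split()
        if ingress_filter_drops(src_text):
            decisions[src_text] = "dropped_spoof"  # never reaches the detector
            continue
        ports[src_text].add(int(port))
    for src_text, touched in ports.items():
        if len(touched) < SCAN_THRESHOLD:
            decisions[src_text] = "allow"
        elif any(ipaddress.ip_address(src_text) in n for n in CUSTOMER_NETWORKS):
            # A scan from a customer host is the compromise signal the message
            # wants to notice: block it, and raise an alert about that host.
            decisions[src_text] = "block_and_alert"
        else:
            decisions[src_text] = "block"
    return decisions
```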
