Chad wrote on Fri, Nov 01, 2002 at 01:49:41PM -0500 :
> I remember reading an article in Linux Journal or something like that that
> explained how to set up snort or some other software package to automatically
> detect a port scan in progress and then to automatically block any other
> connection attempts by that IP address. It automatically creates a block
> using iptables/ipchains so there is no hacking risk if they portscan you
> first because their IP will be blocked. That is, unless they are on DHCP /
There's a downside to it. Suppose some legitimate server sends you data that the monitor considers to be a scan. All of a sudden your machine is blocking that IP. What if that IP happened to be your DNS servers, or your mail server? It happens. You're creating a guaranteed Denial of Service ... against yourself.

They're great for home use, useless on a production site.

Blue skies...
Todd
--
| MandrakeSoft USA             | Security is like an onion. It's made |
| http://www.mandrakesoft.com  | up of several layers and makes you   |
| http://www.mandrakelinux.com | cry. --Howard Chu                    |
Cooker Version mandrake-release-9.1-0.1mdk Kernel 2.4.19-18mdk
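As an added illustration of the point Todd makes above (this is not code from the thread, Linux Journal, snort or Mandrake): a minimal "many distinct ports from one source" scan detector of the kind Chad describes, run over constructed log lines. The local DNS server trips it, because replies from port 53 land on many ephemeral ports, so the step that turns detections into iptables rules has to consult an allowlist of your own infrastructure first. All IP addresses, the threshold and the window are assumptions chosen for the example.

```python
"""Added example, not from the thread: a naive auto-blocker and the
self-inflicted denial of service it causes when a legitimate DNS server
looks like a port scanner. IPs, threshold and window are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed log: (time_s, src_ip, src_port, dst_port), the fields a
# netfilter LOG target or snort would record for inbound packets.
SAMPLE_LOG = (
    # Real scanner: ten different service ports within ten seconds.
    [(t, "203.0.113.7", 40000 + t, p)
     for t, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080])]
    # Our DNS server answering our resolver: one source port, many
    # ephemeral destination ports. Indistinguishable from a scan here.
    + [(t, "192.0.2.53", 53, 32768 + t) for t in range(12)]
    # Our MX delivering mail: always port 25, never looks like a scan.
    + [(t * 5, "192.0.2.25", 50000 + t, 25) for t in range(12)]
)

SCAN_THRESHOLD = 10   # distinct destination ports from one source ...
WINDOW_S = 60         # ... seen within this many seconds


def detect_scanners(events, threshold=SCAN_THRESHOLD, window=WINDOW_S):
    """Return the set of source IPs that touch at least `threshold`
    distinct destination ports inside any `window`-second span."""
    by_src = defaultdict(list)
    for t, src, _sport, dport in events:
        by_src[src].append((t, dport))
    scanners = set()
    for src, hits in by_src.items():
        hits.sort()
        recent = []  # (time, port) pairs inside the sliding window
        for t, port in hits:
            recent.append((t, port))
            recent = [(rt, rp) for rt, rp in recent if t - rt <= window]
            if len({rp for _rt, rp in recent}) >= threshold:
                scanners.add(src)
                break
    return scanners


def build_block_rules(scanners, allowlist):
    """Turn flagged sources into iptables commands, but never for a
    source inside the infrastructure allowlist (DNS, MX, gateway,
    monitoring hosts). Returns (rules, skipped) so skips get logged
    instead of silently vanishing."""
    nets = [ip_network(a) for a in allowlist]
    rules, skipped = [], []
    for src in sorted(scanners):
        if any(ip_address(src) in n for n in nets):
            skipped.append(src)
            continue
        rules.append(f"iptables -I INPUT -s {src} -j DROP")
    return rules, skipped


if __name__ == "__main__":
    flagged = detect_scanners(SAMPLE_LOG)
    print("flagged as scanners:", sorted(flagged))  # DNS server is in here
    # 192.0.2.0/26 is the assumed range holding our DNS and mail servers.
    rules, skipped = build_block_rules(flagged, ["192.0.2.0/26"])
    print("rules to apply:", rules)
    print("skipped (own infrastructure):", skipped)
```

Without the allowlist, `build_block_rules` would emit a DROP for 192.0.2.53 and the host would lose name resolution, which is exactly the self-DoS described above. Note also that the detector is purely count-based; lowering `window` or raising `threshold` trades false positives against missed slow scans, and neither setting removes the need for the allowlist.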
