On Mon, 4 Jan 2016 20:56:41 -0500
Alex <mysqlstud...@gmail.com> wrote:
> That IP doesn't exist. I can't think of any reason a legitimate
> attempt would be made to communicate with that address,

Lots of research and legitimate security projects use zmap to probe
the whole net. There are loads of legitimate reasons for scanning the
net, such as assessing what fraction of machines are running which
operating systems or software, or to learn about populations of
certain kinds of certificates.

There are very important outputs from such research that help
everyone -- for example, decisions on whether browsers can obsolete
SHA-1 based certificates depend critically on doing surveys of how
many such certs are out in the field, and decisions on whether
support for old software can be deprecated depend crucially on
population surveys.

It is best to distinguish between malicious scans and legitimate
ones. A malicious scanner inevitably follows up with attempts to
brute force things and one wants to ban *then*. Mere scanning is
often quite legitimate activity.

Generally I try to ban only activity that is actually clearly
malicious, like brute forcing ssh passwords or trying to send spam.

Perry
-- 
Perry E. Metzger                pe...@piermont.com

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
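The distinction drawn in the message above, between a source that only connects and one that follows up with password guessing, can be shown on sshd log lines. This is an added example, not part of the original post and not fail2ban's own code: `classify` is a hypothetical helper, its `maxretry` and `findtime` parameters are named after the fail2ban jail options, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog style; IPs are from documentation ranges.
SAMPLE_LOG = """\
Jan  4 20:50:01 host sshd[101]: Did not receive identification string from 192.0.2.10
Jan  4 20:50:07 host sshd[102]: Connection closed by 192.0.2.10 [preauth]
Jan  4 20:51:00 host sshd[110]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan  4 20:51:03 host sshd[111]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan  4 20:51:06 host sshd[112]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Jan  4 20:51:09 host sshd[113]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jan  4 20:52:00 host sshd[120]: Failed password for alice from 198.51.100.7 port 50000 ssh2
Jan  4 21:30:00 host sshd[130]: Failed password for alice from 198.51.100.7 port 50001 ssh2
"""

# Anchored at end of line so a crafted username cannot smuggle in a fake "from <ip>".
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?.*? from (\S+) port \d+ ssh2$")
# Connection-level events with no authentication attempt: what a survey scan leaves behind.
PROBE = re.compile(r"sshd\[\d+\]: (?:Did not receive identification string from|Connection closed by) (\S+)")


def classify(log_text, maxretry=3, findtime=timedelta(minutes=10), year=2016):
    """Return (ban, probe_only).

    ban: IPs with at least maxretry failed passwords within findtime.
    probe_only: IPs that connected but never attempted authentication.
    """
    failures = defaultdict(deque)
    ban, probed = set(), set()
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            # Classic syslog timestamps carry no year, so one is assumed.
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            window = failures[m.group(1)]
            window.append(ts)
            while ts - window[0] > findtime:
                window.popleft()
            if len(window) >= maxretry:
                ban.add(m.group(1))
        elif m := PROBE.search(line):
            probed.add(m.group(1))
    return ban, probed - set(failures)


if __name__ == "__main__":
    ban, probe_only = classify(SAMPLE_LOG)
    print("ban:", sorted(ban))
    print("leave alone (probe only):", sorted(probe_only))
```

The address with two failures 38 minutes apart lands in neither set: it attempted authentication, but not at a rate that crosses the threshold.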