The internet is huge. If one, 100 or 10 thousand hosts want to proactively block scanners, it will not harm statistics.
On Mon, Jan 4, 2016 at 11:53 PM, Perry E. Metzger <pe...@piermont.com> wrote:
> On Mon, 4 Jan 2016 20:56:41 -0500 Alex <mysqlstud...@gmail.com> wrote:
> > That IP doesn't exist. I can't think of any reason a legitimate
> > attempt would be made to communicate with that address,
>
> Lots of research and legitimate security projects use zmap to probe
> the whole net. There are loads of legitimate reasons for scanning the
> net, such as assessing what fraction of machines are running which
> operating systems or software, or to learn about populations of
> certain kinds of certificates. There are very important outputs from
> such research that help everyone -- for example, decisions on
> whether browsers can obsolete SHA-1 based certificates depend
> critically on doing surveys of how many such certs are out in the
> field, and decisions on whether support for old software can be
> deprecated depend crucially on population surveys.
>
> It is best to distinguish between malicious scans and
> legitimate ones. A malicious scanner inevitably follows up with
> attempts to brute force things and one wants to ban *then*. Mere
> scanning is often quite legitimate activity. Generally I try to ban
> only activity that is actually clearly malicious, like brute forcing
> ssh passwords or trying to send spam.
>
> Perry
> --
> Perry E. Metzger pe...@piermont.com
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>