On Thu, Nov 08, 2001 at 12:37:53PM -0700, Karel Jennings wrote:
> Hello, I was recently working on a remote server, playing with mysql.
> Anyway. I wanted to see what ports were open, and nmapped the box. :) The
> machine had portsentry running, and it dropped my connection *AND* put my IP
> in the hosts.deny. Isn't this a little bit harsh? Or is it good practice? My
> IDS at home bans for a couple days, but not infinitely. That got me
> thinking.. what is the better practice?
>
I suppose it's better practice to ban IP addresses for a week, and then remove them from the blacklist. Most of the time, the script kiddies who do portscans on random boxes work from dynamic IPs in ISP dialup pools or from DHCP leases by cable Internet/xDSL providers, so it does no good to ban them forever. Every time someone gets banned by portsentry in this way it is best to make the ban temporary, and to do investigations on why the portscans occur. If it comes from your upstream provider, get them to look into it, as that probably means a rogue subscriber who is in blatant violation of their terms of service or a compromised account which they should investigate immediately.

--
Rafael R. Sevilla <[EMAIL PROTECTED]>                    +63(2) 8177746 ext. 8311
Programmer, Inter.Net Philippines                       +63(917) 4458925
http://dido.engr.internet.org.ph/                      OpenPGP Key ID: 0x5CDA17D8
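One way to implement the one-week expiry Rafael suggests, as an added example that is not code from the thread or from portsentry itself: it assumes portsentry's default hosts.deny entry format ("ALL: <ip> : DENY") and a constructed ban log recording when each IP was added, since hosts.deny carries no timestamps of its own. Hand-written rules and entries with no recorded ban time are left untouched.

```python
import re
from datetime import datetime, timedelta, timezone

BAN_TTL = timedelta(days=7)  # the one-week ban suggested in the thread

# Assumption: portsentry's default KILL_HOSTS_DENY line, "ALL: <ip> : DENY".
PORTSENTRY_LINE = re.compile(r"^ALL:\s*(\d{1,3}(?:\.\d{1,3}){3})\s*(?::\s*DENY)?\s*$")

# Constructed sample /etc/hosts.deny: three portsentry bans plus a manual rule.
HOSTS_DENY = """# /etc/hosts.deny (constructed sample)
ALL: 192.0.2.10 : DENY
ALL: 192.0.2.20 : DENY
ALL: 198.51.100.5 : DENY
sshd: 203.0.113.0/24
"""

# Constructed ban log: "<ISO timestamp> <ip>", one line per portsentry ban.
# 198.51.100.5 deliberately has no entry, so its age is unknown.
BAN_LOG = """# constructed: written by a wrapper around portsentry's kill action
2001-11-01T09:00:00+00:00 192.0.2.10
2001-11-07T09:00:00+00:00 192.0.2.20
"""

NOW = datetime(2001, 11, 8, 12, 37, tzinfo=timezone.utc)


def parse_ban_log(text):
    """Map IP -> time it was banned, ignoring comments and blank lines."""
    bans = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, ip = line.split()
        bans[ip] = datetime.fromisoformat(ts)
    return bans


def expire_bans(hosts_deny, ban_log, now):
    """Return (new hosts.deny text, list of released IPs).

    A line is dropped only if portsentry wrote it AND the ban log shows it
    is at least BAN_TTL old; everything else is kept verbatim.
    """
    bans = parse_ban_log(ban_log)
    kept, released = [], []
    for line in hosts_deny.splitlines():
        m = PORTSENTRY_LINE.match(line)
        if m and m.group(1) in bans and now - bans[m.group(1)] >= BAN_TTL:
            released.append(m.group(1))
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", released


if __name__ == "__main__":
    new_text, freed = expire_bans(HOSTS_DENY, BAN_LOG, NOW)
    print("released:", freed)
    print(new_text)
```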
