
patrick@ianai.net (Patrick W. Gilmore) wrote:
I'm going to repeat what Sean said, because you clearly didn't read what he said:
You're trying to be harsh, even though I don't understand why. I read what you just rephrased, and I understood it fully, believe me. Let me explain my lines of thought here.

I am fully aware of people scanning the full range of ports, but then, there are a _WHOLE LOT_ fewer full-port-range scans than full-address-range scans. You will see that in your logs, too. If the guys have found an interesting machine, they will scan all ports, sure, but then you _WANT TO DEAL_ with these guys, whether it is because they are interested in you, or because they found a box worth cracking. That of course leaves aside the few guys who really try full-port-range scans on a lot of boxes or, accidentally, the ones I look over. I may be wrong in assuming they are taking an interest, but I take an interest in them and do something. It still is a lot fewer incidents to focus on.

Saving unnecessary work is all that this is about, not whether or not I believe something (this being safer than that, that guy having a specific interest in this, whatever). Actually, I really don't care about people scanning closed or blocked ports, except for a few potential target addresses, that is. But of course I am not doing this by reading server logfiles and wading through folks trying dictionary attacks on just-found-to-exist ssh ports. That's what firewall and ID systems are good at. Most of the time I get interested when "they" get interested, or when there's someone coming up doing something more elaborate than running one of the easy scripts. Apart from that, I am simply not interested, because I have other work to do.

And if I get rid of "dummy alerts" by changing the port for a "generic login" service, so be it. It's a tool to save work. You don't have to use it.

Elmar.