Jon Lewis wrote:
> If port scans really bother you, then you should set up a system to detect them, and regularly rebuild ACLs/null route lists/etc. to stop them in near real time. AFAIK, Cisco sells such a product, as do other network vendors I'm sure.
It is pretty easy to do this with pf running on OpenBSD (et al). You can even set a timeout so that additions to a banned list get removed after x {hours,days,weeks}:

    # table of offending sources; 'persist' keeps it around even when
    # no loaded rule references it (the <> around the name were lost
    # in transit; pf requires them for a table reference)
    table <evil> persist { 0.0.0.0 }

    # drop (and log) anything from an address already in the table
    block in log quick from <evil> to any label "evil"

    # unused port range: more than 5 new connections within 15 seconds
    # from one source puts that source into <evil>; 'flush global' also
    # kills the states that source already has
    pass in quick proto {tcp,udp} from any to any port 1024:65000 \
        synproxy state \
        (max-src-conn-rate 5/15, overload <evil> flush global)

Pick a port range and/or IP address range combo that you don't have anything running on for the rule, then as scans take place the offending IP will be added to the evil table and blocked.

OK, there are some additional details for expiring the evil IPs, and of course your own network details. But this has worked quite well for me, and I love checking the evil table from time to time to see who's been naughty.

My best guess is other firewalls can do something similar.

... alec

--
Alec Berry
Senior Partner and Director of Technology
PGP/GPG key 0xE8E9030F
http://alec.restontech.com/#PGP
RestonTech, Ltd.
http://www.restontech.com/
Phone: (703) 234-2914
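The two mechanisms the message relies on, the max-src-conn-rate 5/15 threshold that feeds the overload table and the later expiry of its entries, modelled in Python as an added example (not code from the original message or from pf itself). The connection list is constructed for illustration, the per-source counting is a fixed-window simplification of pf's moving-average approximation, and the `expire` method stands in for `pfctl -t evil -T expire <seconds>`, the pfctl command that removes table entries older than the given age.

```python
"""Model of pf's max-src-conn-rate / overload behaviour (added example, not pf code)."""
from dataclasses import dataclass, field

LIMIT = 5      # max-src-conn-rate 5/15: more than 5 new connections ...
SECONDS = 15   # ... within a 15-second window trips the overload


@dataclass
class SourceState:
    """Per-source counter, a simplification of pf's conn_rate tracking."""
    window_start: float
    count: int = 0


@dataclass
class OverloadTable:
    """Stand-in for `table <evil> persist`: address -> time it was added."""
    entries: dict = field(default_factory=dict)

    def add(self, addr, now):
        self.entries.setdefault(addr, now)

    def expire(self, max_age, now):
        """Like `pfctl -t evil -T expire max_age`: drop entries older than max_age seconds."""
        stale = [a for a, t in self.entries.items() if now - t > max_age]
        for a in stale:
            del self.entries[a]
        return stale


def evaluate(connections, limit=LIMIT, seconds=SECONDS):
    """connections: iterable of (timestamp, src_ip) for new inbound connections,
    in time order. Returns (table, decisions); each decision is
    (timestamp, src_ip, 'pass' | 'overload' | 'blocked')."""
    table = OverloadTable()
    sources = {}
    decisions = []
    for ts, ip in connections:
        if ip in table.entries:
            decisions.append((ts, ip, "blocked"))      # hit by the 'block in quick from <evil>' rule
            continue
        st = sources.get(ip)
        if st is None or ts - st.window_start >= seconds:
            st = SourceState(window_start=ts)          # start a fresh counting window
            sources[ip] = st
        st.count += 1
        if st.count > limit:
            table.add(ip, ts)                          # overload <evil>; 'flush global' kills existing states
            decisions.append((ts, ip, "overload"))
        else:
            decisions.append((ts, ip, "pass"))
    return table, decisions


# Constructed sample: a scanner (203.0.113.7) opens eight connections in four
# seconds, while a normal host (198.51.100.2) connects three times over a minute.
SAMPLE_CONNECTIONS = [
    (5.0, "198.51.100.2"),
    (10.0, "203.0.113.7"),
    (10.5, "203.0.113.7"),
    (11.0, "203.0.113.7"),
    (11.5, "203.0.113.7"),
    (12.0, "203.0.113.7"),
    (12.5, "203.0.113.7"),   # sixth connection inside 15 s: over the limit
    (13.0, "203.0.113.7"),
    (13.5, "203.0.113.7"),
    (30.0, "198.51.100.2"),
    (60.0, "198.51.100.2"),
]

if __name__ == "__main__":
    table, decisions = evaluate(SAMPLE_CONNECTIONS)
    for ts, ip, verdict in decisions:
        print(f"t={ts:6.1f} {ip:15} {verdict}")
    print("table <evil>:", sorted(table.entries))
    # a day later, the cron-driven expiry removes the entry again
    print("expired:", table.expire(86400, now=100000.0))
```

Run directly, it prints the verdict for every connection and then shows the scanner's address being aged out of the table. On a real host the expiry step is the cron job the message alludes to, for example `pfctl -t evil -T expire 86400` run periodically to drop entries older than a day.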