Nmap Announce mailing list archives
Re: can/should
From: "Eric Hancock" <eric () bitpuddle com>
Date: Wed, 24 May 2000 10:58:40 -0400
As a new firewall admin I have a question for the white hats. I log port scans and do a whois to locate the ISP that owns the IP address. My question is what else can/should be done. I have no other reason to believe they got through or committed any crime. What else are you guys doing? I hope this is not too far off topic.
For most servers, I log the scan and drop the originating IP address into hosts.deny (or equivalent). If I see repeated scans, or particularly malicious ones, I'll send a note to that domain's administrators. Any more than that might piss someone off enough to really try to break in, or DOS me, or whatever.

For web servers and public FTP sites (where I wouldn't necessarily want to block hosts wholesale) I'll log suspicious activity and investigate. Typically, though, the webservers are only serving pages, so they can be put in a DMZ and sufficiently hardened.

E -
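One way to script the log-then-hosts.deny routine described in the reply above, as an added example that is not part of the original post. The log line format, the five-port threshold, the public port set and all function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (format is an assumption, not from the post).
SAMPLE_LOG = """\
May 24 10:01:01 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
May 24 10:01:01 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
May 24 10:01:02 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
May 24 10:01:02 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=111
May 24 10:01:03 fw kernel: DROP SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=143
May 24 10:02:10 fw kernel: ACCEPT SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=80
May 24 10:02:11 fw kernel: ACCEPT SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=21
May 24 10:03:00 fw kernel: DROP SRC=192.0.2.1 DST=192.0.2.10 PROTO=TCP DPT=22
May 24 10:03:05 fw kernel: DROP SRC=ALL:ALL DST=192.0.2.10 PROTO=TCP DPT=22
""".splitlines()

LINE_RE = re.compile(r"SRC=(\S+) .*\bDPT=(\d+)")
PUBLIC_PORTS = {21, 80}   # public FTP/web: log and investigate, never auto-block
MIN_PORTS = 5             # hypothetical threshold: distinct non-public ports probed

def find_scanners(lines, min_ports=MIN_PORTS):
    """Return sorted source IPs that probed at least min_ports distinct non-public ports."""
    ports = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))  # reject junk before it reaches hosts.deny
        except ValueError:
            continue
        port = int(m.group(2))
        if port not in PUBLIC_PORTS:
            ports[src].add(port)
    return sorted(str(ip) for ip, seen in ports.items() if len(seen) >= min_ports)

def hosts_deny_lines(scanners, existing=(), never_block=()):
    """Build 'ALL: <ip>' entries, skipping ones already present or on the allowlist."""
    skip = set(never_block)
    have = {e.strip() for e in existing}
    return [f"ALL: {ip}" for ip in scanners
            if ip not in skip and f"ALL: {ip}" not in have]

if __name__ == "__main__":
    for entry in hosts_deny_lines(find_scanners(SAMPLE_LOG), never_block={"192.0.2.1"}):
        print(entry)
```

The script only prints candidate entries so they can be reviewed before being appended to hosts.deny. Source addresses in scan traffic can be forged, so addresses you depend on (gateways, DNS, monitoring hosts) belong in `never_block`.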