RE: port scan detected

  • From: "Rogers, Brian" <RogersB@xxxxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 20 Aug 2003 11:38:59 -0400

It still records the port scan...even if it drops the packet (at least
that's my understanding).

 

Brian W. Rogers         

Operations Engineer

Tree of Life Corporation 
rogersb@xxxxxxxxxxxxxx
office: (904)940-2152 
mobile: (904)806-7173

 

-----Original Message-----
From: Mark Hopkins [mailto:Mark.Hopkins@xxxxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, August 20, 2003 11:26 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected

 

http://www.ISAserver.org

Tom,

 

Interesting thing happened today. After creating a packet filter to block an
IP, two days ago, he port scanned me again this morning. Can you explain
this? Thanks.

 

Mark

 

  _____  

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, August 19, 2003 4:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected

 

Hi Mark,

 

Sure. Human eyes must evaluate the nature of the attack, and human eyes must
evaluate the source location.

 

For example, if the "attack" is some DNS timeout issue with your DNS
server, do you want to block that?

 

Another example, if the "attack" is from another admin testing his "skills"
from home, do you want to block that?

 

Another example, the IDS is misconfigured, do you want to block what it
says?

 

Another example, a legit host is infected and cleaned. Now that host is
blocked. Do you want to block that and then deal with connectivity issues
when you forgot about your blocking filters or try to fish out the blocked
host address from the thousands in your list?

 

Harden your hosts, use Application and Web filters, never publish a Web site
using an IP address, all the basic stuff. That's a lot more effective than
blocking addresses willy nilly. 

 

YMMV,

Tom

 

Thomas W Shinder

www.isaserver.org/shinder

ISA Server and Beyond: http://tinyurl.com/1jq1

Configuring ISA Server: http://tinyurl.com/1llp

 

-----Original Message-----
From: Mark Hopkins [mailto:Mark.Hopkins@xxxxxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, August 19, 2003 2:13 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected

Tom,

 

Could you elaborate on this "intelligent address blocking"? Thanks.

 

Mark

 


  _____  


From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Tuesday, August 19, 2003 1:59 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected

 

Hi Brian,

 

Nor should you. Blocking addresses that scan you is like shooting at cars
that drive past your home and look at your windows and front door. :-) Be
aware of the attempt, but you'll end up making a critical error sooner or
later if you block addresses without putting some intelligence behind the
block.

 

HTH,

Tom

 

Thomas W Shinder

www.isaserver.org/shinder

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
mark.hopkins@xxxxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub') 
