RE: port scan detected

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 20 Aug 2003 13:27:06 -0700

Mmmmm... aluminum chewing gum...

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "cismic" <cismic@xxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, August 20, 2003 12:12
Subject: [isalist] RE: port scan detected


http://www.ISAserver.org


If I only had a package of foil every time someone said that!

-----Original Message-----
From: Mark Hopkins [mailto:Mark.Hopkins@xxxxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, August 20, 2003 8:26 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected





Tom,



Interesting thing happened today. After creating a packet filter to
block an IP, two days ago, he port scanned me again this morning. Can
you explain this? Thanks.



Mark



  _____

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, August 19, 2003 4:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected




Hi Mark,



Sure. Human eyes must evaluate the nature of the attack, and human eyes
must evaluate the source location.



For example, if the "attack" is some DNS timeout issue with your DNS
server, do you want to block that?



Another example, if the "attack" is from another admin testing his
"skills" from home, do you want to block that?



Another example, the IDS is misconfigured, do you want to block what it
says?



Another example, a legit host is infected and cleaned. Now that host is
blocked. Do you want to block that and then deal with connectivity
issues when you forgot about your blocking filters or try to fish out
the blocked host address from the thousands in your list?



Harden your hosts, use Application and Web filters, never publish a Web
site using an IP address, all the basic stuff. That's a lot more
effective than blocking addresses willy nilly.



YMMV,

Tom



Thomas W Shinder

www.isaserver.org/shinder <http://www.isaserver.org/shinder>

ISA Server and Beyond: http://tinyurl.com/1jq1

Configuring ISA Server: http://tinyurl.com/1llp



-----Original Message-----
From: Mark Hopkins [mailto:Mark.Hopkins@xxxxxxxxxxxxxxxxxxxxx]
Sent: Tuesday, August 19, 2003 2:13 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected


Tom,



Could you elaborate on this "intelligent address blocking"?
Thanks.



Mark




  _____


From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, August 19, 2003 1:59 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: port scan detected




Hi Brian,



Nor should you. Blocking addresses that scan you is like
shooting at cars that drive past your home and look at your windows and
front door. :-) Be aware of the attempt, but you'll end up making a
critical error sooner or later if you block addresses without putting
some intelligence behind the block.



HTH,

Tom



Thomas W Shinder

www.isaserver.org/shinder <http://www.isaserver.org/shinder>

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
mark.hopkins@xxxxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')




