From: "Eric Hancock" <eric () bitpuddle com>
Date: Wed, 24 May 2000 10:58:40 -0400
As a new firewall admin I have a question for the white hats. I log port scans and do a whois to locate the ISP that owns the IP address. My question is what else can/should be done. I have no other reason to believe they got through or committed any crime. What else are you guys doing? I hope this is not too far off topic.

For most servers, I log the scan and drop the originating IP address into hosts.deny (or equivalent). If I see repeated scans, or particularly malicious ones, I'll send a note to that domain's administrators. Any more than that might piss someone off enough to really try to break in, or DOS me, or whatever.

For web servers and public FTP sites (where I wouldn't necessarily want to block hosts wholesale) I'll log suspicious activity and investigate. Typically, though, the webservers are only serving pages, so they can be put in a DMZ and sufficiently hardened.
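The triage the reply describes (log the scan, drop the source into hosts.deny, flag repeat offenders for a note to their administrators), written out as an added example that is not part of the original thread. The log line format, the sample addresses and the three-attempt threshold are assumptions constructed for the example.

```python
"""Added example (not from the original post): triage constructed firewall
scan-log lines, emit hosts.deny entries and list repeat offenders."""
import re

# Constructed sample lines in an assumed kernel-firewall log format.
SAMPLE_LOG = """\
May 24 10:01:02 fw kernel: DENY src=192.0.2.10 dst=203.0.113.5 dpt=23
May 24 10:01:03 fw kernel: DENY src=192.0.2.10 dst=203.0.113.5 dpt=25
May 24 10:01:04 fw kernel: DENY src=192.0.2.10 dst=203.0.113.5 dpt=110
May 24 10:05:00 fw kernel: DENY src=198.51.100.7 dst=203.0.113.5 dpt=22
May 24 11:30:00 fw kernel: DENY src=192.0.2.10 dst=203.0.113.5 dpt=143
May 24 11:31:00 fw kernel: DENY src=198.51.100.7 dst=203.0.113.5 dpt=22
May 24 12:00:00 fw kernel: ACCEPT src=203.0.113.9 dst=203.0.113.5 dpt=80
"""

# Only DENY lines count as scan evidence; ACCEPT lines are ordinary traffic.
LINE_RE = re.compile(
    r"DENY src=(?P<src>\d+\.\d+\.\d+\.\d+) .*?dpt=(?P<port>\d+)")


def parse_denies(log_text):
    """Return {source_ip: [ports probed, in log order]} from DENY lines."""
    probed = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            probed.setdefault(m["src"], []).append(int(m["port"]))
    return probed


def hosts_deny_entries(probed, service="ALL"):
    """One tcpd-style hosts.deny line ('daemon : client') per scanning source."""
    return [f"{service} : {ip}" for ip in sorted(probed)]


def repeat_offenders(probed, min_attempts=3):
    """Sources seen at least min_attempts times: the reply's 'repeated scans',
    i.e. candidates for a note to the owning domain's administrators."""
    return sorted(ip for ip, ports in probed.items() if len(ports) >= min_attempts)


if __name__ == "__main__":
    hits = parse_denies(SAMPLE_LOG)
    print("\n".join(hosts_deny_entries(hits)))
    print("notify administrators of:", repeat_offenders(hits))
```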