Portscans/IP list (Was: Re: [cobalt-users] PortSentry works !)
- Subject: Portscans/IP list (Was: Re: [cobalt-users] PortSentry works !)
- From: "Nico Meijer" <cobalt-users@xxxxxxxxxxxxxxx>
- Date: Thu Mar 22 18:25:20 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hi gsh,

> > So, perhaps an off list scan consortium?
>
> I think from a strictly technical point of view such a list has
> questionable value, most of the IPs I see that go scanning the usual
> ports are dialup/cable modem users, a day after the fact, if not sooner,
> they have some other IP and some other poor slob has the one they used, so
> there's not really much point, I don't think I have seen the same IP show
> up a second time...

You're absolutely right. Nobody in their right mind goes about scanning
hosts from a fixed IP.

Actually, I meant something else. Obviously, I haven't been clear enough.
People in this list have stated that they should scan their own machines
from their own machines on a regular basis. I don't think this will work.

Most people prolly grant all/most access to their own machine *from* their
own machine(s). For instance, if you have telnet enabled, you almost certainly
have strict rules as to which IPs can connect to it. Scanning it from your
own machine will be of little value, since a lot of ports which most other
machines cannot connect to will show up as open.

Therefore, I think it would be of more value when other people scan other
people's machines on a regular basis. For instance, I could scan your
box(en) automatically once a week/day from an IP you have nowhere in your
hosts.allow or an ipchains rule. So I would see everything from a real,
untrusted Internet connection. Done through a cron job, you could
automatically be notified of the results.

Likewise, someone else - perhaps you - could regularly scan *my* machine so
I'd know what the state of it is and what portscanning kiddiez see.

That is what I meant with the "scan consortium".

> So, really, I see little actual value...

I hope I clarified my point and its usefulness. If not, say so, please.

Have a good one... Nico
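
The outside-in check proposed in this message, as an added example that is not part of the original post: a script the scanning partner runs from cron against a host whose owner has agreed to it, from an address that appears in none of that host's hosts.allow or ipchains rules. The port lists and the `host.example.org` name are assumptions made for illustration.

```python
import socket
import sys

# Assumed policy for the host being checked (constructed sample values):
# ports its owner intends to expose to the whole Internet.
EXPECTED_OPEN = {25, 80, 443}
# Ports probed on every run; includes services that should be filtered.
WATCHED = [21, 22, 23, 25, 80, 110, 143, 443, 3306]


def probe(host, port, timeout=3.0):
    """Return True if a full TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False


def audit(host, watched, expected, probe_fn=probe):
    """Compare what an outsider can reach with what the owner intends."""
    reachable = {p for p in watched if probe_fn(host, p)}
    return {
        "unexpected_open": sorted(reachable - set(expected)),
        "expected_but_closed": sorted((set(expected) & set(watched)) - reachable),
    }


def format_report(host, result):
    """Return report text, or an empty string when nothing drifted."""
    lines = []
    if result["unexpected_open"]:
        lines.append(f"{host}: reachable but not in policy: {result['unexpected_open']}")
    if result["expected_but_closed"]:
        lines.append(f"{host}: in policy but unreachable: {result['expected_but_closed']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python3 outside_check.py host.example.org
    # Cron mails any output to MAILTO, so silence means "no change".
    target = sys.argv[1]
    text = format_report(target, audit(target, WATCHED, EXPECTED_OPEN))
    if text:
        print(text)
        sys.exit(1)
```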