Over the past week or so, I've seen several "[WARN-856] Portscan detected" notifications. I wanted to verify that I currently have our Anti-Portscan settings set to the best / correct option.
I'm running UTM 9.308-16 and my current Anti-Portscan setting is "Drop Traffic", which sounds like what I'd want in order to silently drop scan traffic and be in maximum "stealth" mode (i.e. not responding to the scanner at all and appearing as if there's nothing at my IP address).
However, when reading the UTM's built in Help, it describes "Drop Traffic" as:
"Further packets of the portscan will be silently dropped. A port scanner will report these ports as filtered."
I don't want these ports to be reported as "filtered"; I want them to not be reported at all, as if they don't exist. At least I think that this is what I want [:S]
Is "stealth mode" something that I should be trying to achieve? I know that this was recommended years ago, but I didn't know if the philosophy has changed.
If "stealth mode" is what I need to achieve, is "Drop Traffic" the correct setting or should I be using "Log Event Only"?
Thanks in advance,
- Ben
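As an added illustration (not part of Ben's post, and not Sophos code), the script below does what the UTM help text describes from the scanner's side: a TCP connect() probe classifies a port as "open" when the handshake completes, "closed" when the host answers with RST, and "filtered" when nothing comes back before the timeout, which is exactly the outcome a silently dropping firewall produces. It also shows why "filtered" on the scanned ports alone does not make a host invisible: a connect scan (and nmap's default host discovery) considers the host alive as soon as any probe gets any answer. The demo targets 127.0.0.1 with a listening socket and a freshly released port so it runs offline; the port numbers are chosen at runtime and the helper names are this example's own.

```python
import errno
import socket
from typing import Iterable


def probe_tcp_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify a TCP port the way a connect() scanner reports it.

    open     - the three-way handshake completed (SYN/ACK came back)
    closed   - the peer answered with RST (connect() fails with ECONNREFUSED)
    filtered - no answer at all before the timeout, or an ICMP unreachable;
               a firewall that silently drops the SYN ("Drop Traffic") lands here
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:
        # ICMP host/network unreachable is also reported as filtered by nmap
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        sock.close()


def host_appears_alive(states: Iterable[str]) -> bool:
    """A scanner learns the host exists as soon as any port answers at all.

    Only a host whose every probed port times out ("filtered" everywhere)
    looks like empty address space; one RST or SYN/ACK is enough to give it away.
    """
    return any(state != "filtered" for state in states)


def run_demo() -> dict:
    """Probe one listening and one unused port on localhost (constructed setup)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Bind and immediately release a port so we know it is free: a SYN to it
    # gets an RST from the kernel, which is the "closed" case.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    try:
        states = {
            "listening_port": probe_tcp_port("127.0.0.1", open_port),
            "unused_port": probe_tcp_port("127.0.0.1", closed_port),
        }
    finally:
        listener.close()

    states["host_visible_to_scanner"] = host_appears_alive(list(states.values()))
    return states


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against a host whose firewall drops every probed port, every entry would read "filtered" and `host_appears_alive` would return False; against the same host with "Log Event Only", the ports would show as open or closed instead, because the packets reach the TCP stack and it answers.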