[rsync]

Port scanning is neither irregular nor is it abuse.

We should treat attempts to block port scanning the same way we treat blocking ICMP ECHO or traceroute traffic: with derision and contempt.

If your (infra) is so fragile that you're worried about port scans, you're doing something wrong.

[mordechai9000]

I kind of agree. It's mostly automated searches for targets with known vulnerabilities or default credentials. It's fine to block it, but it's not really contributing much to overall security.

The fact is, a serious attacker isn't going to trigger an "x events in y seconds" rule, and even if they do it's not going to stop them.

People get very worked up about port scans and ping sweeps, even spending time manually managing block lists or responding to alerts for simple bot traffic. It's security theater.