| Port scanning can be trivially distributed over multiple IP addresses and rate limited. So blocking one IP address won't do much to block a port scan coming from another IP address. When I tried to apply somewhat similar solutions in the past (e.g. fail2ban), I ended losing access to the server a few times (misconfiguration/bugs/daemon killed/firewall rule conflicts/etc.). A more secure way to prevent port scanning is Single Packet Authorization, e.g. fwknop [1] "SPA requires only a single packet which is encrypted, non-replayable, and authenticated via an HMAC in order to communicate desired access to a service that is hidden behind a firewall in a default-drop filtering stance" Port scans happen all the time, and your security shouldn't rely on hiding that information. Port scans are a mild annoyance, as they litter the logs. I changed SSH to an uncommon port, and saw about a 100x reduction in connection attempts, which is good enough for me. 1. https://github.com/mrash/fwknop |