TCP half-open is not legitimate
"A SYN scan, or half-open scan, waits for a SYN-ACK response from the server and if it receives a response, it does not respond. Such events generally are not logged because a TCP connection is never consummated. These port scans may be malicious reconnaissance or legitimate market and internet research, and the difference is not always obvious."
Having watched quite a bit of traffic, I'll assert that sentence #1 describes unwanted (and thus block-worthy) traffic. A "legitimate" scan would send a RST in response to the SYN-ACK, which would distinguish it from a TCP half-open attack. I recently appeared to have provoked multiple addresses in ASN55679 to do exactly this (SYN, SYN-ACK, silence) and have since tweaked net.ipv4.tcp_synack_retries=1 and am considering 0 retries (the default is 5).
I whitelist research scans when they provide a tidy list of origins with which to do so — not all do, nor do all provide an easy way to assess the origin, such as providing an explanatory web page at the scan origin address.
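
An added example, not part of the original post: a small Python classifier that reads tcpdump -n -tt style lines and separates the handshake outcomes discussed above (SYN, SYN-ACK, silence versus SYN, SYN-ACK, RST versus a completed handshake). The server address, the sample capture and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# tcpdump -n -tt line: "<epoch> IP src.port > dst.port: Flags [X], ..."
LINE = re.compile(r"^\d+\.\d+ IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): Flags \[([^\]]+)\]")
SERVER = "192.0.2.10"  # assumed server address (documentation range)

# Constructed capture: one silent client, one that resets, one that completes.
SAMPLE = """\
1700000000.000000 IP 198.51.100.7.40001 > 192.0.2.10.443: Flags [S], seq 100, win 1024, length 0
1700000000.000100 IP 192.0.2.10.443 > 198.51.100.7.40001: Flags [S.], seq 900, ack 101, win 64240, length 0
1700000001.000100 IP 192.0.2.10.443 > 198.51.100.7.40001: Flags [S.], seq 900, ack 101, win 64240, length 0
1700000002.000000 IP 203.0.113.9.51000 > 192.0.2.10.443: Flags [S], seq 200, win 1024, length 0
1700000002.000100 IP 192.0.2.10.443 > 203.0.113.9.51000: Flags [S.], seq 910, ack 201, win 64240, length 0
1700000002.020000 IP 203.0.113.9.51000 > 192.0.2.10.443: Flags [R], seq 201, win 0, length 0
1700000003.000000 IP 203.0.113.50.52000 > 192.0.2.10.443: Flags [S], seq 300, win 64240, length 0
1700000003.000100 IP 192.0.2.10.443 > 203.0.113.50.52000: Flags [S.], seq 920, ack 301, win 64240, length 0
1700000003.030000 IP 203.0.113.50.52000 > 192.0.2.10.443: Flags [.], ack 921, win 502, length 0
"""

def classify(capture, server=SERVER):
    """Map (client_ip, client_port, server_port) to a handshake verdict."""
    flows = defaultdict(lambda: {"syn": False, "synacks": 0, "reply": None})
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dst == server:                      # client -> server
            f = flows[(src, int(sport), int(dport))]
            if flags == "S":
                f["syn"] = True
            elif f["synacks"] and f["reply"] is None:
                # First packet from the client after our SYN-ACK decides the verdict.
                f["reply"] = "rst-after-synack" if "R" in flags else "completed"
        elif src == server and flags == "S.":  # our SYN-ACK, retransmissions included
            flows[(dst, int(dport), int(sport))]["synacks"] += 1
    # Only flows where we saw both the SYN and at least one SYN-ACK are judged.
    return {k: f["reply"] or "half-open-silent"
            for k, f in flows.items() if f["syn"] and f["synacks"]}

def silent_sources(capture, server=SERVER):
    """Source addresses with at least one SYN, SYN-ACK, silence flow."""
    return sorted({k[0] for k, v in classify(capture, server).items()
                   if v == "half-open-silent"})

if __name__ == "__main__":
    for key, verdict in classify(SAMPLE).items():
        print(key, verdict)
```

The capture has to run past the last SYN-ACK retransmission, otherwise a handshake still in progress is reported as silent.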