PortSentry is a handy Linux port scan detector and is part of the Sentry Tools pack. The Sentry tools provide host-level security services: PortSentry, Logcheck/LogSentry, and HostSentry protect against port scans, automate log file auditing, and detect suspicious login activity on a continuous basis.
The utility has been around for some time now and should be available from your repos. In this example I will install it onto an Ubuntu 12.04 Server:
sudo apt-get install portsentry
Edit the portsentry.conf file located in /etc/portsentry/ (e.g. vim /etc/portsentry/portsentry.conf) and configure the settings to suit your server environment. By default PortSentry only logs and does not block; to turn on blocking, change BLOCK_TCP="0" to BLOCK_TCP="1" and BLOCK_UDP="0" to BLOCK_UDP="1". You can also fine tune other things such as the monitored ports, and create a whitelist for local hosts or Intranets so your own machines are never blocked.
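As an added example (not from the original post or the PortSentry project), the following POSIX shell script switches BLOCK_TCP and BLOCK_UDP on in a portsentry.conf and reads the values back so you can verify the change before restarting. It assumes only the key names shown above; the sample config it edits is a constructed fragment written to a temp file, not the stock Debian/Ubuntu file, so it runs without touching /etc.

```shell
#!/bin/sh
# Added example: enable PortSentry blocking in a portsentry.conf copy and verify it.
# Assumes the key names BLOCK_TCP / BLOCK_UDP used on this page; nothing else.
set -eu

# Set KEY="VALUE" in the given config file: replace an existing (possibly
# commented-out) line, or append the key if it is absent.
set_conf_value() {
    conf="$1"; key="$2"; value="$3"
    if grep -q "^[# ]*${key}=" "$conf"; then
        sed -i "s|^[# ]*${key}=.*|${key}=\"${value}\"|" "$conf"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$conf"
    fi
}

# Read back KEY's value with the surrounding quotes stripped (empty if unset).
get_conf_value() {
    conf="$1"; key="$2"
    grep "^${key}=" "$conf" | head -n 1 | cut -d= -f2- | tr -d '"'
}

# Turn on TCP and UDP blocking, the change described in the text.
enable_blocking() {
    enable_blocking_conf="$1"
    set_conf_value "$enable_blocking_conf" BLOCK_TCP 1
    set_conf_value "$enable_blocking_conf" BLOCK_UDP 1
}

# Constructed sample mirroring the logging-only defaults; prints the temp path.
make_sample_conf() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# constructed sample fragment of portsentry.conf (not the full stock file)
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345"
BLOCK_TCP="0"
BLOCK_UDP="0"
EOF
    echo "$sample"
}

# Demo on the constructed sample rather than on /etc/portsentry/portsentry.conf.
demo_conf=$(make_sample_conf)
echo "before: BLOCK_TCP=$(get_conf_value "$demo_conf" BLOCK_TCP) BLOCK_UDP=$(get_conf_value "$demo_conf" BLOCK_UDP)"
enable_blocking "$demo_conf"
echo "after:  BLOCK_TCP=$(get_conf_value "$demo_conf" BLOCK_TCP) BLOCK_UDP=$(get_conf_value "$demo_conf" BLOCK_UDP)"
rm -f "$demo_conf"
```

To apply it to the real file, call enable_blocking /etc/portsentry/portsentry.conf as root (it rewrites the file in place with sed -i, so keep a backup copy first) and then restart the service; on Ubuntu 12.04 I would expect that to be sudo service portsentry restart, though the init script name is an assumption based on the package name rather than something stated in the post.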
Restart the service:
To test it out, run an nmap scan from another computer on your network and watch the syslog on the server, e.g.
On Server – watch the syslog:
sudo tail -f /var/log/syslog
On the client computer run an nmap scan (using nmap v6.1 here):
sudo nmap -v -A -T4 ubuntuserver
You should soon see the syslog reporting the attack alert and the nmap scan should come to a screaming stop!
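Watching tail -f tells you something happened; for triage it helps to know which source hosts triggered alerts, how many probes each sent and whether PortSentry actually blocked them (with BLOCK_TCP/BLOCK_UDP still at "0" you only get the "Connect from host" lines). The awk summary below is an added example, not part of the original post; the syslog lines it parses are constructed and modelled on PortSentry's attackalert messages, so the exact wording is an assumption to check against your own /var/log/syslog.

```shell
#!/bin/sh
# Added example: summarise PortSentry attackalert lines from syslog by source host.
# Output format: "<host> <probe count> blocked|log-only", one line per host.
set -eu

alert_summary() {
    awk '
        # Probe line, e.g. "... attackalert: Connect from host: 10.0.0.5/10.0.0.5 to TCP port: 1080"
        /portsentry\[[0-9]+\]: attackalert: Connect from host:/ {
            for (i = 1; i <= NF; i++)
                if ($i == "host:") { split($(i + 1), parts, "/"); host = parts[1] }
            hits[host]++
        }
        # Block line, e.g. "... attackalert: Host 10.0.0.5 has been blocked via wrappers ..."
        /attackalert: Host [^ ]+ has been blocked via/ {
            for (i = 1; i <= NF; i++)
                if ($i == "Host") host = $(i + 1)
            blocked[host] = 1
        }
        END {
            for (h in hits)
                printf "%s %d %s\n", h, hits[h], (h in blocked) ? "blocked" : "log-only"
        }' | sort
}

# Constructed sample syslog excerpt (assumed attackalert wording, constructed addresses).
SAMPLE_SYSLOG='May 14 10:22:01 ubuntuserver portsentry[1423]: attackalert: Connect from host: 192.168.1.50/192.168.1.50 to TCP port: 1080
May 14 10:22:01 ubuntuserver portsentry[1423]: attackalert: Host 192.168.1.50 has been blocked via wrappers with string: "ALL: 192.168.1.50"
May 14 10:22:02 ubuntuserver portsentry[1423]: attackalert: Connect from host: 192.168.1.50/192.168.1.50 to TCP port: 31337
May 14 10:22:02 ubuntuserver portsentry[1423]: attackalert: Host: 192.168.1.50/192.168.1.50 is already blocked Ignoring
May 14 10:22:05 ubuntuserver portsentry[1423]: attackalert: Connect from host: 192.168.1.77/192.168.1.77 to UDP port: 31337
May 14 10:23:00 ubuntuserver CRON[1500]: (root) CMD (run-parts /etc/cron.hourly)'

# Demo on the constructed sample. Against a live box use:
#   grep attackalert /var/log/syslog | alert_summary
# (awk prints in END, so pipe a finished file, not tail -f).
printf '%s\n' "$SAMPLE_SYSLOG" | alert_summary
```

A host that shows up as "log-only" after you have enabled blocking means the scan was seen but no block was applied, which is the first thing to check if the nmap run does not stop.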