PortSentry – Linux port scan detector

PortSentry is a handy Linux port scan detector and is part of the Sentry Tools pack. The Sentry tools provide host-level security services: PortSentry, Logcheck/LogSentry, and HostSentry protect against port scans, automate log file auditing, and detect suspicious login activity on a continuous basis.

The utility has been around for some time now and should be available from your distribution's repositories. In this example I will install it onto an Ubuntu 12.04 Server:

 sudo apt-get install portsentry

Edit the portsentry.conf file located in /etc/portsentry/ (e.g. vim /etc/portsentry/portsentry.conf) and configure the settings to suit your server environment. By default PortSentry only logs and does not block; to turn on blocking, change BLOCK_TCP="0" to BLOCK_TCP="1" and BLOCK_UDP="0" to BLOCK_UDP="1". You can also fine-tune other things such as the monitored ports, and create a whitelist for local hosts or intranets.
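The edit described above, carried out with sed so it can be scripted and verified. This is an added example, not code from the original post or from the PortSentry project: the sample config it writes is constructed (only the two BLOCK_* keys mirror the real file), it works on a scratch copy rather than /etc/portsentry/portsentry.conf, and the two helper names are my own.

```shell
#!/bin/sh
# Added example: turn on PortSentry blocking in a copy of portsentry.conf
# and check the result. make_sample_conf writes a constructed stand-in for
# the real file so this runs offline; point enable_blocking at a backup copy
# of the real config when you use it for real.

# Write a constructed sample config with the default "log only" settings.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample config (not the real default file)
TCP_PORTS="1,11,15,79,111,119,143"
UDP_PORTS="1,7,9,69,161,162"
BLOCK_TCP="0"
BLOCK_UDP="0"
EOF
}

# Flip BLOCK_TCP/BLOCK_UDP from "0" to "1"; every other line is left untouched.
# A temp file is used instead of sed -i so this works with any POSIX sed.
enable_blocking() {
    sed -e 's/^BLOCK_TCP="0"/BLOCK_TCP="1"/' \
        -e 's/^BLOCK_UDP="0"/BLOCK_UDP="1"/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Exit 0 only when both TCP and UDP blocking are switched on.
blocking_enabled() {
    grep -q '^BLOCK_TCP="1"' "$1" && grep -q '^BLOCK_UDP="1"' "$1"
}

# Usage against a scratch copy:
conf=$(mktemp)
make_sample_conf "$conf"
enable_blocking "$conf"
blocking_enabled "$conf" && echo "blocking enabled in $conf"
rm -f "$conf"
```

Run blocking_enabled against the real file after editing to confirm the change took before restarting the service; on the Debian/Ubuntu package the whitelist of hosts that must never be blocked is kept in a separate ignore file under /etc/portsentry/ (check your install for its exact name), so a management host that will run the test scan below can be exempted there.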

Restart the service:

 /etc/init.d/portsentry restart

To test it out, run an nmap scan from another computer on your network and watch the syslog on the server, as follows.

On Server – watch the syslog:

 sudo tail -f /var/log/syslog

On the client computer run an nmap scan (using nmap v6.1 here):

 sudo nmap -v -A -T4 ubuntuserver

You should soon see the syslog reporting the attack alert and the nmap scan should come to a screaming stop!
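What the syslog side of that test looks like when summarised rather than tailed. This is an added example, not part of the original post: the log lines are constructed in the style of PortSentry's "attackalert" messages (the exact wording on your system may differ), the hostnames and addresses are made up, and the helper names are my own.

```shell
#!/bin/sh
# Added example: summarise PortSentry alerts from a syslog file, listing each
# scanning source with the number of distinct ports it touched, and the hosts
# that PortSentry reports as blocked. The sample log is constructed.

make_sample_syslog() {
    cat > "$1" <<'EOF'
Jun  3 10:12:01 ubuntuserver portsentry[1234]: attackalert: Connect from host: 192.168.1.50/192.168.1.50 to TCP port: 111
Jun  3 10:12:01 ubuntuserver portsentry[1234]: attackalert: Host 192.168.1.50 has been blocked via wrappers with string: "ALL: 192.168.1.50"
Jun  3 10:12:01 ubuntuserver portsentry[1234]: attackalert: Connect from host: 192.168.1.50/192.168.1.50 to TCP port: 143
Jun  3 10:12:02 ubuntuserver portsentry[1234]: attackalert: Host: 192.168.1.50/192.168.1.50 is already blocked Ignoring
Jun  3 10:12:02 ubuntuserver portsentry[1234]: attackalert: Connect from host: 192.168.1.50/192.168.1.50 to TCP port: 143
Jun  3 10:15:44 ubuntuserver sshd[2222]: Accepted publickey for admin from 192.168.1.10 port 51234 ssh2
Jun  3 10:20:05 ubuntuserver portsentry[1234]: attackalert: Connect from host: 10.0.0.7/10.0.0.7 to UDP port: 161
EOF
}

# Print "source-address distinct-port-count" per scanning host, sorted.
scan_sources() {
    awk '/attackalert: Connect from host: / {
            line = $0
            sub(/.*Connect from host: /, "", line)   # "IP/IP to TCP port: N"
            split(line, h, "/")                      # h[1] is the source address
            sub(/.* port: /, "", line)               # only the port number remains
            if (!((h[1], line) in seen)) { seen[h[1], line] = 1; ports[h[1]]++ }
        }
        END { for (k in ports) print k, ports[k] }' "$1" | sort
}

# Print each address PortSentry reports as blocked, once.
blocked_hosts() {
    sed -n 's/.*attackalert: Host \([^ ]*\) has been blocked.*/\1/p' "$1" | sort -u
}

# Usage against the constructed sample; swap in /var/log/syslog on a real server.
log=$(mktemp)
make_sample_syslog "$log"
echo "scan sources (address, distinct ports):"
scan_sources "$log"
echo "blocked hosts:"
blocked_hosts "$log"
rm -f "$log"
```

The repeated probe of port 143 is counted once, and the "already blocked" line is ignored, so the per-host count reflects how far the scan got before PortSentry cut it off rather than how noisy the log was.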
