A handy piece of software for detecting and dealing with port
scans is PortSentry. This article looks into the installation and basic
configuration of this package:
"As any administrator knows, a successful network
rollout begins and ends with security. No matter how much money is
spent on a system with the latest and greatest hardware and
software, the system can be rendered worthless if its security is
compromised. Unfortunately, keeping up with system security can be
tedious. Administrators must stay aware of updates to software as
well as the latest system compromise techniques. Due to this
difficult task, system security is often not maintained and is
lacking in many areas. This is illustrated by the increased number
of reports that entail system compromise. This dilemma changed for
me when I discovered the freeware tools offered by Psionic
Software, Inc. called PortSentry and Logcheck. Within minutes,
these tools can be installed and configured to improve system
security dramatically.
Once a host is targeted by an attacker, a port scan is almost
always performed. The port scan is done to expose all services
available on the target host and to provide a starting point for
break-in attempts. PortSentry detects such scans by monitoring the
unused ports on the host. Upon a connection attempt to one of the
unused ports, PortSentry is alerted and has the ability to issue a
number of commands in response to the scan. The commands issued are
configured by the administrator within a configuration file.
Although any command may be used, the most helpful is one in which
the IP address of the attacker's host is essentially "black holed"
by issuing a routing command that denies all traffic from that
address. The violation and corresponding action taken by PortSentry
are recorded in the system log. Using another Psionic utility,
Logcheck, these security alerts are e-mailed to an administrator at
designated intervals. Thus, the host is now capable not only of
retaliating against a potential break-in attempt automatically, but
also of notifying the administrator of the occurrence."
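The mechanism the quoted article describes (listeners on unused ports, an alert in the system log for each probe, a routing command that black-holes the source, and a Logcheck-style filter that picks the alerts out of the log for the administrator) is sketched below as an added example. It is not PortSentry's or Logcheck's own code: the `KILL_ROUTE` template, the `$TARGET$` placeholder, the trigger count, the log line format and the port numbers are all assumptions made for this illustration, and the block command is only recorded, never executed.

```python
import selectors
import socket
import threading
import time
from datetime import datetime

# Hypothetical response template in the spirit of PortSentry's configuration
# file; $TARGET$ is replaced with the probing address. Recorded, never run.
KILL_ROUTE = "/sbin/route add -host $TARGET$ reject"


class Sentry:
    """Minimal PortSentry-style detector: watch otherwise unused ports,
    log every probe, and emit a block command once a source has tripped
    the trigger count."""

    def __init__(self, watched_ports, trigger_count=1):
        self.watched_ports = set(watched_ports)
        self.trigger_count = trigger_count
        self.hits = {}          # src_ip -> probes seen on watched ports
        self.blocked = set()    # sources already black-holed
        self.log_lines = []     # what would be written to syslog

    def handle_probe(self, src_ip, port):
        """Record a connection attempt. Return the block command the first
        time src_ip reaches the trigger count, otherwise None."""
        if port not in self.watched_ports:
            return None
        self.hits[src_ip] = self.hits.get(src_ip, 0) + 1
        self._log(f"attackalert: Connect from host: {src_ip} to TCP port: {port}")
        if src_ip in self.blocked or self.hits[src_ip] < self.trigger_count:
            return None
        self.blocked.add(src_ip)
        cmd = KILL_ROUTE.replace("$TARGET$", src_ip)
        self._log(f'attackalert: Host {src_ip} has been blocked via dropped route: "{cmd}"')
        return cmd

    def _log(self, msg):
        # Constructed syslog-like line; the process id is a fixed placeholder.
        stamp = datetime.now().strftime("%b %d %H:%M:%S")
        self.log_lines.append(f"{stamp} host portsentry[1]: {msg}")

    def serve(self, bind_addr="127.0.0.1", max_events=1, timeout=5.0):
        """Bind real listeners on the watched ports (loopback only here),
        process up to max_events connections or stop at the timeout, and
        return the number of probes handled."""
        sel = selectors.DefaultSelector()
        listeners = []
        for port in sorted(self.watched_ports):
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind((bind_addr, port))
            s.listen(5)
            s.setblocking(False)
            sel.register(s, selectors.EVENT_READ, data=port)
            listeners.append(s)
        deadline = time.monotonic() + timeout
        seen = 0
        while seen < max_events and time.monotonic() < deadline:
            for key, _ in sel.select(timeout=0.5):
                conn, (src_ip, _src_port) = key.fileobj.accept()
                conn.close()                     # nothing is served on these ports
                self.handle_probe(src_ip, key.data)
                seen += 1
        for s in listeners:
            sel.unregister(s)
            s.close()
        sel.close()
        return seen


def logcheck_digest(log_lines, keyword="attackalert"):
    """Logcheck-style filter: keep only the lines carrying the alert keyword,
    i.e. what would be mailed to the administrator at the next interval."""
    return [line for line in log_lines if keyword in line]


if __name__ == "__main__":
    # Constructed demo: two unprivileged high ports stand in for unused services.
    sentry = Sentry({40111, 41080}, trigger_count=1)
    t = threading.Thread(target=sentry.serve, kwargs={"max_events": 1})
    t.start()
    time.sleep(0.2)                              # let the listeners bind
    with socket.create_connection(("127.0.0.1", 40111), timeout=2):
        pass                                     # one probe from loopback
    t.join()
    print("\n".join(logcheck_digest(sentry.log_lines)))
```

The trigger count is the knob that separates a single stray connection from a sweep: with `trigger_count=1` every probe of a watched port blocks its source, which is aggressive and can be abused to lock out a spoofed address, so in practice it is worth raising it and keeping an allow-list of hosts that must never be blocked.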