Using PortSentry
A cracker will usually first look to see what services a target is running and go from there to attempt to break into the target server. In a port scan, crackers go through all the common ports on a system looking for possible flaws in the configuration or for a service with a known vulnerability.
PortSentry is a program designed to detect and respond to port scans against a target host in real-time. It can run on multiple TCP and UDP sockets at once, detect stealth scans, report scan attempts to a local or remote logging facility, and take defensive actions against the attacker.
Installation
First, download PortSentry from here.
Then, run:
tar xvzf portsentry-1.0.tar.gz
cd portsentry-1.0
make linux
make install
If you have any problems with this, read the portsentry-1.0/README.install file.
Configuration
The PortSentry configuration file is located at /usr/local/psionic/portsentry/portsentry.conf. Change the configuration where necessary to suit the needs of the system. Blocking scans is recommended, but if ipchains is used, the -l (logging) option should be used with care, because an attacker can exploit it for a denial of service by filling up your /var partition with log entries.
Once finished editing the configuration file, add any addresses that should not be reported for scanning to the /usr/local/psionic/portsentry/portsentry.ignore file. At the very least, all local interfaces should be listed in the file along with 0.0.0.0. Here is an example portsentry.ignore file:
127.0.0.1
0.0.0.0
192.168.1.6
Using PortSentry
The different options for running PortSentry are:
portsentry -udp
portsentry -tcp
portsentry -audp
portsentry -sudp
portsentry -atcp
portsentry -stcp
With either the -udp or the -tcp option, normal scan detection is done. With -sudp and -stcp, normal stealth scan detection is done. With -audp or -atcp, advanced stealth scan detection is done. It is recommended to run two instances of PortSentry, one for UDP and one for TCP:
/usr/local/psionic/portsentry/portsentry -sudp
and
/usr/local/psionic/portsentry/portsentry -atcp
Adding the above two commands to /etc/rc.d/rc.local will make PortSentry start automatically at boot.
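The ignore-file rule from the Configuration section (every local interface plus 127.0.0.1 and 0.0.0.0) is easy to get wrong once interfaces are added later, and a missing entry means PortSentry may block the host's own address. This added shell example, which is not part of the original article or of PortSentry, derives the required entries from the output of ip -4 -o addr show and reports what an existing ignore file lacks; it assumes that command's one-address-per-line format, and both the address output and the ignore file below are constructed samples.

```shell
#!/bin/sh
# Constructed sample of `ip -4 -o addr show` output, standing in for the
# live command on a real host (assumed format: one line per address).
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.1.6/24 brd 192.168.1.255 scope global eth0
3: eth1    inet 10.0.0.4/8 brd 10.255.255.255 scope global eth1'

# Constructed sample of a portsentry.ignore that forgot the eth1 address.
SAMPLE_IGNORE='127.0.0.1
0.0.0.0
192.168.1.6'

# required_ignore_entries: read `ip -4 -o addr` lines on stdin and print,
# one per line, every address PortSentry must never report: loopback and
# 0.0.0.0 always, then each interface address stripped of its prefix
# length, without duplicates.
required_ignore_entries() {
    {
        printf '127.0.0.1\n0.0.0.0\n'
        awk '{ for (i = 1; i <= NF; i++)
                 if ($i == "inet") { split($(i + 1), a, "/"); print a[1] } }'
    } | awk '!seen[$0]++'
}

# missing_ignore_entries ADDR_OUTPUT IGNORE_TEXT: print each required entry
# that does not appear as a whole line in the ignore file text.
missing_ignore_entries() {
    printf '%s\n' "$1" | required_ignore_entries | while IFS= read -r addr; do
        printf '%s\n' "$2" | grep -qx -- "$addr" || printf '%s\n' "$addr"
    done
}

# ignore_file_complete ADDR_OUTPUT IGNORE_TEXT: exit 0 only when nothing
# is missing, so it can gate a start script.
ignore_file_complete() {
    [ -z "$(missing_ignore_entries "$1" "$2")" ]
}

# Usage with the constructed samples: prints 10.0.0.4 as the missing entry.
missing_ignore_entries "$SAMPLE_IP_ADDR" "$SAMPLE_IGNORE"
```

On a live host, replace the sample with "$(ip -4 -o addr show)" and the ignore text with "$(cat /usr/local/psionic/portsentry/portsentry.ignore)".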
More Information
Check out this article. Also, here is an article about setting up PortSentry to log to a separate file. At DEFCON 7, the author of PortSentry made a presentation with the slides that are shown here.