2. Portsentry and PSAD

2.1. Portsentry

Portsentry is a relatively simple application that is easy to build and install. It is designed to detect port scans and other suspicious (multiple) connections and, if so configured, to block the offending host by calling an external command (see below).

Portsentry was originally written by Psionic, which was acquired by Cisco. It is now available via Sourceforge.

Specifically, PortSentry runs as a daemon on the protected host. When running, it listens on TCP/UDP ports. PortSentry is very easy to configure --- the configuration files live in /etc/portsentry.

It can be argued that binding to a large number of ports in this way is undesirable.

The method by which Portsentry blocks hosts is configurable via the KILL_ROUTE setting in portsentry.conf, for example:

    # -- Linux running IP Tables :
    KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
    #
    # -- Generic Solaris :
    # KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"

2.2. PSAD

PSAD is available under the GPL from Cipherdyne.

From the Web page:

PSAD is a collection of three lightweight system daemons...that run on Linux machines and analyze IPTables log messages to detect port scans and other suspicious traffic.

PSAD incorporates many signatures from the Snort intrusion detection system to detect probes for various backdoor programs..., DDoS tools..., and advanced port scans... When combined with FWSnort, PSAD is capable of detecting approximately 75% of all Snort rules...
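Both tools above rest on the same two ideas: PSAD decides that a source is scanning by analysing iptables LOG messages, and Portsentry reacts by substituting the offender's address into a KILL_ROUTE template. The following Python example, added here and not taken from either project, shows a minimal version of each. It assumes a few constructed iptables log lines in the default kernel LOG format (the prefix and field order depend on the actual LOG rule), treats a source that contacts at least `port_threshold` distinct destination ports within `window_seconds` as a scanner, and renders a KILL_ROUTE-style template into an argument vector only after validating that the target is a literal IP address, so that text pulled from a log line can never be handed to a shell unchecked. The function and threshold names are this example's own.

```python
import ipaddress
import re
import shlex
from collections import defaultdict
from datetime import datetime

# Fields we need from a kernel LOG line; the MAC= field is skipped because it
# contains colons and is absent on non-Ethernet interfaces.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
# Syslog timestamp has no year; we assume the current log year (constructed: 2024).
TS_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d)")
LOG_YEAR = 2024


def parse_line(line):
    """Return a dict (ts, src, dst, proto, dpt) for an iptables LOG line, else None."""
    m = LOG_RE.search(line)
    t = TS_RE.match(line)
    if not m or not t:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {t['mon']} {t['day']} {t['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def detect_scans(lines, port_threshold=5, window_seconds=60):
    """Map scanning source IP -> max distinct destination ports seen in one window."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        # Sliding window: advance `start` until the window fits in window_seconds.
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            ports = {e["dpt"] for e in evs[start:end + 1]}
            if len(ports) >= port_threshold:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts


def render_kill_route(template, target):
    """Expand $TARGET$ in a KILL_ROUTE-style template into an argv list.

    The target must parse as an IP address; anything else raises ValueError,
    which is what prevents a crafted log field from becoming shell input.
    """
    ip = ipaddress.ip_address(target)
    return [tok.replace("$TARGET$", str(ip)) for tok in shlex.split(template)]


# --- constructed sample log lines (not real traffic) ---------------------
def _mk(ts, src, dpt):
    return (f"{ts} fw kernel: IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
            f"SRC={src} DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF "
            f"PROTO=TCP SPT=40000 DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")


LOG_LINES = [
    # fast scanner: six ports in five seconds
    _mk("Jan 10 12:00:01", "203.0.113.5", 21),
    _mk("Jan 10 12:00:02", "203.0.113.5", 22),
    _mk("Jan 10 12:00:02", "203.0.113.5", 23),
    _mk("Jan 10 12:00:03", "203.0.113.5", 25),
    _mk("Jan 10 12:00:04", "203.0.113.5", 80),
    _mk("Jan 10 12:00:05", "203.0.113.5", 443),
    # legitimate host: repeated SSH, one port only
    _mk("Jan 10 12:00:10", "198.51.100.7", 22),
    _mk("Jan 10 12:01:30", "198.51.100.7", 22),
    _mk("Jan 10 12:02:00", "198.51.100.7", 22),
    # slow scanner: 91 s between probes, never 5 ports in one 60 s window
    _mk("Jan 10 12:00:00", "203.0.113.9", 21),
    _mk("Jan 10 12:01:31", "203.0.113.9", 22),
    _mk("Jan 10 12:03:02", "203.0.113.9", 23),
    _mk("Jan 10 12:04:33", "203.0.113.9", 25),
    _mk("Jan 10 12:06:04", "203.0.113.9", 80),
    "Jan 10 12:07:00 fw sshd[123]: Accepted publickey for admin",  # ignored
]

if __name__ == "__main__":
    for src, n in detect_scans(LOG_LINES).items():
        print(src, n, render_kill_route('/sbin/iptables -I INPUT -s $TARGET$ -j DROP', src))
```

The slow scanner in the sample data is deliberately missed: a fixed window and threshold are a trade-off, and lowering them to catch it raises the false-positive rate on busy hosts, which is exactly the tuning PSAD's danger levels exist for.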
