PortSentry is a great attack detection tool: it detects port scans against a host and monitors for both TCP and UDP scans. It is worth installing and configuring to improve server security. Unfortunately this tool is no longer developed, and other hardening options are a better solution than using it. But in case you would like to test it, feel free.
Installation
Debian/Ubuntu
apt-get install portsentry
Fedora/CentOS
rpm -i portsentry*
Arch
yaourt -S portsentry
Configuration
sudo nano /etc/portsentry/portsentry.conf
Below you can find the settings from my configuration. Adjust them to suit your needs, or leave them as they are to keep your server's ports protected and block any scans.
Port configuration
Uncomment one of the following sets of ports:
- Un-comment these if you are really anal
- Use these if you just want to be aware
- Use these for just bare-bones
Personally, I always choose the first set. By default, the second set is uncommented.
# Un-comment these if you are really anal:
Advanced Stealth Scan Detection Options
Here you can set additional ports you want to monitor:
ADVANCED_PORTS_TCP="1023"
Also you can exclude some ports here:
ADVANCED_EXCLUDE_TCP="113,139"
Configuration Files
Locations of the files for ignored, history and blocked hosts.
# Hosts to ignore
Ignore Options
# 0 = Do not block UDP/TCP scans.
TCP Wrappers
KILL_HOSTS_DENY="ALL: $TARGET$"
Port Banner Section
Enter here the text you want displayed to a person tripping PortSentry.
PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
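Since a wrong value in any of the sections above (two port sets left uncommented, an out-of-range port, no exclude list in advanced mode, a KILL_HOSTS_DENY template without $TARGET$, or an admin address missing from the ignore file) is only noticed when PortSentry blocks the wrong host, here is a small checker for the whole configuration. It is an added example, not code from this post or from the PortSentry project; the configuration keys are the real portsentry.conf keys named above, but SAMPLE_CONF and SAMPLE_IGNORE are constructed samples with shortened port lists, not the author's files.

```python
"""Sanity-check a PortSentry configuration before enabling blocking.

Added example; not PortSentry code and not the post author's configuration.
It parses the KEY="value" lines of portsentry.conf and reports the mistakes
that usually bite on a hardened server.
"""
import ipaddress
import re

ASSIGN_RE = re.compile(r'^([A-Z_]+)="([^"]*)"\s*$')

PORT_KEYS = ("TCP_PORTS", "UDP_PORTS", "ADVANCED_PORTS_TCP", "ADVANCED_PORTS_UDP",
             "ADVANCED_EXCLUDE_TCP", "ADVANCED_EXCLUDE_UDP")

# Constructed sample conf: the first ("really anal") set is uncommented, the
# second set is commented out; port lists are shortened for the example.
SAMPLE_CONF = """\
# Un-comment these if you are really anal:
TCP_PORTS="1,7,9,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,31337"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,31337,54321"
# Use these if you just want to be aware:
#TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,31337"
#UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,31337,54321"
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
ADVANCED_EXCLUDE_TCP="113,139"
ADVANCED_EXCLUDE_UDP="520,138,137,67"
IGNORE_FILE="/etc/portsentry/portsentry.ignore"
HISTORY_FILE="/var/lib/portsentry/portsentry.history"
BLOCKED_FILE="/var/lib/portsentry/portsentry.blocked"
BLOCK_UDP="1"
BLOCK_TCP="1"
KILL_HOSTS_DENY="ALL: $TARGET$"
PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
"""

# Constructed sample ignore file: loopback, the wildcard address and an admin
# network, in the plain-address and CIDR forms the file accepts.
SAMPLE_IGNORE = """\
# portsentry.ignore
127.0.0.1/32
0.0.0.0
192.168.2.0/24
"""


def parse_conf(text):
    """Map each KEY to the list of its uncommented values (comment lines skipped)."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            key, value = m.groups()
            active.setdefault(key, []).append(value)
    return active


def parse_ports(value):
    """Turn a comma-separated port list into ints, rejecting anything outside 1-65535."""
    ports = []
    for item in value.split(","):
        item = item.strip()
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            raise ValueError(f"bad port {item!r}")
        ports.append(int(item))
    return ports


def check_conf(text):
    """Return a list of findings; an empty list means the config looks sane."""
    active = parse_conf(text)
    findings = []
    for key in ("TCP_PORTS", "UDP_PORTS"):
        n = len(active.get(key, []))
        if n != 1:
            findings.append(f"{key}: expected exactly one uncommented set, found {n}")
    for key in PORT_KEYS:
        for value in active.get(key, []):
            try:
                parse_ports(value)
            except ValueError as exc:
                findings.append(f"{key}: {exc}")
    # Advanced mode watches every unused port up to ADVANCED_PORTS_*; ports that
    # legitimate peers probe (ident 113, NetBIOS 139) must be excluded, or
    # ordinary clients end up blocked.
    for proto in ("TCP", "UDP"):
        if active.get(f"ADVANCED_PORTS_{proto}") and not active.get(f"ADVANCED_EXCLUDE_{proto}"):
            findings.append(f"ADVANCED_EXCLUDE_{proto}: empty while advanced mode is enabled")
    for value in active.get("KILL_HOSTS_DENY", []):
        if "$TARGET$" not in value:
            findings.append("KILL_HOSTS_DENY: template lacks $TARGET$, so the scanner's address is never written")
    return findings


def hosts_deny_line(template, target):
    """Expand $TARGET$ the way PortSentry does before appending to hosts.deny."""
    return template.replace("$TARGET$", target)


def is_ignored(ignore_text, address):
    """True if address matches an entry (plain IP, CIDR or netmask form) in portsentry.ignore."""
    ip = ipaddress.ip_address(address)
    for raw in ignore_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry and ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


if __name__ == "__main__":
    for finding in check_conf(SAMPLE_CONF) or ["config OK"]:
        print(finding)
    print(hosts_deny_line("ALL: $TARGET$", "203.0.113.7"))
    print("admin address ignored:", is_ignored(SAMPLE_IGNORE, "192.168.2.44"))
```

Run it against your own files by reading /etc/portsentry/portsentry.conf and the file named in IGNORE_FILE instead of the constructed samples; the ignore check is worth doing from the address you administer the server from, because with BLOCK_TCP="1" a single scan from that address is enough to write it into hosts.deny.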