PortSentry – a port watcher

PortSentry is a program which watches connections on your ports and sends you warning messages if someone scans them. It's good for most port scans, but not all.
This is from /usr/ports/security/portsentry/pkg/DESCR:
PortSentry is part of the Abacus Project suite of security tools. It is a program designed to detect and respond to port scans against a target host in real-time. There are other port scan detectors that perform similar detection of scans, but PortSentry has some unique features that may make it worth looking into.
WWW: http://www.psionic.com/abacus/portsentry/
Disclosure: I’m the port maintainer for PortSentry.
Installing

Remember, I have the entire ports tree. So it was easy:

cd /usr/ports/security/portsentry
make
make install
Configuring

Sorry, but I've lost my notes for this install. The rest of this article is from memory.
The first thing is to fetch everything:
You should read /work/portsentry-1.0/README.install. The important steps are:
- copy /usr/local/etc/portsentry.conf.default to /usr/local/etc/portsentry.conf
- modify /usr/local/etc/portsentry.conf to your liking (see below)
- add hosts which should be ignored to /usr/local/etc/portsentry.ignore
As time goes on, you might want to add things to /usr/local/etc/portsentry.ignore but use caution.
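Because PortSentry responds to a scan by blocking the source address, any host you rely on (your gateway, your name servers) that is not covered by portsentry.ignore can end up locked out, which is why the caution above matters. The following is an added example, not part of the original article or of PortSentry itself: a small check that parses a constructed portsentry.ignore and reports which must-never-block hosts it fails to cover. It assumes the ignore file holds one address per line, allows `#` comments, and (as in PortSentry 1.x) accepts an optional `/prefix` netmask; the addresses themselves are made up.

```python
import ipaddress

# Constructed sample portsentry.ignore (not from the page). One entry per
# line; '#' starts a comment; a '/prefix' netmask is assumed to be accepted.
SAMPLE_IGNORE = """\
# always ignore loopback and the unspecified address
127.0.0.1
0.0.0.0
# this host's own address
192.168.2.5
# the whole LAN
192.168.2.0/24
"""


def parse_ignore(text):
    """Return the ignore list as a list of ip_network objects.

    Bare addresses become /32 (or /128) networks, so a single membership
    test works for both plain hosts and netmask entries.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_ignored(addr, nets):
    """True if addr falls inside any entry of the parsed ignore list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def missing_hosts(ignore_text, must_have):
    """Return the hosts from must_have that the ignore file does not cover.

    Run this against /usr/local/etc/portsentry.ignore with your gateway,
    DNS servers and other critical hosts before starting portsentry; an
    empty result means none of them can be auto-blocked by mistake.
    """
    nets = parse_ignore(ignore_text)
    return [h for h in must_have if not is_ignored(h, nets)]


if __name__ == "__main__":
    # Hypothetical critical hosts: gateway, a LAN box, and an off-LAN resolver.
    critical = ["127.0.0.1", "192.168.2.1", "192.168.2.77", "10.0.0.53"]
    print("not covered by ignore list:", missing_hosts(SAMPLE_IGNORE, critical))
```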
Running

Again, see work/portsentry-1.0/README.install, especially "STEP 5". I tried running portsentry this way:

portsentry -tcp
portsentry -udp
I once was confident in portsentry detection... but suddenly somebody told me that it can be used for a (kind of) DoS. I found no references on this; can you please point my nose to the right track?? <g> 🙂
btw, if I cannot find this, it is probably a false assumption... but I am paranoid. 😀
The DoS is mentioned in the documentation and the READMEs.