PortSentry is part of the Abacus Project suite of tools. The Abacus Project is an initiative to release low-maintenance, generic, and reliable host-based intrusion detection software to the Internet community. More information can be obtained from http://www.psionic.com.
PortSentry has a number of options to detect port scans. When it finds one, it can react in the following ways:
The purpose of this is to give an admin a heads-up that their host is being probed. There are similar programs that do this already (klaxon, etc.); I just add a little twist to the whole idea (auto-blocking), plus extensive support for stealth scan detection.
PortSentry has four "stealth" scan detection modes. Method one uses a pre-defined list of ports to watch over. If someone pokes at them, it activates. The second method is what I call "inverse" port binding, where every port under a range is watched *except* for those that the system has bound for network daemons when PortSentry starts or ones that you've manually excluded. This is a very sensitive way of looking for port probes, but also the most prone to false alarms.
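The "inverse" binding logic described above, as an added Python sketch (not PortSentry's own code). All function names, the sample listing, and the connection events are constructed for illustration. Reading a Linux `/proc/net/tcp`-style listing to learn which ports are bound is an assumption made here, not a statement of how PortSentry does it.

```python
# Constructed /proc/net/tcp-style snapshot taken when the monitor starts.
# Ports are hex: 0016=22, 0019=25, 0277=631. State 0A = LISTEN, 01 = ESTABLISHED.
STARTUP_SNAPSHOT = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1001
   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1002
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1003
   3: 0A00000A:0016 0A000014:C350 01 00000000:00000000 00:00000000 00000000 0 0 1004
"""

def listening_ports(proc_text):
    """Return the local ports in LISTEN state from /proc/net/tcp-format text."""
    ports = set()
    for line in proc_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":     # keep listeners only
            continue
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

def inverse_watch_set(upper, bound_at_start, excluded):
    """Watch every port 1..upper except startup listeners and manual exclusions."""
    return set(range(1, upper + 1)) - bound_at_start - excluded

def probes(events, watched):
    """Return the (source, port) events that touched a watched port."""
    return [(src, port) for src, port in events if port in watched]

def demo():
    bound = listening_ports(STARTUP_SNAPSHOT)
    watched = inverse_watch_set(1023, bound, excluded={113})
    # Constructed connection attempts (documentation address ranges).
    events = [
        ("192.0.2.10", 23),     # nothing listens here: reported
        ("192.0.2.10", 22),     # bound at startup: ignored
        ("198.51.100.7", 113),  # manually excluded: ignored
        ("203.0.113.5", 443),   # service started after the snapshot:
                                # reported, which is a false alarm
        ("192.0.2.10", 8080),   # above the watched range: ignored
    ]
    return bound, watched, probes(events, watched)

if __name__ == "__main__":
    bound, watched, hits = demo()
    print(sorted(bound), len(watched), hits)
```

The hit on port 443 shows where the false alarms come from: the exclusion list is fixed at startup, so a daemon started later sits on a port that is still being watched.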
Last modified: Sat Jun 7 20:51:53 PDT 2003