A portscan is a series of probes sent to one or more ports of a target system in an attempt to enumerate which Services are running on the target system. While information obtained by a portscan can be used for legitimate purposes, such as diagnosing networking problems, it can also be used for identifying potentially vulnerable applications that can be further exploited by an attacker. A portscan is often used in the initial information gathering stages of attack, so identifying and reacting to them is an important part of keeping your system secure.
A number of good tools are available for detecting these types of scans. However most linux distributions do not include or enable them by default. They must either be specifically selected during the installation process or downloaded from a third-party site.
Portscan Detection Tools:
Snort is a full-blown Network Intrusion Detection System (NIDS) that can detect a wide variety of malicious traffic including portscans. The portscan detection function of Snort is handled by a dedicated preprocessor that allows fine tuning of detection parameters such as number of ports and time frame used for determining if an alert should be generated. There are a number of add-ons for Snort such as ACID, SnortCenter, and PigSentry that can extend its functionality.
Portsentry uses a daemon to monitor ports specified in a configuration file. When one of the monitored ports is triggered by a scan, Portsentry dynamically blocks the IP address of the attacker using either iptables or tcp wrappers.
PSAD (Port Scan Attack Detector) integrates with Iptables and uses a set of logging rules to detect portscan activity. When the system is scanned, iptables generates log messages which are monitored by the psad daemon. PSAD differs from the previous tools in that it doesn't directly listen for malicious traffic, but rather functions behind the Firewall. This theoretically makes exploiting vulnerabilities in the network stack or PSAD daemon itself more difficult. PSAD also includes a number of rules for detecting other types of malicious traffic such as backdoor activity or DDoS attacks. When combined with fwsnort PSAD can detect approximately 70% of the types of malicious traffic detectable with Snort.
Scanlogd scanlogd is a very small (as in size) TCP port scan detection tool & has a very low administrative overhead. It runs a scanlogd daemon & logs the port scans in /var/log/alert file.
- The nmap program is a well-documented port scanner program. It is provided by many distros in order that a network administrator can look for security holes before the bad guys get there.
- The netcat (nc) utility is a general network data transfer tool that can be invoked to do just port scans. There is a traditional version and one rewritten for OpenBSD, which is generally considered superior.
- The telNet utility is a general network data transfer too that can be invoked to do port scans like this:
# telnet localhost 22 Trying ::1... Connected to localhost. Escape character is '^]'. SSH-2.0-OpenSSH_5.4
Shows us that port 22 is open. To get out of this dialog just press enter.
# telnet localhost 1025 Trying ::1... telnet: connect to address ::1: Connection refused Trying 127.0.0.1... telnet: connect to address 127.0.0.1: Connection refused
Shows us that port 1025 is closed.