Screaming Penguin

Sysadmins and security folks should scope out the open source utility PortSentry. It's a sweet program (albeit BETA) that counters all of the port scanning utilities available and blocks alot of the avenues of exploit including blocking the offending host in real time. PortSentry:

Runs on TCP and UDP sockets to detect port scans against your system. PortSentry is configurable to run on multiple sockets at the same time so you only need to start one copy to cover dozens of tripwired services.

Stealth scan detection (Linux only right now). PortSentry will detect SYN/half-open, FIN, NULL, X-MAS and oddball packet stealth scans. Four stealth scan operation modes are available for you to choose from.

PortSentry will react to a port scan attempt by blocking the host in real-time. This is done through configured options of either dropping the local route back to the attacker, using the Linux ipfwadm/ipchains command, *BSD ipfw command, and/or dropping the attacker host IP into a TCP Wrappers hosts.deny file automatically.

PortSentry has an internal state engine to remember hosts that connected previously. This allows the setting of a trigger value to prevent false alarms and detect "random" port probing.

PortSentry will report all violations to the local or remote syslog daemons indicating the system name, time of attack, attacking host IP and the TCP or UDP port a connection attempt was made to. When used in conjunction with Logcheck it will provide an alert to administrators through e-mail. Another fine freshmeat rip . . er uh . .contribution.