Port Scan Detection and Active Defense System
PortSentry is part of the Abacus Project suite of security tools. It is a program designed to detect and respond to port scans against a target host in real-time. Some of its more useful features include:
- Runs on TCP and UDP sockets to detect port scans against your system. PortSentry is configurable to run on multiple sockets at the same time so you only need to start one copy to cover dozens of tripwired services.
- Stealth scan detection (Linux only right now). PortSentry will detect SYN/half-open, FIN, NULL, X-MAS and oddball packet stealth scans. Four stealth scan operation modes are available (two detection methods, each for TCP and for UDP).
- PortSentry reacts to a port scan attempt by blocking the host in real-time. Depending on configuration, it drops the local route back to the attacker, inserts a deny rule with the Linux ipfwadm/ipchains command or the *BSD ipfw command, and/or adds the attacker's IP to a TCP Wrappers hosts.deny file automatically.
- PortSentry has an internal state engine to remember hosts that connected previously. This allows the setting of a trigger value to prevent false alarms and detect "random" port probing.
- PortSentry will report all violations to the local or remote syslog daemons indicating the system name, time of attack, attacking host IP and the TCP or UDP port a connection attempt was made to. When used in conjunction with Logcheck it will provide an alert to administrators through e-mail.
- Once a scan is detected your system will turn into a blackhole and disappear from the attacker. This feature stops most attacks cold. Because the block is keyed on the source address of the probe, list hosts you can never afford to lose (gateways, name servers, monitoring stations) in the ignore file; a scan arriving with a spoofed source address would otherwise cut them off.
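The state engine, trigger threshold and reaction step from the feature list above, as an added worked example written for this page (this is not PortSentry's own source). The configuration key names and the $TARGET$ / $PORT$ / $MODE$ placeholders follow what I recall of portsentry.conf (SCAN_TRIGGER, KILL_ROUTE, KILL_HOSTS_DENY, KILL_RUN_CMD, KILL_RUN_CMD_FIRST); treat them as assumptions and check them against the file shipped in the tarball. The notify-admin script, the addresses and the probe sequence are constructed for the example, and nothing is executed: the commands a real deployment would run are returned as strings.

```python
"""Toy per-host state engine with a trigger threshold and a reaction step.

Added example for this page, not PortSentry's code. Config key names and the
$TARGET$/$PORT$/$MODE$ placeholders are assumed to match portsentry.conf.
"""
from collections import defaultdict

# Constructed configuration fragment (assumed key names).
CONFIG = {
    # Distinct probed ports tolerated from one host before reacting; 0 reacts at once.
    "SCAN_TRIGGER": 1,
    # Reaction templates: drop the route back to the attacker, add a TCP Wrappers rule.
    "KILL_ROUTE": "/sbin/route add -host $TARGET$ reject",
    "KILL_HOSTS_DENY": "ALL: $TARGET$ : DENY",
    # Hypothetical external command; running it before the block lets it still
    # reach the attacker (e.g. to record a traceroute) while a path back exists.
    "KILL_RUN_CMD": "/usr/local/sbin/notify-admin $TARGET$ $PORT$ $MODE$",
    "KILL_RUN_CMD_FIRST": 1,
}

# Constructed ignore list: never react to ourselves or to the monitoring host.
IGNORE_HOSTS = {"127.0.0.1", "192.0.2.10"}


def expand(template: str, target: str, port: int, mode: str) -> str:
    """Fill the portsentry.conf-style placeholders in a reaction template."""
    return (template.replace("$TARGET$", target)
                    .replace("$PORT$", str(port))
                    .replace("$MODE$", mode))


class StateEngine:
    def __init__(self, config=CONFIG, ignore=IGNORE_HOSTS):
        self.config = config
        self.ignore = ignore
        self.seen = defaultdict(set)   # attacker -> set of (proto, port) probed so far
        self.blocked = set()           # attackers already blackholed
        self.hosts_deny = []           # lines that would be appended to hosts.deny
        self.syslog = []               # messages that would go to syslog

    def probe(self, src: str, proto: str, port: int) -> list:
        """Record one connection attempt; return the shell commands a real
        deployment would run at this point (nothing is executed here)."""
        if src in self.ignore:
            return []
        if src in self.blocked:
            # Already blackholed: the route back is gone, so just drop it.
            return []
        self.seen[src].add((proto, port))
        self.syslog.append(
            f"attackalert: Connect from host: {src} to {proto} port: {port}")
        # A retry of the same port is not a new probe; only distinct ports count,
        # which is what separates a sweep from a flaky client.
        if len(self.seen[src]) <= self.config["SCAN_TRIGGER"]:
            return []                  # remembered, not yet blocked
        return self._react(src, proto, port)

    def _react(self, src: str, proto: str, port: int) -> list:
        self.blocked.add(src)
        run_cmd = expand(self.config["KILL_RUN_CMD"], src, port, proto)
        block_cmd = expand(self.config["KILL_ROUTE"], src, port, proto)
        cmds = [run_cmd, block_cmd] if self.config["KILL_RUN_CMD_FIRST"] else [block_cmd, run_cmd]
        self.hosts_deny.append(expand(self.config["KILL_HOSTS_DENY"], src, port, proto))
        self.syslog.append(f"attackalert: Host {src} has been blocked via dropped route")
        return cmds


def simulate() -> StateEngine:
    """Constructed probe sequence: a stray hit, a real sweep, a retry from a
    blocked host and a probe from an ignored host."""
    eng = StateEngine()
    eng.probe("198.51.100.7", "TCP", 111)     # single stray connect: remembered only
    eng.probe("203.0.113.5", "TCP", 1)
    eng.probe("203.0.113.5", "TCP", 1)        # same port again: not a new probe
    eng.probe("203.0.113.5", "UDP", 69)       # second distinct port crosses SCAN_TRIGGER
    eng.probe("203.0.113.5", "TCP", 31337)    # already blocked: silently dropped
    eng.probe("192.0.2.10", "TCP", 1)         # ignored host: no state kept at all
    return eng


if __name__ == "__main__":
    for line in simulate().syslog:
        print(line)
```

Counting distinct ports rather than raw connection attempts is this example's choice; it keeps a legitimate client that retries one closed port from ever crossing the trigger, while a sweep crosses it on the second port.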
As with all of the Abacus Project tools it is designed to have an easy configuration and be maintenance free.
Updates at a glance for version 1.1
- Corrected CPU consumption bug under Linux 2.4 kernels.
- Netmask ignoring support.
- Enable/Disable DNS resolution.
- Selective ordering of external command to occur before or after blocking.
- Various other bug fixes.
Getting the tool
- Read the DISCLAIMER.
- Download the PortSentry: portsentry-1.1.tar.gz
- Download the PortSentry PGP signature
- Download Craig Rowland's PGP key
- Look at the CHANGES file.
- PortSentry compiles on most Unix systems. View the compatibility list.
- Look at a sample report (with Logcheck running).
Why Look For Port Scans?
A port scan is a symptom of a larger problem coming your way. It is often the precursor to an attack and is a critical piece of information for properly defending your information resources. Additionally, when a system connects to or scans your host unsuccessfully, you can use that information to check the status of other hosts under your control that may not have been so lucky.
What kind of scans does it detect?
PortSentry will detect any connection made to a TCP or UDP port on your host that you tell it to listen to. The configuration file can list dozens of ports at once, so it detects anything from a full-fledged sequential port sweep to random port probing. Because it covers UDP as well, it will alert you to people surreptitiously probing for RPC services, TFTP, SNMP, etc.
PortSentry also has two advanced stealth scan detection modes that greatly increase the detection capability of the tool.
As of now PortSentry supports the following modes of operation:
Classic Mode
PortSentry binds to the pre-defined TCP and UDP ports, waits for a connection, and then reacts to block the host. This is how version 0.50 and below worked. It is compatible with most UNIX systems, and classic -tcp mode is the only mode endorsed by Psionic Software, Inc., for the reasons described in the documentation.
Enhanced Stealth Scan Detection Mode (Linux only)
PortSentry includes two new modes of operation. Mode one monitors a supplied list of ports for stealth scans (SYN/FIN scans, etc.) and reacts accordingly. It is very similar to classic mode, except that ports are no longer captured with bind(); instead a raw socket is used to inspect incoming packets.
Advanced Stealth Scan Detection Mode (Linux only)
Mode two is called "Inverse Port Binding." PortSentry first checks which ports you already have in use, removes those from monitoring, and watches all the remaining ports. This is very powerful, reacts exceedingly fast to port scanners, and uses very little CPU time. It also incorporates an active state check: protection is dropped for newly bound network ports, which prevents alarms on protocols such as FTP that often connect back to the client. Once that connection has been torn down, PortSentry again starts monitoring the port.
What stealth scans does it detect?
Both stealth scan modes detect the most common stealth scan methods available (from tools such as nmap): SYN scans, FIN scans, standard connect() calls, and "unusual" packets (e.g., varying TCP flags, NULL scans, X-MAS scans) seen coming into your system.
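How the scan types listed above are told apart from TCP flags, combined with the inverse port binding and active state check described under Advanced Stealth Scan Detection Mode, as an added example for this page (not PortSentry's raw-socket code). The flag-to-name mapping is the usual nmap vocabulary (SYN, FIN, NULL, XMAS); treating every ACK-bearing or RST segment as "not a probe" and limiting the watch to ports up to 1024 are this example's own simplifications. The segments are constructed in-line with struct.pack and never touch a real socket.

```python
"""Classify stealth probes from raw TCP flags and skip ports a local service
has bound (inverse port binding).

Added example for this page, not PortSentry's source. Flag handling for ACK/RST
segments and the 1024-port watch range are this example's simplifications.
"""
import struct
from typing import Optional

# TCP control bits: the low six bits of the offset/flags halfword (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp_header(data: bytes) -> tuple:
    """Return (sport, dport, flags) from a buffer that starts at the TCP header.
    The IP header must already be stripped; TCP options are ignored."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, _win, _csum, _urg = struct.unpack(
        "!HHIIHHHH", data[:20])
    return sport, dport, off_flags & 0x3F


def classify(flags: int) -> Optional[str]:
    """Name the probe type a segment represents, or None if it looks like
    ordinary traffic."""
    if flags & RST:
        return None                  # resets are replies, never probes
    if flags & ACK:
        return None                  # part of an existing or completing handshake
    if flags == 0:
        return "NULL"
    if flags == SYN:
        return "SYN"                 # half-open and full connect() both start here
    if flags == FIN:
        return "FIN"
    if flags == FIN | PSH | URG:
        return "XMAS"
    return "ODD"                     # any other ACK-less combination


def inspect(data: bytes, bound_ports: set, monitored_max: int = 1024):
    """Inverse port binding: watch every port up to monitored_max that is NOT
    currently bound by a local service. Returns (kind, sport, dport) or None.
    Passing a live, mutable bound_ports set is the active state check: a port
    bound for an FTP data connection stops being watched until it is released."""
    sport, dport, flags = parse_tcp_header(data)
    if dport > monitored_max or dport in bound_ports:
        return None                  # a listening service gets the packet instead
    kind = classify(flags)
    return None if kind is None else (kind, sport, dport)


def make_segment(sport: int, dport: int, flags: int) -> bytes:
    """Constructed test input: a bare 20-byte header, data offset 5, no options."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 1024, 0, 0)


def demo() -> list:
    """Run a constructed batch of segments against a host with sshd and httpd bound."""
    bound = {22, 80}
    batch = [
        (23, SYN), (23, FIN), (23, 0), (23, FIN | PSH | URG),  # four probe types
        (80, SYN),                # real service: left to the kernel
        (23, SYN | ACK),          # second leg of a handshake: not a probe
        (23, RST),                # reset: a reply, not a probe
        (8080, SYN),              # above the watched range
    ]
    return [inspect(make_segment(40000, port, flags), bound) for port, flags in batch]


if __name__ == "__main__":
    for result in demo():
        print(result)
```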
Does it detect random port scanning?
Yes. PortSentry has an internal engine that remembers hosts that have connected to it in the past. Once the user-defined threshold has been crossed it will react.
All Material Copyright © 1996 - 2001 by Psionic Software, Inc. All rights reserved.