Portsentry is a nice little program that will look on specified ports you ask it to to find script kiddies trying to scan your computer for open ports. As we all know, some specified ports are used by specific Trojans, and those scanners check those first. Portsentry can, in less than 1 second, disable access to the scanner (remote machine IP) either silently or by sending an error message. It of course logs all activity and is highly configurable.
First of all, download the new version from:
http://www.psionic.com/
There are numerous similar packets there, like hostsentry and logsentry, all doing specific and similar jobs. I will refer to the Portsentry 1.1 version, which is the only one I got to work. 2beta is way different than 1.1 in the methods used and still unstable.
After you download it into a directory you remember I assume, using tar, you need to get it compiled and installed. make linux should compile it and su -c "make install" should install it. It's that simple.
Now, after we managed to finish the installation, scroll over to /usr/local/psionic/portsentry/ to find the portsentry.conf file. Use your favourite editor to open it (like vi or pico) and scroll through the file. The comments are so complete and comprehensive, it's silly for me to even try to explain what you need to do. But I suggest uncommentic the anal options as they are called, unless you have intensive network use that want to maintain.
Apart from that, the only thing you really need to change is the KILL_ROUTE option that can be found towards the end of the file. You need to choose the appropriate one for you Linux distro. Assuming you have 2.4 kernel (mdk 8 and up I believe), you need to uncomment [ip tables support for linux[/b] line. If you use a 2.2 kernel, it means you are using ipchains, so choose the appropriate line to uncomment.
Now, on the very end of the file, you need to choose whether you want to enable a message to be sent to the intruder, or just drop the package. No matter what you choose, the attacker/cracker is bound to be denied access for now and future attempts, so feel free to do what you want. Please, have it in mind that this is not a firewall. All it does is check who scans your ports fast. If the scan is done slowly or the cracker already knows which port your backdoor is and only attempts one connection to it, you are a little bit doomed.
Have fun checking your logs people! One more thing... Add it in your rc.local to have it start when your PC starts.
echo "Starting PortSentry"
/usr/local/psionic/portsentry/portsentry -atcp
/usr/local/psionic/portsentry/portsentry -audp
echo "Done"
This should do it. Enjoy people :) The logs are in /usr/local/psionic/portsentry. To check it out, try to log into and Undernet IRC server which port scans you to ensure you are not a proxy server. It should give you a message saying:AUTH :*** Can't lookup your hostname. and then connect you.
Note: A useful program if you already have a firewall up is psad, at http://www.cipherdyne.com/index.html
