Is there any Linux app available for port scanning monitoring?

Something that will run in the background and alert me by mail if some IP is port scanning the server.


Solution 1:

The problem with 'detecting' port scanning is that a competent attacker can easily make it appear like legitimate traffic. Anyone who knows how to use --ip-options with Nmap can make it appear like random traffic, anyone with -D can make it appear like the traffic came from somewhere else, anyone with proxies CAN make it come from somewhere else, etc. Even if you can detect a port scan, what can you do in the event of a port scan? Port scans are common enough that locking down services isn't an option (otherwise you might as well just keep them closed). It's just going to keep you up at night (and flood your email) over a non-issue.

Although it's somewhat contentious, in my experience IDS systems aren't worth a whole lot to the average network. If anything, they increase attack space. You're far better off investing your time into ACLs, network security and HIPS if possible.

Solution 2:

For this sort of thing you want an IDS (Intrusion Detection System). Probably the most popular that runs on Linux is Snort.

If you just want something for one server, you might try something like psad, which is based on iptables. That can autoblock anyone running a port scan.
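
Added example (not part of the answers above, and not psad's own code): a simplified threshold heuristic over iptables LOG lines that flags a source touching many distinct destination ports in a short window and builds the mail alert the question asks for. The log lines are constructed, and the function names, the 5-port/60-second threshold, the assumed year and the recipient address are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from email.message import EmailMessage

# Fields used from an iptables LOG line: syslog timestamp, SRC=, PROTO=, DPT=.
LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) .*\bSRC=(?P<src>\S+) "
                    r".*\bPROTO=(?:TCP|UDP) .*\bDPT=(?P<dpt>\d+)")

def _line(clock, src, dpt):  # builds one constructed sample log line
    return (f"Mar 12 {clock} web1 kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
            f"LEN=44 TTL=48 PROTO=TCP SPT=40000 DPT={dpt} SYN")

# Constructed sample: one source sweeping six ports in six seconds, one normal client.
SAMPLE_LOG = "\n".join(
    [_line(f"10:15:0{i}", "203.0.113.7", p) for i, p in enumerate((21, 22, 23, 25, 80, 443))]
    + [_line(f"10:1{i}:30", "198.51.100.20", p) for i, p in enumerate((443, 443, 80, 443))]
)

def detect_scanners(log_text, min_ports=5, window=timedelta(seconds=60), year=2024):
    """Return {source_ip: ports} for sources that touched at least min_ports
    distinct destination ports inside one sliding window (ports of that window)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:  # syslog timestamps carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["src"]].append((ts, int(m["dpt"])))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1  # drop events older than the window
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged

def build_alert(flagged, to_addr="admin@example.org"):
    """Build (not send) a mail alert listing the flagged sources."""
    msg = EmailMessage()
    msg["Subject"] = f"Port scan suspected from {len(flagged)} source(s)"
    msg["To"] = to_addr
    # SRC is only what the packet header claims; with decoys (-D) it may be spoofed.
    msg.set_content("\n".join(f"{ip}: ports {ports}" for ip, ports in flagged.items()))
    return msg
```

Because the flagged address may be spoofed, as Solution 1 points out, treat the result as a signal to review before any automatic blocking.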