Being quite familiar with nmap and other port scan programs, I hadn't really played around with many port scan detection programs on the Linux operating system. I recommend and run ossec.net as an excellent host-based intrusion detection program on all my Linux machines; however, it does not have a native port scan detection capability. On the ossec wiki there is an article about using ossec and iplog to detect port scans.
After some investigation, I have found that psad is an excellent and powerful solution. It had occurred to me to integrate psad's logging with ossec.net for alerting, which is entirely feasible; however, I have found that psad's native email alerting works very well.
Basically, psad is a Perl-based daemon that monitors the output of iptables logging, so it is just a matter of installing psad, editing psad.conf and enabling iptables logging.
On Ubuntu (tested on 10.04 and 10.10):
# apt-get install psad
The configuration file is pretty self-explanatory, but here are a couple of things to look at:
EMAIL_ADDRESSES firstname.lastname@example.org;   ### this is where the email alerts will be sent
HOME_NET NOT_USED;   ### only one interface on box
IGNORE_PORTS udp/53;   ### this was causing some alarms as my machine did DNS resolves
MIN_DANGER_LEVEL 1;   ### setting alerting levels. I left this at 1 but upped the email alert danger level
### Only send email alert if danger level >= to this value.
EMAIL_ALERT_DANGER_LEVEL 3;   ### leaving this at 1 will give you alarms every time a worm pings your box
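To make concrete what psad does with the iptables log, and why IGNORE_PORTS udp/53 and EMAIL_ALERT_DANGER_LEVEL 3 matter, here is an added Python sketch of the same idea run over constructed LOG lines; it is not psad's own code, and the port-count thresholds it uses are an assumption taken from what psad.conf ships as DANGER_LEVEL1..5 defaults.

```python
"""Port-scan scoring over iptables LOG lines, in the spirit of psad (added example, not
psad's code): group by source, honour IGNORE_PORTS udp/53, count distinct destination
ports, map the count to a danger level and apply EMAIL_ALERT_DANGER_LEVEL 3."""
import re
from collections import defaultdict
# Distinct ports needed per danger level; assumption: psad.conf's default DANGER_LEVEL1..5.
DANGER_THRESHOLDS = [(5, 1), (15, 2), (150, 3), (1500, 4), (10000, 5)]
IGNORE_PORTS = {("udp", 53)}      # IGNORE_PORTS udp/53; from the post
EMAIL_ALERT_DANGER_LEVEL = 3      # from the post; 1 would mail on every worm probe

# Fields the kernel LOG target emits; SPT/DPT are absent for ICMP packets.
LOG_RE = re.compile(r"SRC=(?P<src>\S+).*?PROTO=(?P<proto>\w+)"
                    r"(?:\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+))?")

def parse_line(line):
    """Return (src, proto, sport, dport) or None for non-firewall syslog lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    spt, dpt = (int(v) if v else None for v in (m.group("spt"), m.group("dpt")))
    return m.group("src"), m.group("proto").lower(), spt, dpt

def danger_level(distinct_ports):
    # Highest level whose threshold the port count reaches (0 = nothing to report).
    return max([lvl for limit, lvl in DANGER_THRESHOLDS if distinct_ports >= limit], default=0)

def score(lines):
    """Map each source to (distinct ports hit, danger level, would an email be sent)."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[3] is None:
            continue
        src, proto, spt, dpt = parsed
        # Ignore udp/53 on either side so the box's own DNS replies never look like a scan.
        if (proto, spt) in IGNORE_PORTS or (proto, dpt) in IGNORE_PORTS:
            continue
        hits[src].add((proto, dpt))
    return {src: (len(p), danger_level(len(p)),
                  danger_level(len(p)) >= EMAIL_ALERT_DANGER_LEVEL) for src, p in hits.items()}

def sample_log():
    """Constructed LOG lines (not real traffic): DNS replies, a 6-port probe, a 160-port sweep."""
    t = ("Mar  1 12:00:00 host kernel: [100.0] IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
         "LEN=60 TTL=52 PROTO={proto} SPT={spt} DPT={dpt}")
    probes = [("192.0.2.53", "UDP", 53, 40000 + i) for i in range(20)]          # resolver answers
    probes += [("198.51.100.7", "TCP", 54321, p) for p in (22, 23, 25, 80, 443, 8080)]
    probes += [("203.0.113.5", "TCP", 54321, p) for p in range(1, 161)]         # sweep
    lines = [t.format(src=s, proto=pr, spt=sp, dpt=dp) for s, pr, sp, dp in probes]
    lines.append("Mar  1 12:01:00 host sshd[1]: Accepted publickey for root")  # not iptables
    return lines
```

Running score(sample_log()) leaves the resolver out entirely, reports the six-port probe at danger level 1 with no email, and reports the 160-port sweep at level 3, which is the first level the post's EMAIL_ALERT_DANGER_LEVEL would mail about.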