psad (Port Scan Attack Detector) is a free, open-source tool that is used to detect and block port scan attacks in real-time on a Linux system. It is designed to work with the iptables firewall and provides a set of scripts and tools that can be used to detect and block port scan attacks as they occur.
To use psad to detect and block port scan attacks on a Linux system, you first need to install and configure it. The general steps are:
Install the psad package:
$ apt-get install psad
Edit the /etc/psad/psad.conf configuration file to specify the email address where alerts should be sent, the network interfaces that should be monitored, and other settings.
Edit the /etc/psad/auto_dl file to specify the IP addresses and networks that should be blocked when a port scan attack is detected.
Run the psad --sig-update command to download the latest signature definitions.
Restart the psad service to apply the configuration changes:
$ systemctl restart psad
Once psad is installed and configured, it will automatically detect and block port scan attacks on the system in real-time. You can use the psad --Status command to view the current status of the tool, and the psad -H command to view the history of detected port scan attacks.
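A pre-restart check for the psad.conf edits described above, as an added example that is not part of the original page or of psad itself. It assumes psad's "KEY value;" configuration syntax and the EMAIL_ADDRESSES, ENABLE_AUTO_IDS and AUTO_IDS_DANGER_LEVEL keys; the function names, the sample file and the treatment of root@localhost as "not configured" are assumptions made for illustration. psad only adds blocking rules when ENABLE_AUTO_IDS is Y, so the check flags a configuration that would report scans without blocking them.

```shell
#!/bin/sh
# Added example: audit a psad.conf before restarting psad.
# Entries have the form "KEY   value;" and comment lines start with '#'.

# Print the value of KEY ($1) from config file $2 (last definition wins).
psad_conf_get() {
    awk -v key="$1" '
        /^[ \t]*#/ { next }                        # skip comments
        $1 == key {
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)  # drop the key
            sub(/;.*$/, "", line)                  # drop ";" and anything after
            sub(/[ \t]+$/, "", line)
            val = line
        }
        END { print val }
    ' "$2"
}

# Return 0 only if alerts have a real recipient and blocking is switched on.
psad_conf_audit() {
    conf=$1; rc=0
    email=$(psad_conf_get EMAIL_ADDRESSES "$conf")
    autoids=$(psad_conf_get ENABLE_AUTO_IDS "$conf")
    level=$(psad_conf_get AUTO_IDS_DANGER_LEVEL "$conf")
    case $email in
        ""|root@localhost)   # assumption: treated as "not configured yet"
            echo "WARN: alerts go to '${email:-unset}'"; rc=1 ;;
        *)  echo "OK: alerts go to $email" ;;
    esac
    if [ "$autoids" = "Y" ]; then
        echo "OK: blocking enabled from danger level ${level:-unset}"
    else
        echo "WARN: ENABLE_AUTO_IDS=${autoids:-unset}, scans are reported but not blocked"; rc=1
    fi
    return "$rc"
}

# Constructed sample in psad.conf syntax (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
### constructed sample
EMAIL_ADDRESSES             soc@example.com;
ENABLE_AUTO_IDS             N;
AUTO_IDS_DANGER_LEVEL       3;
EOF
psad_conf_audit "$sample" || echo "Fix the WARN items, then restart psad."
rm -f "$sample"
```

On a real host, call psad_conf_audit /etc/psad/psad.conf and restart the service only once it returns 0.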
These are just a few examples of how to use psad to detect and block port scan attacks on a Linux system. The specific steps may vary depending on the distribution and version of Linux that you are using. You can refer to the documentation for psad for more information on how to use the tool.