There is a good chance you can install it via your distribution's package manager. If not, the 'Sentry Tools' article on this page contains a link that can be used to download the program.
$ apt-cache search portsentry
portsentry - Portscan detection daemon
Installing from source:
(1) Check and read your version's documentation.
(2) Verify (and change if applicable) the contents of the 'portsentry_config.h' file:
CONFIG_FILE Path to the PortSentry configuration file.
WRAPPER_HOSTS_DENY Path and name of TCP wrapper hosts.deny file.
SYSLOG_FACILITY Syslog facility for PortSentry to use.
SYSLOG_LEVEL Syslog level to send messages.
(3) Verify (and change if applicable) the configuration file, portsentry.conf:
TCP_PORTS ','-delimited string of TCP ports to listen to. Default limit of 64.
UDP_PORTS As TCP
ADVANCED_PORTS_TCP Any port *below* this number is then monitored.
The default is 1024.
ADVANCED_PORTS_UDP As above, except for UDP.
ADVANCED_EXCLUDE_TCP ','-delimited string of TCP ports that should be manually
excluded from monitoring in Advanced mode.
ADVANCED_EXCLUDE_UDP As above, except for UDP.
IGNORE_FILE Path to file that contains IP addresses of hosts you want to
always be ignored.
BLOCKED_FILE Path to the file that contains the IP addresses of blocked hosts.
RESOLVE_HOST Turns off DNS resolution for hosts; a good idea if your DNS is slow.
BLOCK_UDP Disables all automatic responses to UDP probes. Because UDP can be
easily forged, it may allow an attacker to start a denial of
service attack against the protected host. "0" will
disable all responses, although the connects are still
logged. Useful for Internet-exposed hosts. For internal
hosts you should leave this enabled.
BLOCK_TCP As above but for TCP. Packet forgery is not as big a problem.
KILL_ROUTE Command to drop the offending route if an attack is detected,
i.e. /sbin/route with the $TARGET$ macro substituting the IP of the
attacker; the gateway should be a 'dead host' or 127.0.0.1.
Can use -blackhole or -reject. Example command:
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
KILL_HOSTS_DENY Format of the string to drop into the hosts.deny file that
TCP wrapper uses. Again the $TARGET$ macro is expanded out
to be the IP of the attacker and is required.
KILL_RUN_CMD A command to run *before* the route is dropped to the
attacker. $TARGET$, $PORT$ and $MODE$ macros are available.
KILL_RUN_CMD_FIRST "0" tells cmd above to run before the route is dropped.
"1" makes cmd run after the blocking has occurred.
SCAN_TRIGGER PortSentry has a state engine that will remember hosts that
have connected to it. Setting this value tells
PortSentry to allow X grace port hits before it
reacts. The default is 0, which reacts immediately. A
setting of 1 or 2 will reduce false alarms; anything higher
is probably too much.
PORT_BANNER Text banner you want displayed to the connecting host if
PortSentry is activated.
(4) Edit the portsentry.ignore file
Add any host you want ignored if it connects to a tripwired port. The file should always contain at least the localhost (127.0.0.1) and the IPs of the local interfaces.
# Format: <IP address>/<Netmask Bits>
Example 'portsentry.ignore' entries.
(5) Compile the package
- Default directory is /usr/local/psionic/portsentry.
- Edit the Makefile and make sure your portsentry.conf and portsentry_config.h files reflect the new path, then run:
$ sudo make install
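As an added check for steps (3) and (4) (example code, not from the original page or the PortSentry project): a small POSIX sh lint that reads a portsentry.conf and a portsentry.ignore as text and flags the mistakes described above, i.e. a missing $TARGET$ macro, more than 64 ports, UDP responses left on for an Internet-exposed host, and no localhost entry. The sample conf and ignore contents are constructed for the demo, and conf_get, count_ports and check_portsentry are names chosen here.

```shell
# Lint a portsentry.conf / portsentry.ignore pair for the mistakes the notes
# above warn about. Added example, not part of PortSentry; sample inputs are
# constructed for the demo.
# Print the value of option $1 from the conf text in $2 (outer quotes stripped).
conf_get() {
    printf '%s\n' "$2" | sed -n "s/^$1[[:space:]]*=[[:space:]]*\"\(.*\)\"[[:space:]]*$/\1/p" | head -n 1
}
# Count the comma-separated ports in a TCP_PORTS/UDP_PORTS value.
count_ports() {
    [ -n "$1" ] || { echo 0; return; }
    printf '%s\n' "$1" | tr ',' '\n' | grep -c '^[0-9][0-9]*$' || true
}
# check_portsentry CONF_TEXT IGNORE_TEXT [internal|exposed]
# Prints one line per problem; returns 0 when clean, 1 otherwise.
check_portsentry() {
    conf=$1; ignore=$2; role=${3:-internal}; bad=0
    for key in KILL_ROUTE KILL_HOSTS_DENY; do        # $TARGET$ is required
        case "$(conf_get "$key" "$conf")" in
            *'$TARGET$'*) ;;
            *) echo "$key: missing the required \$TARGET\$ macro"; bad=1 ;;
        esac
    done
    for key in TCP_PORTS UDP_PORTS; do               # default limit of 64
        n=$(count_ports "$(conf_get "$key" "$conf")")
        [ "$n" -le 64 ] || { echo "$key: $n ports, limit is 64"; bad=1; }
    done
    if [ "$role" = exposed ] && [ "$(conf_get BLOCK_UDP "$conf")" != 0 ]; then
        echo 'BLOCK_UDP: set to "0" on an Internet-exposed host (forged UDP)'; bad=1
    fi
    printf '%s\n' "$ignore" | grep -Eq '^127\.0\.0\.1(/[0-9]+)?$' ||
        { echo "portsentry.ignore: localhost (127.0.0.1) entry missing"; bad=1; }
    return $bad
}
# Constructed sample conf/ignore texts (short port lists, not the defaults).
GOOD_CONF='TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,31337"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,31337,54321"
RESOLVE_HOST="0"
BLOCK_UDP="0"
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
KILL_HOSTS_DENY="ALL: $TARGET$"'
GOOD_IGNORE='# Format: <IP address>/<Netmask Bits>
127.0.0.1/32
192.168.1.10/32'
# Same conf with the macro dropped from KILL_ROUTE and UDP blocking turned on.
BAD_CONF=$(printf '%s\n' "$GOOD_CONF" |
    sed 's/-s \$TARGET\$ -j DROP/-j DROP/; s/^BLOCK_UDP="0"/BLOCK_UDP="1"/')
check_portsentry "$BAD_CONF" "$GOOD_IGNORE" exposed || echo "sample conf rejected"
```

To lint real files, pass their contents with `check_portsentry "$(cat portsentry.conf)" "$(cat portsentry.ignore)" exposed`.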