The PortSentry package from Psionic Technologies is
actually a bit of a cross between intrusion prevention and detection. It
watches your network connection, and if it sees any attempts to connect to
your system that it deems "suspicious," it will log the event and then
block the offending host so the attempt cannot be repeated. It, too, can be
found in Resources at the end of this tutorial.
When you have it installed and running, you will be able to see any
attempted connections and how PortSentry responded to them in your syslog.
In the excerpt below, each scanning host is blocked twice, once with a TCP
wrappers entry and once with a reject route:
# tail /var/log/messages
Oct 15 00:21:24 mycroft portsentry[603]: attackalert:
SYN/Normal scan from host: 302.174.40.34/302.174.40.34 to TCP port: 111
Oct 15 00:21:24 mycroft portsentry[603]: attackalert:
Host 302.174.40.34 has been blocked via wrappers with string:
"ALL: 302.174.40.34"
Oct 15 00:21:24 mycroft portsentry[603]: attackalert:
Host 302.174.40.34 has been blocked via dropped route using command:
"/sbin/route add -host 302.174.40.34 reject"
Oct 15 00:21:24 mycroft portsentry[603]: attackalert:
SYN/Normal scan from host: 302.174.40.34/302.174.40.34 to TCP port: 111
Oct 15 00:21:24 mycroft portsentry[603]: attackalert:
Host: 302.174.40.34/302.174.40.34 is already blocked Ignoring
Oct 15 00:33:59 mycroft portsentry[603]: attackalert:
SYN/Normal scan from host: 302.106.103.19/302.106.103.19 to TCP port: 111
Oct 15 00:33:59 mycroft portsentry[603]: attackalert:
Host 302.106.103.19 has been blocked via wrappers with string:
"ALL: 302.106.103.19"
Oct 15 00:33:59 mycroft portsentry[603]: attackalert:
Host 302.106.103.19 has been blocked via dropped route using command:
"/sbin/route add -host 302.106.103.19 reject"