The problem with 'detecting' port scanning is that a competent attacker can easily make it appear like legitimate traffic. Anyone who knows how to use --ip-options with Nmap can make it appear like random traffic, anyone with -D can make it appear like the traffic came from somewhere else, anyone with proxies can make it come from somewhere else, etc. Even if you can detect a port scan, what can you do in the event of a port scan? Port scans are common enough that locking down services isn't an option (otherwise you might as well just keep them closed). It's just going to keep you up at night (and flood your email) over a non-issue.
Although it's somewhat contentious, in my experience IDS systems aren't worth a whole lot to the average network. If anything, they increase attack space. You're far better off investing your time into ACLs, network security and HIPS if possible.
If you just want something for one server, you might try something like psad, which is based on iptables. That can autoblock anyone running a port scan.
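The psad approach in the answer above is, at its core, "count how many distinct ports one source touches in the kernel's iptables LOG output and react". The following is an added example of that detection logic, written for this page; it is not psad's code and none of the constants or names below are psad's. It assumes a LOG rule with the prefix "IPT-IN: " (an assumption; any prefix works as long as the SRC/DST/PROTO/DPT fields are present) and runs over a handful of constructed syslog lines, not real logs.

```python
"""Minimal psad-style port-scan detector for iptables LOG lines.

Added example, not psad's code. It assumes a rule such as
    iptables -A INPUT -m conntrack --ctstate NEW -j LOG --log-prefix "IPT-IN: "
is writing new-connection attempts to the kernel log, and flags a source
that touches many distinct destination ports in a short window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables chosen for this example (psad has its own, differently named settings).
SCAN_THRESHOLD = 5                     # distinct DPTs from one SRC ...
SCAN_WINDOW = timedelta(seconds=60)    # ... within this window -> treat as a scan

# Fields as the kernel prints them; SPT/DPT are optional because ICMP has none.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)"
    r".*?\bSRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)"
    r".*?\bPROTO=(?P<proto>\w+)"
    r"(?:.*?\bSPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+))?"
)

# Constructed sample lines in syslog/kern.log layout; these are not real logs.
SAMPLE_LOG = """\
Mar  3 10:15:01 web1 kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 web1 kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=54322 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 web1 kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=60 ID=0 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:03 web1 kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=54323 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:03 web1 kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:15:04 web1 kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=54324 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:05 web1 kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=60 ID=0 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:06 web1 kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=54325 DPT=8080 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:06 web1 kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=54326 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
"""


def parse_line(line):
    """Return a dict for one iptables LOG line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # syslog timestamps carry no year; pin one so the window arithmetic works
    ts = datetime.strptime(f"2024 {m['mon']} {int(m['day'])} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {
        "ts": ts, "src": m["src"], "dst": m["dst"], "proto": m["proto"],
        "dpt": int(m["dpt"]) if m["dpt"] else None,
    }


def detect_scans(lines, threshold=SCAN_THRESHOLD, window=SCAN_WINDOW):
    """Sliding-window detection: {src: sorted ports seen when it tripped}."""
    recent = defaultdict(deque)   # src -> deque of (ts, dpt) still inside the window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dpt"] is None:   # skip non-LOG lines and ICMP
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dpt"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()                       # expire events older than the window
        ports = {p for _, p in q}
        if len(ports) >= threshold and ev["src"] not in flagged:
            flagged[ev["src"]] = sorted(ports)
    return flagged


def block_rule(src):
    """The iptables command an autoblock hook would run (returned, not executed)."""
    return f"iptables -I INPUT -s {src} -j DROP"


if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"scan from {src} on ports {ports}: {block_rule(src)}")
```

Running it flags only 203.0.113.5 (five distinct ports inside a minute); the host that repeatedly hits 443 and the ICMP echo are ignored. Before wiring `block_rule` to a real hook, whitelist your own admin and monitoring hosts: as the first answer notes, Nmap's -D puts decoy source addresses on the wire, so an autoblocker that trusts SRC can be steered into dropping traffic from addresses that never scanned you, including your own.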
portsentry will be one of the best solutions. While a network IDS such as Snort will be more robust and serve a greater purpose, portsentry is designed to take an action specific to port scans.
If this server is on a publicly accessible network, such as the Internet, you are going to receive a lot of alerts.
For this sort of thing you want an IDS (Intrusion Detection System). Probably the most popular that runs on Linux is Snort.