After receiving an Abuse Notice from my server provider, i was wondering how they make to check up all my traffic and send me these abuses. I would possible like to know if there is some kind of software that i can download so that i can stop my clients from doing malicious activities.. or atleast notice me before my provider treathens me.
I have seen some things like Snort, NodeWatch and VPSmon, but none of them 'Control' VPS machines from port scanning.
Any help out here would be far more than appreciated
Edit : I am not trying to stop people from the outside to port scan, but people from the inside to port-scan the internet, AKA my clients from doing malicious activites :)
Outbound ACL's
At our firewall configure outbound ACL's so your users can can only consume the services on the Internet that you allow.
I imagine that an outbound port http and https rule with an any>any would be fine. DNS would be consumed internally (assumption on my part) and that would probably solve your problem.
Since you are a VPS provider and I assume your customers get root on their VPS, there is very little you can do on the network stack, since filtering won't block or detect everything and very likely you'll get a lot of false poitives. You could configure iptables to filter certain repeting tcp flags in short time span intervals, log them and use something to send you notifications
Only other solution I can think of is scanning your customers filesystem with a rootkit scanner such as https://rootkit.nl/projects/rootkit_hunter.html or similar looking for know tools. But you might face privacy concerns from you customers.
Using something called PSAD, it is now blocking port scans. pSAD check the logs and you can set danger levels such example : 15 scans = level1, 50 scans = level2 etc.. and get notified on a certain level of danger.
If you have any problems of port scannings, I highly recommend looking at the pSAD http://cipherdyne.org/psad/
It does the intrusion detection automatically, and you dont need to go change things in the IP tables as it takes care of this itself.
Thanks to @ecelis for his comment as it brough me towards this discovery.