psad: Linux Detect And Block Port Scan Attacks In Real Time

Q. How do I detect port scan attacks by analyzing Debian Linux firewall log files and block port scans in real time? How do I detect suspicious network traffic under Linux?

A. A port scanner (such as nmap) is a piece of software designed to search a network host for open ports. Cracker can use nmap to scan your network before starting attack. You can always see scan patterns by visiting /var/log/messages. But, I recommend the automated tool called psad – the port scan attack detector under Linux which is a collection of lightweight system daemons that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic.

psad makes use of Netfilter log messages to detect, alert, and (optionally) block port scans and other suspect traffic. For tcp scans psad analyzes tcp flags to determine the scan type (syn, fin, xmas, etc.) and corresponding command line options that could be supplied to nmap to generate such a scan. In addition, psad makes use of many tcp, udp, and icmp signatures contained within the Snort intrusion detection system.

Install psad under Debian / Ubuntu Linux

Type the following command to install psad, enter:
$ sudo apt-get update
$ sudo apt-get install psad

Configure psad

Open /etc/syslog.conf file, enter:
# vi /etc/syslog.conf
Append following code       |/var/lib/psad/psadfifo

Alternatively, you can type the following command to update syslog.conf:
echo -e ’\t|/var/lib/psad/psadfifo’ >> /etc/syslog.conf
psad Syslog needs to be configured to write all messages to a named pipe /var/lib/psad/psadfifo. Close and save the file. Restart syslog:
# /etc/init.d/sysklogd restart
# /etc/init.d/klogd

The default psad file is located at /etc/psad/psad.conf:
# vi /etc/psad/psad.conf
You need to setup correct email ID to get port scan detections messages and other settings as follows:


Set machine hostname (FQDN):

HOSTNAME          ;

If you have only one interface on box (such as colo web server or mail server), sent HOME_NET to none:

HOME_NET                NOT_USED;  ### only one interface on box

You may also need to adjust danger levels as per your setup. You can also define a set of ports to ignore, for example to have psad ignore udp ports 53 and 5000, use:

IGNORE_PORTS                udp/53, udp/5000;

You can also enable real time iptables blocking, by setting following two variables:

ENABLE_AUTO_IDS             Y;

psad has many more options, please read man pages for further information. Save and close the file. Restart psad:
# /etc/init.d/psad restart

Update iptables rules

psad need following two rules with logging enabled:

iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG 

Here is my sample Debian Linux desktop firewall script with logging enabled at the end:

echo "Starting IPv4 Wall..."
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
modprobe ip_conntrack
BADIPS=$(egrep -v -E "^#|^$" /root/scripts/blocked.fw)
# DROP all incomming traffic
# block all bad ips
for ip in $BADIPS
    $IPT -A INPUT -s $ip -j DROP
    $IPT -A OUTPUT -d $ip -j DROP
# sync
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Syn"
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
# Fragments
$IPT -A INPUT -i ${PUB_IF} -f  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
$IPT -A INPUT -i ${PUB_IF} -f -j DROP
# block bad stuff
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# Allow full outgoing connection but no incomming stuff
$IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow ssh only
$IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT
$IPT -A OUTPUT -p tcp --sport 22 -j ACCEPT
# allow incoming ICMP ping pong stuff
$IPT -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# No smb/windows sharing packets - too much logging
$IPT -A INPUT -p tcp -i eth0 --dport 137:139 -j REJECT
$IPT -A INPUT -p udp -i eth0 --dport 137:139 -j REJECT
# Log everything else
# *** Required for psad ****
# Start ipv6 firewall
# echo "Starting IPv6 Wall..."
exit 0

How do I view port scan report?

Simply type the following command:
# psad -S
Sample output (some of the sensitive / personally identified parts have been removed):

[+] psadwatchd (pid: 2540)  %CPU: 0.0  %MEM: 0.0
    Running since: Sun Jul 27 07:14:56 2008

[+] kmsgsd (pid: 2528)  %CPU: 0.0  %MEM: 0.0
    Running since: Sun Jul 27 07:14:55 2008

[+] psad (pid: 2524)  %CPU: 0.0  %MEM: 0.8
    Running since: Sun Jul 27 07:14:55 2008
    Command line arguments: -c /etc/psad/psad.conf
    Alert email address(es):

    src:            dst:            chain:  intf:  tcp:  udp:  icmp:  dl:  alerts:  os_guess:  xx.22.zz.121    INPUT   eth0   1     0     0      2    2        - xx.22.zz.121    INPUT   eth0   1     0     0      2    2        - xx.22.zz.121    INPUT   eth0   1     0     0      2    2        -   xx.22.zz.121    INPUT   eth0   1     0     0      2    2        -
    122.167.xx.11   xx.22.zz.121    INPUT   eth0   4642  0     0      4    50       -
    122.167.xx.80   xx.22.zz.121    INPUT   eth0   0     11    0      1    2        -
    123.134.xx.34   xx.22.zz.121    INPUT   eth0   20    0     0      2    9        -
    125.161.xx.3    xx.22.zz.121    INPUT   eth0   0     9     0      1    4        -
    125.67.xx.7     xx.22.zz.121    INPUT   eth0   1     0     0      2    2        - xx.22.zz.121    INPUT   eth0   0     9     0      1    3        - xx.22.zz.121    INPUT   eth0   0     10    0      1    2        -
    202.xx.23x.196  xx.22.zz.121    INPUT   eth0   0     13    0      1    10       -
    202.xx.2x8.197  xx.22.zz.121    INPUT   eth0   0     20    0      2    17       -  xx.22.zz.121    INPUT   eth0   0     17    0      2    12       -  xx.22.zz.121    INPUT   eth0   0     18    0      2    15       -  xx.22.zz.121    INPUT   eth0   0     17    0      2    14       -  xx.22.zz.121    INPUT   eth0   0     15    0      2    12       -  xx.22.zz.121    INPUT   eth0   0     21    0      2    16       -  xx.22.zz.121    INPUT   eth0   12    0     0      2    6        Windows XP/2000
    211.90.xx.14    xx.22.zz.121    INPUT   eth0   1     0     0      2    2        -   xx.22.zz.121    INPUT   eth0   0     0     1      2    2        - xx.22.zz.121    INPUT   eth0   0     35    0      2    31       -  xx.22.zz.121    INPUT   eth0   0     33    0      2    21       -  xx.22.zz.121    INPUT   eth0   0     33    0      2    27       -  xx.22.zz.121    INPUT   eth0   0     39    0      2    26       -  xx.22.zz.121    INPUT   eth0   0     33    0      2    19       -  xx.22.zz.121    INPUT   eth0   0     40    0      2    33       -  xx.22.zz.121    INPUT   eth0   0     14    0      1    11       -  xx.22.zz.121    INPUT   eth0   0     18    0      2    15       -

    Netfilter prefix counters:
        "SPAM DROP Block": 161519
        "Drop Syn Attacks": 136

    Total scan sources: 95
    Total scan destinations: 1

    Total packet counters:
        tcp:  5868
        udp:  164012
        icmp: 2

How do I remove automatically blocked ips?

Simply type the following command to remove any auto-generated firewall block
# psad -F

How do I view detailed log for each IP address?

Go to /var/log/psad/ip.address/ directory. For example, view log for IP address, enter:
# cd /var/log/psad/
# ls -l

Sample output:

-rw------- 1 root root 2623 2008-07-30 13:02 xx.22.zz.121_email_alert
-rw------- 1 root root   32 2008-07-30 13:02 xx.22.zz.121_packet_ctr
-rw------- 1 root root    0 2008-07-29 00:27 xx.22.zz.121_signatures
-rw------- 1 root root   11 2008-07-30 13:02 xx.22.zz.121_start_time
-rw------- 1 root root    2 2008-07-30 13:02 danger_level
-rw------- 1 root root    2 2008-07-30 13:02 email_count
-rw------- 1 root root 1798 2008-07-29 00:27 whois

Use cat / more or less command to view rest of the information.

Further readings:

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 34 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
34 comments… add one
  • Diya Aug 6, 2008 @ 14:28

    I was not aware of psad. Thanks for writing out tutorial.

  • tachiiNiiJinx Aug 7, 2008 @ 19:35

    I append the following code ( |/var/lib/psad/psadfifo) to /etc/syslog.conf. Which will save just fine, but I enter the following at the command line with or without sudo, echo -e ’\t|/var/lib/psad/psadfifo’ >> /etc/syslog.conf. I am getting am Permission Denied error. Do I need to use chmod to set the permission’s to the User, Group, or Other?

  • John Allen Aug 13, 2008 @ 8:17

    You must be the real root user for the >> to work.

    When using sudo you will execute the echo command as root, but the >> redirect is executed as the current user.

    • somename Nov 9, 2011 @ 5:57

      that’s what `sudo su` is for :p

      • S0AndS0 Jun 16, 2015 @ 23:23

        I prefer using sudo tee with option ‘-a’ to append to files, it uses pipes ‘|’ instead of redirects ‘>’ or ‘>>’ and has an added bonus of displaying what was written.
        echo “text to add” | sudo tee -a /file/path/file.ext
        echo “text to fill” | sudo tee /file/path/new_file.ext
        ~ To keep variables from being expanded premeturly replace double quotes with single
        echo ‘text to add’ | sudo tee -a /file/path/file.ext
        echo ‘text to fill’ | sudo tee /file/path/new_file.ext
        ~ to be safe always use -a to append with tee; it’s kinda like the differance between ‘>’ and ‘>>’ one will over-write and the other will add.

  • Noah Aug 18, 2008 @ 19:45

    PSAD has been only an annoyance to me as an administrator. Often I use nmap to do perfectly legitimate scans of a clients machine for debugging purposes. I setup tools for automating data feeds between my servers and client servers. Data feeds can go over HTTP, SSH, various direct database sockets, FTP, etc. Often there are firewalls in the way or a client might not have a required service active and running or they might have configured a service on a non-standard port. I’m sure there are lots of other reasons that I can’t even remember now.

    Clients that use PSAD hinder debugging. All of my servers are under constant automated attack by bots. This is simply the nature of the internet. None of these bots do port scanning. Some of them do scan a range of IP addresses looking for specific ports with running services, so I can see the value of a system could be to detect when someone may be scanning a range of IP address. But systems that detect port scans on an individual IP address seem overkill.

  • Ryan Jan 6, 2009 @ 7:09

    Nice howto. Thank you.

  • Asaduzzaman Shuvo Feb 18, 2009 @ 7:59

    How to observe deny web site Ip address or port in Linux Redhat squid server?

  • Linuxnoob Mar 31, 2009 @ 16:07

    Anyone know if I could some how run this in the firmware DD-WRT. Like in a SSH session? or can I just save thos IPtables to the firewall.

  • Munch Jun 23, 2009 @ 12:41

    What version of psad should I use for centOS?
    Is installation procedure of psad for centOS same as above?

  • glas Oct 22, 2009 @ 20:18

    apt-get install Thank you very much.
    Nice tutorial.

  • bonkhi Nov 3, 2009 @ 10:15

    Had no ideal of psad……………….. thanks

  • cybernet Nov 16, 2009 @ 10:28

    what i do with this ?

    echo “Starting IPv4 Wall…”
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t mangle -F
    $IPT -t mangle -X
    modprobe ip_conntrack

  • deni Dec 8, 2009 @ 14:05

    any commands how to detect the ddos from where attacking my servers pls.?

  • tunmsk Dec 22, 2009 @ 17:17

    do psad can be configured with rsyslog on a debian lenny?

  • Vlado Mar 24, 2010 @ 18:04

    One thing to have in mind is the huge hdd space required for psad. My /var/log/ grew up with around 1Gb for like 20mins!

    • Istvan C Mar 27, 2015 @ 13:21

      Use logrotate to shrink your logs

  • emcgfx Jun 16, 2010 @ 10:25

    This option bellow:
    BADIPS=$(egrep -v -E “^#|^$” /home/tux/blocked.fw)

    Needs to be this in Ubuntu 10.04:
    BADIPS=$(egrep -v -e “^#|^$” /home/tux/blocked.fw)

    NOTES: Simply use lower case “e” instead of capital one ;-)

    Works like a charm, thanks CyberCiti Authors.

  • rokin Jun 22, 2010 @ 20:58

    Hello all, thank for the tuto.

    But psad “don’t work” with Debian Lenny and rsyslog (default) :(
    cf :
    I have test modifications, after, psad launch good but the psadfifo are empty and no detections :(

    sorry for my bad english.
    can you have a solution or a similar software ?

    thank you very much !

  • cviniciusm Sep 3, 2010 @ 14:41

    PSAD is broken on the Ubuntu 10.04 (Lucid Lynx) and on the new beta 10.10 (Maverick).

    And nice job.


    • skullboxx Sep 21, 2010 @ 13:19

      Can’t confirm that, PSAD is working fine on my Ubuntu 10.04.1 LTS Box.


  • sniper Dec 10, 2010 @ 7:56

    Hi all
    How could I whitliste IPs? PSAD is everytime blocking my resolver in my network and the lo interface… :-(


  • sniper Dec 10, 2010 @ 19:31

    Hi All
    On Ubuntu Server 10.10 it works fine.
    On Debian Lenny psad does not work. The counters be ever 0.
    What could I do on the Debian Lenny Server, to become psad to work?

  • Gargonzo Bastardo van Rothschildt Jan 30, 2011 @ 0:50

    This is a stupid configuration, because it will write Gigabytes of Data in your log directory – you will literally DOS yourself. Are you using this in real life anywhere? I assume, that you are not a sysadmin anymore then?
    PSAD documentation explains that you should redirect the iptables info into the fifo file – and if your harddisk is filled up with iptables logs you will understand why.

  • Raul Mar 12, 2011 @ 7:53

    sniper psad on Debian Lenny works well.If your not, that’s your mistake.You have to pay attention to configure psad.conf file.
    Best regards,

  • cviniciusm Mar 12, 2011 @ 12:55


    There is a bug on the 10.04 package, I filed a bug on Ubuntu Launchpad.

    The original psad there is not the bug.

    I solved the bug disabling the line that sends e-mail to .


  • Prakash May 13, 2011 @ 4:13


    Please let me know the steps for installation of above for centos.

    Awaiting for your reply.


  • Alex Oct 9, 2011 @ 8:26

    Thank you!
    It works perfect!

  • Yonatan Ryabinski Nov 15, 2011 @ 4:58

    Thank you very much!

  • fix Jan 3, 2012 @ 20:07

    what kind of an asshole would want to block outgoing nmap scans???

  • joshlinx Jan 14, 2012 @ 19:31

    Note the authors other software as well excellent security software. fwsnort to use snort rules with firewall and fwknop for single packet authentication for port access. I have also bought the book and recommend reading it, very useful security software.

  • sanchit Jan 19, 2013 @ 19:56

    Can you post a psad tutorial for centos?

  • Silvio Mar 4, 2014 @ 20:58

    Thanks for howto, on Gentoo run perfect. Only one problem is, the logfile will be full is there a way to limited?

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum