What is Port Scanning and Why Does it Matter?
In today’s internet landscape, automated bots are constantly crawling the web and scanning IP addresses to find exposed services. These bots often perform port scanning, a technique used to discover open ports and identify which services are running on them — such as web servers, SSH, FTP, or database services.
The goal? Once a bot identifies an active service, it may attempt brute-force attacks, exploit known vulnerabilities, or gather data for future attacks. These scans are not only a threat to your system’s security but also create unnecessary noise in your server logs.
Even if your server is well hardened, blocking hosts that are clearly scanning you cuts log noise and wasted resources, and denies an attacker the reconnaissance that usually precedes a targeted attack. It does not replace closing unneeded ports; it complements it.
How to Detect Scanning Activity
There are many tools available for monitoring suspicious network activity — from intrusion detection systems like Snort and Suricata, to log-based tools like fail2ban. However, in this guide, we’ll focus on using PSAD (Port Scan Attack Detector), a lightweight and effective tool for detecting and responding to port scanning attempts on Linux systems.
What is PSAD?
PSAD is a daemon that analyzes iptables logs to detect port scans, probes, and other suspicious traffic. Unlike basic tools that only react to failed login attempts, PSAD is specifically designed to detect stealthy scan techniques used by attackers to map your server’s open ports.
Key features:
- Detects TCP, UDP, and ICMP scans
- Can distinguish between normal traffic and malicious behavior
- Supports automatic response by blocking IPs
- Sends alerts via email
- Integrates well with an existing iptables firewall
Installing and Configuring PSAD
Now that we understand what PSAD is and why it’s useful, let’s install and configure it on a Linux system that uses iptables.
Step 1: Install PSAD
Update your package lists and install PSAD:
root@frhb95653flex:~# apt update
root@frhb95653flex:~# apt install psad
Step 2: Configure iptables Logging for PSAD
PSAD relies on firewall logs to detect scanning activity. We’ll now create a custom iptables logging chain that PSAD can monitor.
Run the following commands to set it up:
# Create a new logging chain
root@frhb95653flex:~# iptables -N PSAD_LOG
# Log packets with a recognizable prefix and include TCP/IP header options
root@frhb95653flex:~# iptables -A PSAD_LOG -j LOG --log-prefix "[PSAD] " --log-tcp-options --log-ip-options
# Hand the packet back to INPUT so the rest of your rules still decide what happens to it
root@frhb95653flex:~# iptables -A PSAD_LOG -j RETURN
# Send all TCP SYN packets (new connection attempts) to the logging chain
root@frhb95653flex:~# iptables -A INPUT -p tcp --syn -j PSAD_LOG
These rules log every new TCP connection attempt in a format PSAD understands without changing what the firewall does with the packet. Do not end the PSAD_LOG chain with ACCEPT: a chain that accepts would let every SYN bypass any DROP or REJECT rules that come later in INPUT, turning your logging rule into a hole in the firewall. RETURN logs the packet and then continues normal processing.
Two caveats. First, logging every SYN also logs your legitimate clients, so a busy server will produce a lot of log volume; PSAD’s own documentation recommends logging the packets your firewall is about to drop (a LOG rule just before a default DROP policy or a final DROP rule), because connection attempts to closed ports are exactly what reveals a scan. Second, by default PSAD parses every iptables LOG message it sees (FW_SEARCH_ALL is set to Y in /etc/psad/psad.conf), so the "[PSAD] " prefix is mainly there to make the lines easy to find when you read the logs yourself.
Step 3: Prepare PSAD Blocking Chains
To allow PSAD to automatically block IPs that it identifies as hostile, you need to create dedicated chains for blocking traffic:
# Create PSAD blocking chains
root@frhb95653flex:~# iptables -N PSAD_BLOCK_INPUT
root@frhb95653flex:~# iptables -N PSAD_BLOCK_OUTPUT
root@frhb95653flex:~# iptables -N PSAD_BLOCK_FORWARD
# Insert these chains into the main firewall paths
root@frhb95653flex:~# iptables -I INPUT -j PSAD_BLOCK_INPUT
root@frhb95653flex:~# iptables -I OUTPUT -j PSAD_BLOCK_OUTPUT
root@frhb95653flex:~# iptables -I FORWARD -j PSAD_BLOCK_FORWARD
These chains will be used by PSAD when it decides to block an IP address. The -I flag inserts each jump at the top of its parent chain, which matters: a blocked host must be dropped before it reaches the logging rule or anything that would accept it. Note that PSAD creates these chains itself when automatic blocking is enabled (the IPT_AUTO_CHAIN settings in its configuration file control the chain names and positions), so creating them by hand is harmless but optional. The blocking mechanism is automated and can be fully customized via PSAD’s configuration file (/etc/psad/psad.conf), which we’ll cover in the next section.
Step 4: Testing PSAD and Understanding the Output
Once PSAD is installed and your firewall is properly configured, it’s time to test if everything is working correctly.
You can check PSAD’s current status and recent activity using:
root@frhb95653flex:~# psad -S
This command shows a summary of what PSAD has detected and how it has responded. Here’s how to interpret the output:
Example Output:
[psad status]
IP              Danger  Scans  TCP  UDP  ICMP  Flags
192.168.0.105   3       12     10   2    0     [syn, fin]
Explanation of Fields:
- IP: The source IP address that was detected performing a scan or suspicious activity.
- Danger: A rating from 1 (low) to 5 (critical) indicating how serious PSAD considers the activity. It is driven mainly by how many packets the source has had logged, with thresholds you can tune in psad.conf.
- Scans: Number of scan attempts detected.
- TCP/UDP/ICMP: Number of packets logged per protocol.
- Flags: TCP flags seen in the scan, such as SYN, FIN, XMAS, NULL — often indicators of stealth scanning techniques.
If you see entries here, it means PSAD is actively analyzing logs and detecting potential threats.
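To make the link between the "[PSAD] " log lines, the Flags column and the danger levels concrete, here is a small Python script. It is an added example written for this guide; it is not part of PSAD and not code from the original tutorial. It constructs iptables LOG lines in the shape the kernel emits for the rule above, parses them the way PSAD’s log parser begins, and rates each source against PSAD’s default packet-count thresholds (DANGER_LEVEL1 to DANGER_LEVEL5 in /etc/psad/psad.conf: 5, 15, 150, 1500 and 10000 packets). The scoring is a deliberate simplification: real PSAD also matches signatures and tracks port ranges and time windows, which this example leaves out. All IP addresses, ports and log lines are constructed sample data.

```python
"""Toy re-implementation of the first thing PSAD does: parse iptables LOG lines
and tally per-source activity. Constructed sample data; simplified scoring that
only approximates PSAD's real behaviour (no signatures, no time windows)."""
import re
from collections import defaultdict

# PSAD's default packet-count thresholds for danger levels 1..5, as set by
# DANGER_LEVEL1 .. DANGER_LEVEL5 in /etc/psad/psad.conf.
DANGER_THRESHOLDS = ((5, 1), (15, 2), (150, 3), (1500, 4), (10000, 5))
AUTO_IDS_DANGER_LEVEL = 3          # the blocking threshold used in this guide

TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
PREFIX_RE = re.compile(r"\[PSAD\] (?P<fields>.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def make_log_line(src, dpt, flags, dst="198.51.100.7"):
    """Build a constructed kernel LOG line in the layout iptables emits."""
    flag_str = " ".join(flags)
    return (f"Jun  3 10:15:22 frhb95653flex kernel: [PSAD] IN=eth0 OUT= "
            f"MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC={src} DST={dst} "
            f"LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=4711 PROTO=TCP SPT=54321 "
            f"DPT={dpt} WINDOW=1024 RES=0x00 {flag_str} URGP=0")


def parse_line(line):
    """Return the interesting fields of one [PSAD]-prefixed LOG line,
    or None when the line is not a PSAD log entry (e.g. an sshd message)."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = m.group("fields")
    kv = dict(KV_RE.findall(fields))
    # TCP flags appear as bare tokens (SYN, FIN, ...) rather than KEY=value pairs.
    flags = frozenset(tok for tok in fields.split() if tok in TCP_FLAGS)
    return {
        "src": kv.get("SRC"),
        "proto": kv.get("PROTO"),
        "dpt": int(kv["DPT"]) if kv.get("DPT") else None,
        "flags": flags,
    }


def flag_kind(flags):
    """Name the TCP flag combination the way the psad -S Flags column does."""
    if not flags:
        return "null"
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"
    if flags == {"FIN"}:
        return "fin"
    if flags == {"SYN"}:
        return "syn"
    return "other"


def danger_level(packet_count):
    """Map a per-source packet count onto PSAD's 1..5 scale (0 = below DL1)."""
    level = 0
    for threshold, lvl in DANGER_THRESHOLDS:
        if packet_count >= threshold:
            level = lvl
    return level


def summarize(log_lines):
    """Tally logged packets per source IP and decide which sources
    auto-blocking would act on at AUTO_IDS_DANGER_LEVEL."""
    per_src = defaultdict(lambda: {"packets": 0, "ports": set(), "flags": set()})
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["src"] is None:
            continue
        entry = per_src[rec["src"]]
        entry["packets"] += 1
        if rec["dpt"] is not None:
            entry["ports"].add(rec["dpt"])
        entry["flags"].add(flag_kind(rec["flags"]))
    report = {}
    for src, e in per_src.items():
        dl = danger_level(e["packets"])
        report[src] = {
            "danger": dl,
            "packets": e["packets"],
            "distinct_ports": len(e["ports"]),
            "flags": sorted(e["flags"]),
            "block": dl >= AUTO_IDS_DANGER_LEVEL,
        }
    return report


# Constructed traffic: a SYN sweep over 160 ports, a ten-port XMAS probe, a
# legitimate client opening three HTTPS connections, and one unrelated line.
SAMPLE_LOG = (
    [make_log_line("203.0.113.45", p, ("SYN",)) for p in range(1, 161)]
    + [make_log_line("198.51.100.200", p, ("FIN", "PSH", "URG")) for p in range(20, 30)]
    + [make_log_line("192.0.2.10", 443, ("SYN",)) for _ in range(3)]
    + ["Jun  3 10:15:23 frhb95653flex sshd[1234]: Accepted publickey for ops"]
)

if __name__ == "__main__":
    for src, r in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["danger"]):
        action = "BLOCK" if r["block"] else "watch"
        print(f"{src:16} DL={r['danger']} pkts={r['packets']:4} ports={r['distinct_ports']:3} "
              f"flags={','.join(r['flags'])} -> {action}")
```

Running it shows why the thresholds matter: the 160-port SYN sweep lands at danger level 3 and would be blocked at AUTO_IDS_DANGER_LEVEL 3, the XMAS probe stays at level 1 despite its suspicious flags because it only sent ten packets, and the legitimate client never reaches level 1. It also shows the cost of logging every SYN: the client’s three connections are counted, so a very busy legitimate source could in principle climb the scale, which is why logging dropped packets is the more selective choice.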
Step 5: Enabling Automatic IP Blocking in PSAD
By default, PSAD is configured in monitoring mode only — it detects scans but does not block any IPs unless you explicitly enable this feature.
To activate automatic blocking, open the PSAD configuration file:
root@frhb95653flex:~# nano /etc/psad/psad.conf
Look for the following settings and modify them accordingly:
Key Parameters:
ENABLE_AUTO_IDS Y;
AUTO_IDS_DANGER_LEVEL 3;
AUTO_BLOCK_TIMEOUT 3600;
What These Settings Mean:
- ENABLE_AUTO_IDS: Set this to Y to let PSAD act on what it detects by adding blocking rules, instead of only reporting.
- AUTO_IDS_DANGER_LEVEL: The danger level at which an IP address gets blocked. Danger levels range from 1 (low) to 5 (critical). Setting it to 3 means any source that reaches danger level 3 or higher is blocked; with PSAD’s default thresholds that is roughly 150 logged packets from one source (the thresholds themselves are set by DANGER_LEVEL1 through DANGER_LEVEL5 in the same file). The shipped default is 5, which is very conservative; 3 is a reasonable starting point, but watch psad -S against your own traffic for a while before trusting it, since the logging rule in Step 2 also counts legitimate connections.
- AUTO_BLOCK_TIMEOUT: How long an IP remains blocked, in seconds. 3600 blocks for one hour; 0 blocks permanently until you remove the rule yourself.
After making these changes, save and close the file (Ctrl+X, then Y, then Enter).
Apply the Configuration
To make sure the new settings take effect, restart PSAD:
root@frhb95653flex:~# systemctl restart psad
Now, PSAD will automatically ban IP addresses whose scanning or probing pushes them past the configured danger level. You can monitor what it has seen and done using:
root@frhb95653flex:~# psad -S
or by checking the PSAD logs in /var/log/psad/. To see the iptables rules currently sitting in the PSAD blocking chains, use psad --fw-list, and to lift a block before its timeout expires, use psad --fw-rm-block-ip followed by the address (see man psad for the full set of firewall options).
Step 6: Save iptables Rules
Once you’ve configured all the necessary iptables rules for PSAD to monitor and block suspicious IP addresses, it’s important to save them so they persist after a reboot.
Install the persistent package to auto-load on boot:
debian12-vm:~# apt install iptables-persistent
During installation, it will ask you whether to save the current rules. Select Yes.
If you make future changes, save them again with:
debian12-vm:~# netfilter-persistent save
✅ PSAD is now fully configured with active protection, and your firewall rules are persistent across reboots. Your server is ready to block IP scanning with PSAD effectively!
Source: digitalocean.com