Install Now
portsentry - detect portscan activity
Contents
Configuration Files
portsentry keeps all its configuration files in /etc/portsentry.portsentry.conf is portsentry's main
configuration file. See portsentry.conf(5) for details.
The file portsentry.ignore contains a list of all hosts that are ignored, if they connect to a tripwired
port. It should contain at least the localhost(127.0.0.1), 0.0.0.0 and the IP addresses of all local
interfaces. You can ignore whole subnets by using a notation <IP Address>/<Netmask Bits>. It is *not*
recommend putting in every machine IP on your network. It may be important for you to see who is
connecting to you, even if it is a "friendly" machine. This can help you detect internal host compromises
faster.
If you use the /etc/init.d/portsentry script to start the daemon, portsentry.ignore is rebuild on each
start of the daemon using portsentry.ignore.static and all the IP addresses found on the machine via
ifconfig.
/etc/default/portsentry specifies in which protocol modes portsentry should be startet from
/etc/init.d/portsentry There are currently two options:
TCP_MODE=
either tcp, stcp or atcp (see OPTIONS above).
UDP_MODE=
either udp, sudp or audp (see OPTIONS above).
The options above correspond to portsentry's commandline arguments. For example TCP_MODE="atcp" has the
same effect as to start portsentry using portsentry-atcp. Only one mode per protocol can be started at
a time (i.e. one tcp and one udp mode).
Description
This manual page documents briefly the portsentry command. This manual page was written for the Debian
GNU/Linux distribution because the original program does not have a manual page.
portsentry is a program that tries to detect portscans on network interfaces with the ability to detect
stealth scans. On alarm portsentry can block the scanning machine via hosts.deny (see hosts_access(5),
firewall rule (see ipfwadm(8),ipchains(8) and iptables(8)) or dropped route (see route(8)).
Files
/etc/portsentry/portsentry.conf main configuration file
/etc/portsentry/portsentry.ignore
IP addresses to ignore
/etc/portsentry/portsentry.ignore.static
static IP addresses to ignore
/etc/default/portsentry
startup options
/etc/init.d/portsentry
script responsible for starting and stopping the daemon
/var/lib/portsentry/portsentry.blocked.*
blocked hosts(cleared upon reload)
/var/lib/portsentry/portsentry.history
history file
Name
portsentry - detect portscan activity
Options
For details on the various modes see /usr/share/doc/portsentry/README.install-tcp tcp portscan detection on ports specified under TCP_PORTS in the config file
/etc/portsentry/portsentry.conf.
-stcp As above but additionally detect stealth scans.
-atcp Advanced tcp or inverse mode. Portsentry binds to all unused ports below ADVANCED_PORTS_TCP given
in the config file /etc/portsentry/portsentry.conf.
-udp udp portscan detection on ports specified under UDP_PORTS in the config file
/etc/portsentry/portsentry.conf.
-sudp As above but additionally detect "stealth" scans.
-audp Advanced udp or inverse mode. Portsentry binds to all unused ports below ADVANCED_PORTS_UDP given
in the config file /etc/portsentry/portsentry.conf.
See Also
portsentry.conf(5),hosts_access(5),hosts_options(5),route(8),ipfwadm(8),ipchains(8),iptables(8),ifconfig(8)/usr/share/doc/portsentry/README.install
Synopsis
portsentry[-tcp|-stcp|-atcp]portsentry[-udp|-sudp|-audp]
PNG Icons
Emojis