Man Linux: Main Page and Category List


       portsentry.conf - portsentry´s main configuration file


       This  manual  page  documents  briefly  the  format  of portsentry´s(8)
       configuration file.


              A comma delimited string of TCP ports  you  want  PortSentry  to
              listen  to.  This  string can NOT have any spaces in it. You can
              put in as many sockets as you want. PortSentry will try to  bind
              them all up until the default limit of 64.

              For  the stealth scan detection modes, the ports are not "bound"
              per  se,  but  they  are  monitored  at  the  socket  level  for

              For the Advanced Stealth Scan Detection (see below) this list is

              The same as above, except for UDP ports. You  need  to  be  very
              careful  with UDP mode as an attacker can forge a port sweep and
              make you block  any  number  of  hosts.  Use  this  option  with
              caution,  or  not  at  all if your host is a well-known Internet
              connected system.

              For the Advanced Stealth Scan Detection (see below) this list is

              A  number  indicating  the  highest  port number to monitor down
              from. Any port  *below*  this  number  is  then  monitored.  The
              default  is 1024 (reserved port range), but can be made as large
              as 65535 (system max). It’s recommended  going  over  1024  with
              this option.

              Same as above, except for UDP.

              A  comma  delimited  string of TCP ports that should be manually
              excluded from monitoring in Advanced mode.  These  are  normally
              ports  that  may  get  hit  by  mistake  by  remote  clients and
              shouldn’t cause alarms (ident, SSL, etc).

              Same as above, except for UDP.

              The path to the file that contains IP  addresses  of  hosts  you
              want to always be ignored.

              The  path  to the file that contains the IP addresses of blocked

       RESOLVE_HOST - This option turns off DNS resolution for
              hosts. If you have a slow DNS server it may be more effective to
              turn off resolution.

              This  option  disables  all  automatic  responses to UDP probes.
              Because UDP can be easily forged, it may allow  an  attacker  to
              start  a  denial  of  service attack against the protected host,
              causing it to block all manner of hosts that should normally  be
              left  alone.  Setting  this  option  to  "0"  will  disable  all
              responses, although the connects are still logged.  This  option
              is  mainly useful for Internet exposed hosts. For internal hosts
              you should leave this enabled. If someone internally  is  firing
              spoofed packets at you, then you have a much bigger problem than
              a denial of service.

              Same as above, but for TCP. Packet  forgery  is  not  as  big  a
              problem  though  because  PortSentry waits for a full connect to
              occur and this is much harder to forge in the basic modes. Leave
              this  enabled,  even  for  Internet connected hosts. For stealth
              scan detection modes the UDP warning applies:

                   An attacker can cause you to block hosts you don’t want  to
                   through  packet  forgery. I wouldn’t worry about this until
              it is a      problem, but you should be aware of it.

              This is the command to  run  to  drop  the  offending  route(see
              route(8))  if  an attack is detected. This is the *full path* to
              the route command along with the necessary  parameters  to  make
              the  command  work.  The macro $TARGET$ will be substituted with
              the attacking host IP and  is  REQUIRED  in  this  option.  Your
              gateway  should  be  a  *dead host* on the local subnet. On some
              systems though  you  can  just  put  in  the  localhost  address
              (  and  this  will probably work. All packets from the
              target host will get routed to this address so don’t  mess  this
              up.   More  modern route commands will include a "-blackhole" or
              "-reject" flag.  Check your  man(1)  pages  and  if  your  route
              command  supports  this feature you should use it (although it’s
              recommend using packet filtering instead, see below).

              Also  be  aware  that  this  creates  what  is   known   as   an
              "asynchronous  route"  which  basically means packets enter your
              host via one route and are sent out  on  another  (dead)  route.
              This  works  OK  for  full TCP connect requests, but for UDP and
              stealth  scan  modes  it  still  allows  packets   to   activate
              PortSentry  and you may get a series of "already blocked" alarms
              by PortSentry. For UDP scans this method prevents ICMP  messages
              from  returning  to  the  attacker  so  all  ports  appear open.
              However, if the attacker is performing an  actual  exploit  with
              UDP the drop route method will not work.  The asynchronous route
              allows the packet to hit  the  system  and  the  attacker  could
              perform  a  "blind"  attack  with  UDP  if  they  know  what the
              responses are going to be.

              By far the best method is to use the local  packet  filter  (see
              ipfwadm(8),  ipchains(8),  or  iptables(8)).   This  is  a  much
              cleaner solution and is detailed in the config file.  The  macro
              $PORT$  will  substitute  the  port that was connected to by the
              attacker, but this is NOT required for this  option.  The  macro
              $MODE$  reports  what  mode  the blocking occurred in (tcp, udp,
              stcp, sudp, atcp, audp) but is also NOT required.

              This is the format of the string to  drop  into  the  hosts.deny
              file   that   TCP   wrappers   uses(see   hosts_access(5),   and
              hosts_options(5)).  Again the $TARGET$ macro is expanded out  to
              be  the IP of the attacker and is required. You can also drop in
              any TCP wrapper escape codes here as well (%h, twist, etc).  The
              macro  $PORT$  will substitute the port that was connected to by
              the attacker, but this is NOT required  for  this  option.   The
              macro  $MODE$  reports  what mode the blocking occurred in (tcp,
              udp, stcp, sudp, atcp, audp) but is also NOT required.

              This is a command you want run *before* the route is dropped  to
              the  attacker.  You  can  put  in  any  program/script  you want
              executed when an attack is detected. WE NEVER RECOMMEND  PUTTING
              time you’re are port scanned the host  doing  the  scanning  has
              been  compromised  itself.   Therefore, if you retaliate you are
              probably attacking an  innocent(?)   party.  Also  the  goal  of
              security  is  to  make  the  person  GO  AWAY. You don’t want to
              irritate them into  making  a  personal  vendetta  against  you.
              Remember,  even  a 13 year old can run a [insert favorite D.O.S.
              program here] attack against you from their Windows box to  make
              your  life  miserable. As above, the $TARGET$, $PORT$ and $MODE$
              macros are available to you but they are not required with  this
              option as above.

              Setting this to "1" makes the command above run before the route
              is dropped. Setting it to "0" makes the command run  aftter  the
              blocking has occurred.

              PortSentry  has  a  state  engine  that will remember hosts that
              connected to it. Setting this  value  will  tell  PortSentry  to
              allow  X  number  of grace port hits before it reacts. This will
              detect both sequential and random port sweeps. The default is  0
              which  will  react  immediately. A setting of 1 or 2 will reduce
              false alarms, anything higher is probably too much  as  anything
              more  than  3  hits  to  different  ports  is  pretty suspicious
              behavior.  Usually  you  can  leave  this  at  0   without   any
              consequence,   with  the  exception  of  Advanced  stealth  scan
              detection modes where you may create a  "hair  trigger"  if  you
              aren’t careful. Use your own discretion.

              A  text  banner you want displayed to the connecting host if the
              PortSentry is activated. Leave this commented out if  you  don’t
              want this feature. If you do use it, try not to taunt the person
              too badly. It’s recommended keeping it professional and  to  the
              point. The banner is *not* displayed when stealth scan detection
              modes are used.


       portsentry(8), hosts_access(5), hosts_options(5), route(8), ipfwadm(8),



       portsentry was written by Craig H. Howland <>.

       This  manual  page  is  essentially  just  a  "cut  and paste" from the
       README.install    file    and    was    done    by    Guido    Guenther
       <>(hopefully  without  adding  too  many errors), for the
       Debian GNU/Linux system (but may be used by others).