
NAME
       portsentry - detect portscan activity

SYNOPSIS
       portsentry [ -tcp | -stcp | -atcp ]
       portsentry [ -udp | -sudp | -audp ]

DESCRIPTION
       This manual page documents briefly the portsentry command.  This manual
       page was written for the Debian GNU/Linux distribution because the
       original program does not have a manual page.

       portsentry is a program that tries to detect portscans on network
       interfaces, with the ability to detect stealth scans.  On alarm,
       portsentry can block the scanning machine via hosts.deny (see
       hosts_access(5)), a firewall rule (see ipfwadm(8), ipchains(8) and
       iptables(8)) or a dropped route (see route(8)).

OPTIONS
       For details on the various modes see

       -tcp   tcp portscan detection on ports specified under TCP_PORTS in the
              config file /etc/portsentry/portsentry.conf.

       -stcp  As above but additionally detect stealth scans.

       -atcp  Advanced tcp or inverse mode.  Portsentry binds to all unused
              ports below ADVANCED_PORTS_TCP given in the config file

       -udp   udp portscan detection on ports specified under UDP_PORTS in the
              config file /etc/portsentry/portsentry.conf.

       -sudp  As above but additionally detect "stealth" scans.

       -audp  Advanced udp or inverse mode.  Portsentry binds to all unused
              ports below ADVANCED_PORTS_UDP given in the config file

CONFIGURATION
       portsentry keeps all its configuration files in /etc/portsentry.
       portsentry.conf is portsentry's main configuration file.  See
       portsentry.conf(5) for details.

       The file portsentry.ignore contains a list of all hosts that are
       ignored if they connect to a tripwired port.  It should contain at
       least the localhost address and the IP addresses of all local
       interfaces.  You can ignore whole subnets by using the notation <IP
       Address>/<Netmask Bits>.  It is *not* recommended to put in every
       machine IP on your network.  It may be important for you to see who is
       connecting to you, even if it is a "friendly" machine.  This can help
       you detect internal host compromises faster.

       If you use the /etc/init.d/portsentry script to start the daemon,
       portsentry.ignore is rebuilt on each start of the daemon using
       portsentry.ignore.static and all the IP addresses found on the machine
       via ifconfig.
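       The two paragraphs above describe the ignore list: bare addresses,
       <IP Address>/<Netmask Bits> subnets, and a rebuild at daemon start
       from portsentry.ignore.static plus the local interface addresses.  The
       following Python is an added example, not code from portsentry or from
       the Debian init script; it shows how such a list is parsed and matched,
       and why ignoring a whole LAN subnet hides the "friendly" neighbour the
       text warns about.  The static list, the local addresses and the probe
       addresses are constructed sample data.

```python
# Added example, not code from portsentry or its Debian init script: parse a
# portsentry.ignore-style list, rebuild one from a static list plus the local
# interface addresses (as the man page says /etc/init.d/portsentry does), and
# check whether a connecting address falls inside the ignore list.
import ipaddress


def parse_ignore(text):
    """Turn ignore-file text into ip_network objects.

    Bare addresses become single-host networks (/32 or /128); the
    <IP Address>/<Netmask Bits> form is taken as a subnet.  Comments and
    blank lines are skipped.
    """
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def rebuild_ignore(static_text, local_addrs):
    """Static entries first, then every local interface address, no duplicates."""
    seen, out = set(), []
    static_entries = [l.split("#", 1)[0].strip() for l in static_text.splitlines()]
    for entry in static_entries + list(local_addrs):
        if entry and entry not in seen:
            seen.add(entry)
            out.append(entry)
    return "\n".join(out) + "\n"


def is_ignored(addr, nets):
    """True if addr matches any host or subnet in the parsed ignore list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


# Constructed sample data (not real hosts): a static list and the addresses an
# init script would collect from the machine's interfaces.
STATIC_IGNORE = "# constructed portsentry.ignore.static\n127.0.0.1\n10.0.0.0/8  # lab net\n"
LOCAL_ADDRS = ["127.0.0.1", "192.0.2.10"]


def demo():
    """Rebuild the list and classify a few connecting addresses."""
    ignore_text = rebuild_ignore(STATIC_IGNORE, LOCAL_ADDRS)
    nets = parse_ignore(ignore_text)
    # 192.0.2.77 is a neighbour on the host's own /24: it is NOT ignored,
    # so a scan from it would still be reported.
    probes = ["10.1.2.3", "192.0.2.10", "192.0.2.77", "203.0.113.5"]
    return ignore_text, {p: is_ignored(p, nets) for p in probes}


if __name__ == "__main__":
    text, verdicts = demo()
    print(text)
    for addr, ignored in verdicts.items():
        print(f"{addr:>14}  {'ignored' if ignored else 'would trigger'}")
```

       Only the host's own interface address on 192.0.2.0/24 is ignored;
       had the static list carried 192.0.2.0/24 instead, a scan from
       192.0.2.77 would be silently dropped, which is the loss of visibility
       the page advises against.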

       /etc/default/portsentry specifies in which protocol modes portsentry
       should be started from /etc/init.d/portsentry.  There are currently two
       settings, one per protocol:

              either tcp, stcp or atcp (see OPTIONS above).

              either udp, sudp or audp (see OPTIONS above).

       The options above correspond to portsentry's commandline arguments.  For
       example TCP_MODE="atcp" has the same effect as starting portsentry
       using portsentry -atcp.  Only one mode per protocol can be started at a
       time (i.e. one tcp and one udp mode).

FILES
       /etc/portsentry/portsentry.conf
              main configuration file

       /etc/portsentry/portsentry.ignore
              IP addresses to ignore

       /etc/portsentry/portsentry.ignore.static
              static IP addresses to ignore

       /etc/default/portsentry
              startup options

       /etc/init.d/portsentry
              script responsible for starting and stopping the daemon

              blocked hosts (cleared upon reload)

              history file

SEE ALSO
       portsentry.conf(5), hosts_access(5), hosts_options(5), route(8),
       ipfwadm(8), ipchains(8), iptables(8), ifconfig(8)

AUTHOR
       portsentry was written by Craig H. Howland.

       This manual page was stitched together by Guido Guenther, for the
       Debian GNU/Linux system (but may be used by others).  Some parts are
       just a cut and paste from the original