Man Linux: Main Page and Category List

NAME

       portsentry - detect portscan activity

SYNOPSIS

       portsentry [ -tcp | -stcp | -atcp ]
       portsentry [ -udp | -sudp | -audp ]

DESCRIPTION

       This manual page documents briefly the portsentry command.  This manual
       page was written for the  Debian  GNU/Linux  distribution  because  the
       original program does not have a manual page.

       portsentry  is  a  program  that  tries  to detect portscans on network
       interfaces  with  the  ability  to  detect  stealth  scans.  On   alarm
       portsentry   can   block  the  scanning  machine  via  hosts.deny  (see
       hosts_access(5),  firewall  rule  (see  ipfwadm(8),   ipchains(8)   and
       iptables(8)) or dropped route (see route(8)).

OPTIONS

       For       details       on       the       various       modes      see
       /usr/share/doc/portsentry/README.install

       -tcp   tcp portscan detection on ports specified under TCP_PORTS in the
              config file /etc/portsentry/portsentry.conf.

       -stcp  As above but additionally detect stealth scans.

       -atcp  Advanced  tcp  or  inverse  mode. Portsentry binds to all unused
              ports  below  ADVANCED_PORTS_TCP  given  in  the   config   file
              /etc/portsentry/portsentry.conf.

       -udp   udp portscan detection on ports specified under UDP_PORTS in the
              config file /etc/portsentry/portsentry.conf.

       -sudp  As above but additionally detect "stealth" scans.

       -audp  Advanced udp or inverse mode. Portsentry  binds  to  all  unused
              ports   below   ADVANCED_PORTS_UDP  given  in  the  config  file
              /etc/portsentry/portsentry.conf.

CONFIGURATION FILES

       portsentry  keeps  all  its  configuration  files  in  /etc/portsentry.
       portsentry.conf   is   portsentry’s   main   configuration   file.  See
       portsentry.conf(5) for details.

       The file portsentry.ignore contains  a  list  of  all  hosts  that  are
       ignored,  if  they  connect  to  a tripwired port. It should contain at
       least the localhost(127.0.0.1), 0.0.0.0 and the  IP  addresses  of  all
       local  interfaces. You can ignore whole subnets by using a notation <IP
       Address>/<Netmask Bits>.  It  is   *not*  recommend  putting  in  every
       machine  IP  on your network. It may be important for you to see who is
       connecting to you, even if it is a "friendly" machine.  This  can  help
       you detect internal host compromises faster.

       If  you  use  the  /etc/init.d/portsentry  script  to start the daemon,
       portsentry.ignore  is  rebuild  on  each  start  of  the  daemon  using
       portsentry.ignore.static  and all the IP addresses found on the machine
       via ifconfig.

       /etc/default/portsentry specifies in which  protocol  modes  portsentry
       should  be  startet from /etc/init.d/portsentry There are currently two
       options:

       TCP_MODE=
              either tcp, stcp or atcp (see OPTIONS above).

       UDP_MODE=
              either udp, sudp or audp (see OPTIONS above).

       The options above correspond to portsentry’s commandline arguments. For
       example  TCP_MODE="atcp"  has  the  same  effect as to start portsentry
       using portsentry -atcp.  Only one mode per protocol can be started at a
       time (i.e. one tcp and one udp mode).

FILES

       /etc/portsentry/portsentry.conf main configuration file

       /etc/portsentry/portsentry.ignore
              IP addresses to ignore

       /etc/portsentry/portsentry.ignore.static
              static IP addresses to ignore

       /etc/default/portsentry
              startup options

       /etc/init.d/portsentry
              script responsible for starting and stopping the daemon

       /var/lib/portsentry/portsentry.blocked.*
              blocked hosts(cleared upon reload)

       /var/lib/portsentry/portsentry.history
              history file

SEE ALSO

       portsentry.conf(5),    hosts_access(5),   hosts_options(5),   route(8),
       ipfwadm(8), ipchains(8), iptables(8), ifconfig(8)

       /usr/share/doc/portsentry/README.install

AUTHOR

       portsentry was written by Craig H. Howland <crowland@users.sf.net>.

       This  manual   page   was   stitched   together   by   Guido   Guenther
       <agx@debian.org>,  for  the Debian GNU/Linux system (but may be used by
       others). Some parts  are  just  a  cut  and  paste  from  the  original
       documentation.