SYNOPSIS

portsentry [ -tcp | -stcp | -atcp ]

portsentry [ -udp | -sudp | -audp ]

DESCRIPTION

This manual page documents briefly the portsentry command. This manual page was written for the Debian GNU/Linux distribution because the original program does not have a manual page.

portsentry is a program that tries to detect portscans on network interfaces with the ability to detect stealth scans. On alarm portsentry can block the scanning machine via hosts.deny (see hosts_access(5), firewall rule (see ipfwadm(8), ipchains(8) and iptables(8)) or dropped route (see route(8)).

OPTIONS

For details on the various modes see /usr/share/doc/portsentry/README.install

-tcp

tcp portscan detection on ports specified under TCP_PORTS in the config file /etc/portsentry/portsentry.conf.

-stcp

As above but additionally detect stealth scans.

-atcp

Advanced tcp or inverse mode. Portsentry binds to all unused ports below ADVANCED_PORTS_TCP given in the config file /etc/portsentry/portsentry.conf.

-udp

udp portscan detection on ports specified under UDP_PORTS in the config file /etc/portsentry/portsentry.conf.

-sudp

As above but additionally detect "stealth" scans.

-audp

Advanced udp or inverse mode. Portsentry binds to all unused ports below ADVANCED_PORTS_UDP given in the config file /etc/portsentry/portsentry.conf.

CONFIGURATION FILES

portsentry keeps all its configuration files in /etc/portsentry. portsentry.conf is portsentry's main configuration file. See portsentry.conf(5) for details.

The file portsentry.ignore contains a list of all hosts that are ignored, if they connect to a tripwired port. It should contain at least the localhost(127.0.0.1), 0.0.0.0 and the IP addresses of all local interfaces. You can ignore whole subnets by using a notation <IP Address>/<Netmask Bits>. It is *not* recommend putting in every machine IP on your network. It may be important for you to see who is connecting to you, even if it is a "friendly" machine. This can help you detect internal host compromises faster.

If you use the /etc/init.d/portsentry script to start the daemon, portsentry.ignore is rebuild on each start of the daemon using portsentry.ignore.static and all the IP addresses found on the machine via ifconfig.

/etc/default/portsentry specifies in which protocol modes portsentry should be startet from /etc/init.d/portsentry There are currently two options:

TCP_MODE=

either tcp, stcp or atcp (see OPTIONS above).

UDP_MODE=

either udp, sudp or audp (see OPTIONS above).

The options above correspond to portsentry's commandline arguments. For example TCP_MODE="atcp" has the same effect as to start portsentry using portsentry -atcp. Only one mode per protocol can be started at a time (i.e. one tcp and one udp mode).

FILES

/etc/portsentry/portsentry.conf main configuration file

/etc/portsentry/portsentry.ignore

IP addresses to ignore

/etc/portsentry/portsentry.ignore.static

static IP addresses to ignore

/etc/default/portsentry

startup options

/etc/init.d/portsentry

script responsible for starting and stopping the daemon

/var/lib/portsentry/portsentry.blocked.*

blocked hosts(cleared upon reload)

/var/lib/portsentry/portsentry.history

history file

RELATED TO portsentry…

portsentry.conf(5), hosts_access(5), hosts_options(5), route(8), ipfwadm(8), ipchains(8), iptables(8), ifconfig(8)

/usr/share/doc/portsentry/README.install

AUTHOR

portsentry was written by Craig H. Howland <[email protected]>.

This manual page was stitched together by Guido Guenther <[email protected]>, for the Debian GNU/Linux system (but may be used by others). Some parts are just a cut and paste from the original documentation.