NAME
portsentry - detect portscan activity

SYNOPSIS
portsentry [ -tcp | -stcp | -atcp ]
portsentry [ -udp | -sudp | -audp ]
DESCRIPTION
This manual page briefly documents the portsentry command. It was written for the Debian GNU/Linux distribution because the original program does not ship a manual page.

portsentry is a program that tries to detect portscans on network interfaces, including stealth scans. On alarm, portsentry can block the scanning machine via hosts.deny (see hosts_access(5)), a firewall rule (see ipfwadm(8), ipchains(8) or iptables(8)) or a dropped route (see route(8)).
OPTIONS
For details on the various modes see portsentry.conf(5).

-tcp   TCP portscan detection on the ports specified under TCP_PORTS in the config file.
-stcp  As above, but additionally detect stealth scans.
-atcp  Advanced TCP or inverse mode. portsentry binds to all unused ports below ADVANCED_PORTS_TCP given in the config file. Because every unused port below that threshold becomes a tripwire, a single connection to any of them from a host not listed in portsentry.ignore is enough to trigger the block.
-udp   UDP portscan detection on the ports specified under UDP_PORTS in the config file.
-sudp  As above, but additionally detect "stealth" scans.
-audp  Advanced UDP or inverse mode. portsentry binds to all unused ports below ADVANCED_PORTS_UDP given in the config file; the same tripwire caveat as for -atcp applies.
FILES
portsentry keeps all its configuration files in /etc/portsentry.

portsentry.conf is portsentry's main configuration file. See portsentry.conf(5) for details.

The file portsentry.ignore contains the list of hosts that are ignored if they connect to a tripwired port. It should contain at least localhost (127.0.0.1), 0.0.0.0 and the IP addresses of all local interfaces. You can ignore whole subnets by using the notation <IP address>/<netmask bits>. It is *not* recommended to put every machine IP on your network into this file. It may be important for you to see who is connecting to you, even if it is a "friendly" machine; this can help you detect internal host compromises faster.
If you use the /etc/init.d/portsentry script to start the daemon, portsentry.ignore is rebuilt on each start of the daemon from the static ignore list and all the IP addresses found on the machine.
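The rebuild described above can be reproduced with a small POSIX sh script. This is an added example, not the Debian init script or any portsentry code: it merges the mandatory entries, a static list (path is whatever you keep it under; the file name is not fixed here) and the machine's IPv4 addresses, and it also validates entries against the <IP address>/<netmask bits> notation so a typo in the static list does not silently disable the ignore. The use of iproute2 "ip -4 -o addr show" to enumerate local addresses is an assumption about the host; the address file parameter exists so the merge can be exercised with a constructed list.

```shell
#!/bin/sh
# Added example (not part of portsentry or the Debian init script).
# Rebuild a portsentry.ignore-style list from a static list plus local addresses.

# list_local_ipv4: print every IPv4 address configured on the machine, one per line.
# Assumes iproute2 is installed; output field 4 of "ip -4 -o addr show" is ADDR/PREFIX.
list_local_ipv4() {
    ip -4 -o addr show 2>/dev/null | awk '{ split($4, a, "/"); print a[1] }'
}

# is_valid_ignore_entry ENTRY
# Returns 0 if ENTRY is a dotted-quad IPv4 address, optionally followed by
# /<netmask bits> (0-32), with every octet in 0-255; 1 otherwise.
is_valid_ignore_entry() {
    entry="$1"
    printf '%s\n' "$entry" \
        | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    ip="${entry%%/*}"
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_ignore_list STATIC_FILE [ADDR_FILE]
# Prints the merged ignore list to stdout:
#   1. the mandatory entries 127.0.0.1 and 0.0.0.0,
#   2. the static list with comments, trailing blanks and empty lines stripped,
#   3. the local addresses (from ADDR_FILE if given, else list_local_ipv4).
# Duplicates are dropped while preserving first-seen order; invalid static
# entries are reported on stderr and skipped rather than written to the list.
build_ignore_list() {
    static="$1"
    addrs="${2:-}"
    {
        echo 127.0.0.1
        echo 0.0.0.0
        if [ -f "$static" ]; then
            sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$static" \
            | while IFS= read -r line; do
                if is_valid_ignore_entry "$line"; then
                    printf '%s\n' "$line"
                else
                    printf 'skipping invalid ignore entry: %s\n' "$line" >&2
                fi
            done
        fi
        if [ -n "$addrs" ]; then
            cat "$addrs"
        else
            list_local_ipv4
        fi
    } | awk '!seen[$0]++'
}

# Usage (paths are assumptions, adjust to your layout):
#   build_ignore_list /etc/portsentry/static-ignore-list > /etc/portsentry/portsentry.ignore
```

Run it with the static list as the first argument and redirect stdout over portsentry.ignore; anything it rejects is printed on stderr so a broken entry is noticed at start time instead of when a friendly host gets blocked.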
The startup options file specifies in which protocol modes portsentry should be started from /etc/init.d/portsentry. There are currently two options:
 - the TCP mode: either tcp, stcp or atcp (see portsentry.conf(5))
 - the UDP mode: either udp, sudp or audp (see portsentry.conf(5))

The options above correspond to portsentry's command-line arguments. For example, selecting atcp as the TCP mode has the same effect as starting portsentry with portsentry -atcp. Only one mode per protocol can be started at a time (i.e. one tcp and one udp mode).
/etc/portsentry/portsentry.conf - main configuration file
/etc/portsentry/portsentry.ignore - IP addresses to ignore
 - static IP addresses to ignore (the static ignore list in /etc/portsentry)
 - startup options (read by /etc/init.d/portsentry)
/etc/init.d/portsentry - script responsible for starting and stopping the daemon
 - blocked hosts (cleared upon reload)
 - history file

SEE ALSO
portsentry.conf(5), hosts_access(5), hosts_options(5),
route(8), ipfwadm(8), ipchains(8), iptables(8)
AUTHOR
portsentry was written by Craig H. Rowland.

This manual page was stitched together by Guido Guenther <firstname.lastname@example.org>
for the Debian GNU/Linux system (but may be used by others). Some parts are
cut and pasted from the original documentation.