.TH PORTSENTRY 8
.\" NAME should be all caps, SECTION should be 1-8, maybe w/ subsection
.\" other parms are allowed: see man(7), man(1)
.SH NAME
portsentry \- detect portscan activity
.SH SYNOPSIS
.B portsentry
.I "[ \-tcp | \-stcp | \-atcp ]"
.br
.B portsentry
.I "[ \-udp | \-sudp | \-audp ]"
.SH "DESCRIPTION"
This manual page documents briefly the
.BR portsentry
command.
This manual page was written for the Debian GNU/Linux distribution
because the original program does not have a manual page.
.PP
.B portsentry
is a program that tries to detect portscans on network interfaces,
including stealth scans.
On alarm, portsentry can block the scanning machine via
.I hosts.deny
(see
.BR hosts_access (5)),
a firewall rule (see
.BR ipfwadm (8),
.BR ipchains (8)
and
.BR iptables (8))
or a dropped route (see
.BR route (8)).
.SH OPTIONS
For details on the various modes see
.IR /usr/share/doc/portsentry/README.install .
.TP
.B \-tcp
TCP portscan detection on the ports listed under
.I TCP_PORTS
in the config file
.IR /etc/portsentry/portsentry.conf .
.TP
.B \-stcp
As above, but additionally detect stealth scans.
.TP
.B \-atcp
Advanced TCP or inverse mode: portsentry binds to all unused ports below
.I ADVANCED_PORTS_TCP
given in the config file
.IR /etc/portsentry/portsentry.conf .
.TP
.B \-udp
UDP portscan detection on the ports listed under
.I UDP_PORTS
in the config file
.IR /etc/portsentry/portsentry.conf .
.TP
.B \-sudp
As above, but additionally detect "stealth" scans.
.TP
.B \-audp
Advanced UDP or inverse mode: portsentry binds to all unused ports below
.I ADVANCED_PORTS_UDP
given in the config file
.IR /etc/portsentry/portsentry.conf .
.SH "CONFIGURATION FILES"
.B portsentry
keeps all its configuration files in
.BR /etc/portsentry .
.B portsentry.conf
is
.BR portsentry 's
main configuration file. See
.BR portsentry.conf (5)
for details.
The file
.B portsentry.ignore
contains a list of all hosts that are ignored if they connect to a
tripwired port.
It should contain at least localhost (127.0.0.1), 0.0.0.0 and the IP
addresses of all local interfaces.
Whole subnets can be ignored using address/netmask notation.
It is *not* recommended to put in every machine IP on your network.
It may be important for you to see who is connecting to you, even if it is
a "friendly" machine; this can help you detect internal host compromises faster.
Note that blocking is keyed on the source address of the offending packets,
which an attacker can forge, so hosts whose loss would hurt you (name
servers, the default gateway) belong in the ignore list as well.
If you use the
.I /etc/init.d/portsentry
script to start the daemon,
.B portsentry.ignore
is rebuilt on each start of the daemon from
.B portsentry.ignore.static
and all the IP addresses found on the machine via
.BR ifconfig .
.PP
.B /etc/default/portsentry
specifies in which protocol modes
.B portsentry
should be started from
.IR /etc/init.d/portsentry .
There are currently two options:
.TP
.B TCP_MODE=
either
.BR tcp ", " stcp " or " atcp " (see " OPTIONS " above)."
.TP
.B UDP_MODE=
either
.BR udp ", " sudp " or " audp " (see " OPTIONS " above)."
.PP
The options above correspond to portsentry's command-line arguments.
For example
.B TCP_MODE="atcp"
has the same effect as starting portsentry with
.BR portsentry " \-atcp" .
Only one mode per protocol can be started at a time (i.e. one TCP and
one UDP mode).
.SH "FILES"
.TP
.B /etc/portsentry/portsentry.conf
main configuration file
.TP
.B /etc/portsentry/portsentry.ignore
IP addresses to ignore
.TP
.B /etc/portsentry/portsentry.ignore.static
static IP addresses to ignore
.TP
.B /etc/default/portsentry
startup options
.TP
.B /etc/init.d/portsentry
script responsible for starting and stopping the daemon
.TP
.B /var/lib/portsentry/portsentry.blocked.*
blocked hosts (cleared upon reload)
.TP
.B /var/lib/portsentry/portsentry.history
history file
.LP
.SH "SEE ALSO"
.BR portsentry.conf (5),
.BR hosts_access (5),
.BR hosts_options (5),
.BR route (8),
.BR ipfwadm (8),
.BR ipchains (8),
.BR iptables (8),
.BR ifconfig (8),
.I /usr/share/doc/portsentry/README.install
.LP
.SH AUTHOR
.B portsentry
was written by Craig H. Rowland.
This manual page was stitched together by Guido Guenther, for the Debian
GNU/Linux system (but may be used by others). Some parts are just a cut and
paste from the original documentation.
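.SH EXAMPLE
The following POSIX shell script is an added example; it is not code from the
portsentry package or from its Debian init script. It shows the two mechanisms
described under CONFIGURATION FILES: rebuilding
.B portsentry.ignore
from
.B portsentry.ignore.static
plus the addresses of the local interfaces, and translating the
.B TCP_MODE
and
.B UDP_MODE
settings of
.I /etc/default/portsentry
into portsentry's command-line switches, refusing a value that is not valid for
that protocol. The function names, the preference for
.BR ip (8)
over
.BR ifconfig (8),
and the sample files in the demo are the example's own assumptions; file paths
are passed as parameters so it can be run against scratch copies.

```sh
#!/bin/sh
# Added example, not part of the portsentry package: rebuild portsentry.ignore
# as the Debian init script is described to, and map TCP_MODE/UDP_MODE from
# /etc/default/portsentry to portsentry switches. Function names, the ip(8)
# preference and the demo's sample files are assumptions of this example.

# Print the IPv4 address of every local interface, one per line.
# Uses ip(8) where available and falls back to ifconfig(8), handling both the
# old "inet addr:A.B.C.D" and the newer "inet A.B.C.D" output formats.
local_addrs() {
    if command -v ip >/dev/null 2>&1; then
        ip -4 -o addr show 2>/dev/null | awk '{print $4}' | cut -d/ -f1
    elif command -v ifconfig >/dev/null 2>&1; then
        ifconfig 2>/dev/null | awk '/inet / { sub(/^addr:/, "", $2); print $2 }'
    fi
}

# build_ignore STATIC OUT [ADDR...]
# Write OUT from the non-comment entries of STATIC plus the given addresses.
# 127.0.0.1 and 0.0.0.0 are always present; blank lines and duplicates are
# dropped so a host listed in both sources appears once.
build_ignore() {
    static=$1; out=$2; shift 2
    {
        echo 127.0.0.1
        echo 0.0.0.0
        if [ -r "$static" ]; then sed '/^[[:space:]]*#/d' "$static"; fi
        for a in "$@"; do echo "$a"; done
    } | sed '/^[[:space:]]*$/d' | awk '!seen[$0]++' > "$out"
}

# mode_arg PROTO VALUE
# Map a TCP_MODE/UDP_MODE value to the matching switch (atcp -> -atcp).
# A value that does not belong to PROTO (e.g. TCP_MODE="audp") or is
# unknown prints nothing and returns 1.
mode_arg() {
    case "$1:$2" in
        tcp:tcp|tcp:stcp|tcp:atcp|udp:udp|udp:sudp|udp:audp) echo "-$2" ;;
        *) return 1 ;;
    esac
}

# start_args DEFAULTS
# Read TCP_MODE/UDP_MODE from DEFAULTS (the /etc/default/portsentry syntax)
# and print the command the init script would run for each protocol, one
# per line. An empty mode is skipped; a bad one aborts with status 1, so a
# typo does not silently start the daemon in an unintended mode.
start_args() {
    TCP_MODE= UDP_MODE=
    [ -r "$1" ] && . "$1"
    for pair in "tcp:$TCP_MODE" "udp:$UDP_MODE"; do
        proto=${pair%%:*}; value=${pair#*:}
        [ -n "$value" ] || continue
        arg=$(mode_arg "$proto" "$value") || {
            echo "invalid ${proto}_MODE \"$value\" in $1" >&2
            return 1
        }
        echo "portsentry $arg"
    done
}

# Demo on constructed input: sh portsentry-helpers.sh demo
if [ "${1-}" = "demo" ]; then
    tmp=$(mktemp -d)
    printf '# trusted nets\n192.168.1.0/24\n127.0.0.1\n' > "$tmp/ignore.static"
    # word splitting of the address list is intended here
    build_ignore "$tmp/ignore.static" "$tmp/ignore" $(local_addrs)
    cat "$tmp/ignore"
    printf 'TCP_MODE="atcp"\nUDP_MODE="sudp"\n' > "$tmp/defaults"
    start_args "$tmp/defaults"
    rm -rf "$tmp"
fi
```

The generated ignore file is regenerated from the static list on every start, so
permanent exceptions belong in portsentry.ignore.static, never in
portsentry.ignore itself.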