NAME
portsentry - detect portscan activity

SYNOPSIS
portsentry [ -tcp | -stcp | -atcp ]
portsentry [ -udp | -sudp | -audp ]


DESCRIPTION
This manual page documents briefly the portsentry command. It was written for the Debian GNU/Linux distribution because the original program does not have a manual page.

portsentry is a program that tries to detect portscans on network interfaces, including "stealth" scans. On alarm, portsentry can block the scanning machine via hosts.deny (see hosts_access(5)), via a firewall rule (see ipfwadm(8), ipchains(8) and iptables(8)) or via a dropped route (see route(8)). Automatic blocking reacts to the source address of the offending packets; in the UDP modes and in the stealth TCP modes, which trigger on probes that never complete a handshake, that address can be spoofed, so an attacker can provoke the blocking of hosts you depend on (gateway, name servers). List such hosts in portsentry.ignore (see CONFIGURATION below).


OPTIONS
For details on the various modes see /usr/share/doc/portsentry/README.install

-tcp
tcp portscan detection on ports specified under TCP_PORTS in the config file /etc/portsentry/portsentry.conf.

-stcp
As above, but additionally detect "stealth" scans.

-atcp
Advanced tcp or inverse mode. portsentry binds to all unused ports below ADVANCED_PORTS_TCP given in the config file /etc/portsentry/portsentry.conf.

-udp
udp portscan detection on ports specified under UDP_PORTS in the config file /etc/portsentry/portsentry.conf.

-sudp
As above, but additionally detect "stealth" scans.

-audp
Advanced udp or inverse mode. portsentry binds to all unused ports below ADVANCED_PORTS_UDP given in the config file /etc/portsentry/portsentry.conf.


CONFIGURATION
portsentry keeps all its configuration files in /etc/portsentry. portsentry.conf is portsentry's main configuration file. See portsentry.conf(5) for details.

The file portsentry.ignore contains a list of all hosts that are ignored if they connect to a tripwired port. It should contain at least the localhost address (127.0.0.1) and the IP addresses of all local interfaces. You can ignore whole subnets by using the notation <IP Address>/<Netmask Bits>. It is *not* recommended to put in every machine IP on your network: it may be important for you to see who is connecting to you, even if it is a "friendly" machine, and this can help you detect internal host compromises faster.

If you use the /etc/init.d/portsentry script to start the daemon, portsentry.ignore is rebuilt on each start of the daemon from portsentry.ignore.static and all the IP addresses found on the machine via ifconfig. Put permanent entries in portsentry.ignore.static; manual edits to portsentry.ignore are lost at the next start.

/etc/default/portsentry specifies in which protocol modes portsentry should be started from /etc/init.d/portsentry. There are currently two options:

TCP_MODE
either tcp, stcp or atcp (see OPTIONS above).
UDP_MODE
either udp, sudp or audp (see OPTIONS above).

The options above correspond to portsentry's command-line arguments. For example, TCP_MODE=atcp has the same effect as starting portsentry with portsentry -atcp. Only one mode per protocol can be started at a time (i.e. one tcp and one udp mode).
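The following is an added example for the configuration described above; it is not part of portsentry or of the Debian init script. It is a small POSIX sh library that checks the TCP_MODE/UDP_MODE values in /etc/default/portsentry without sourcing the file, rebuilds portsentry.ignore from portsentry.ignore.static plus the local interface addresses, rejects malformed entries and flags entries that ignore a whole subnet. The function names, the validation rules and the use of ip(8) instead of ifconfig are assumptions of this example; the paths are the ones named in this manual page.

```shell
#!/bin/sh
# Added example (not part of portsentry or of the Debian init script): helper
# functions that validate the TCP_MODE/UDP_MODE values used by
# /etc/default/portsentry and rebuild portsentry.ignore from
# portsentry.ignore.static plus the addresses of the local interfaces.
# Assumptions: function names, the validation rules, and ip(8) as the address
# source; the paths are the ones named in portsentry(8).

IGNORE_STATIC=${IGNORE_STATIC:-/etc/portsentry/portsentry.ignore.static}
IGNORE_FILE=${IGNORE_FILE:-/etc/portsentry/portsentry.ignore}
DEFAULTS=${DEFAULTS:-/etc/default/portsentry}

# valid_mode PROTO MODE: succeed when MODE is an accepted value for PROTO
# (tcp: tcp|stcp|atcp, udp: udp|sudp|audp); only one mode per protocol runs.
valid_mode() {
    case "$1:$2" in
        tcp:tcp|tcp:stcp|tcp:atcp|udp:udp|udp:sudp|udp:audp) return 0 ;;
        *) return 1 ;;
    esac
}

# ignore_entry_ok ENTRY: accept "a.b.c.d" or "a.b.c.d/bits" (bits 0..32).
ignore_entry_ok() {
    addr=${1%%/*}
    bits=${1#*/}
    [ "$bits" = "$1" ] && bits=32        # no "/": a single host
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    case "$addr" in ''|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $addr                          # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# local_addrs: one IPv4 address per line for every configured interface
# (ip(8) replaces the ifconfig parsing done by the Debian init script).
local_addrs() {
    ip -o -4 addr show 2>/dev/null | awk '{ sub(/\/.*/, "", $4); print $4 }'
}

# build_ignore STATIC OUT [ADDR...]: write OUT from the non-comment lines of
# STATIC plus ADDR... (or the local_addrs output when no ADDR is given).
# Malformed entries are reported on stderr and dropped; subnet entries are
# flagged because ignoring whole networks hides internal compromises.
build_ignore() {
    static=$1; out=$2; shift 2
    tmp=$(mktemp) || return 1
    {
        [ -r "$static" ] && sed -e 's/#.*//' -e 's/^[[:space:]]*//' \
                                -e 's/[[:space:]]*$//' -e '/^$/d' "$static"
        if [ $# -gt 0 ]; then printf '%s\n' "$@"; else local_addrs; fi
    } | while IFS= read -r entry; do
        if ignore_entry_ok "$entry"; then
            printf '%s\n' "$entry"
            case "$entry" in */*) [ "${entry#*/}" -eq 32 ] ||
                echo "portsentry.ignore: '$entry' ignores a whole subnet" >&2 ;;
            esac
        else
            echo "portsentry.ignore: dropping malformed entry '$entry'" >&2
        fi
    done | LC_ALL=C sort -u > "$tmp" && mv "$tmp" "$out"
}

# check_defaults FILE: read TCP_MODE/UDP_MODE from FILE without sourcing it
# and verify that each names a mode portsentry accepts for that protocol.
check_defaults() {
    rc=0
    for pair in tcp:TCP_MODE udp:UDP_MODE; do
        proto=${pair%%:*}; var=${pair#*:}
        mode=$(sed -n "s/#.*//; s/^[[:space:]]*$var=//p" "$1" | tail -n 1 | tr -d "\"' ")
        if [ -z "$mode" ]; then
            echo "$1: $var is not set" >&2; rc=1
        elif ! valid_mode "$proto" "$mode"; then
            echo "$1: $var=$mode is not a valid $proto mode" >&2; rc=1
        fi
    done
    return $rc
}

# Usage from a local startup hook (assumed), before the daemon is launched:
#   check_defaults "$DEFAULTS" && build_ignore "$IGNORE_STATIC" "$IGNORE_FILE"
```

check_defaults parses the file with sed rather than sourcing it, so a stray command in /etc/default/portsentry is not executed by the check; build_ignore writes to a temporary file and renames it, so a half-written portsentry.ignore is never left behind if the script is interrupted.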


FILES
/etc/portsentry/portsentry.conf          main configuration file
/etc/portsentry/portsentry.ignore        IP addresses to ignore
/etc/portsentry/portsentry.ignore.static static IP addresses to ignore
/etc/default/portsentry                  startup options
/etc/init.d/portsentry                   script responsible for starting and stopping the daemon
blocked hosts (cleared upon reload)
history file


AUTHOR
portsentry was written by Craig H. Rowland <[email protected]>.

This manual page was stitched together by Guido Guenther <[email protected]> for the Debian GNU/Linux system (but may be used by others). Some parts are copied verbatim from the original documentation.