Provided by: portsentry_1.2-14build1_amd64 bug


       portsentry.conf - portsentry´s main configuration file


       This manual page documents briefly the format of portsentry´s(8) configuration file.


              A comma delimited string of TCP ports you want PortSentry to listen to. This string
              can NOT have any spaces in it. You  can  put  in  as  many  sockets  as  you  want.
              PortSentry will try to bind them all up until the default limit of 64.

              For  the  stealth  scan detection modes, the ports are not "bound" per se, but they
              are monitored at the socket level for connections.

              For the Advanced Stealth Scan Detection (see below) this list is *ignored*

              The same as above, except for UDP ports. You need to be very careful with UDP  mode
              as  an  attacker can forge a port sweep and make you block any number of hosts. Use
              this option with caution, or not at all if  your  host  is  a  well-known  Internet
              connected system.

              For the Advanced Stealth Scan Detection (see below) this list is *ignored*

              A  number indicating the highest port number to monitor down from. Any port *below*
              this number is then monitored. The default is 1024 (reserved port range),  but  can
              be  made as large as 65535 (system max). It's recommended going over 1024 with this

              Same as above, except for UDP.

              A comma delimited string of  TCP  ports  that  should  be  manually  excluded  from
              monitoring  in  Advanced mode. These are normally ports that may get hit by mistake
              by remote clients and shouldn't cause alarms (ident, SSL, etc).

              Same as above, except for UDP.

              The path to the file that contains IP addresses of hosts  you  want  to  always  be

              The path to the file that contains the IP addresses of blocked hosts.

       RESOLVE_HOST - This option turns off DNS resolution for
              hosts.  If  you  have  a  slow  DNS  server  it  may  be more effective to turn off

              This option disables all automatic responses to UDP probes.   Because  UDP  can  be
              easily forged, it may allow an attacker to start a denial of service attack against
              the protected host, causing it to block all manner of hosts that should normally be
              left  alone.  Setting  this  option to "0" will disable all responses, although the
              connects are still logged.  This option  is  mainly  useful  for  Internet  exposed
              hosts.  For  internal hosts you should leave this enabled. If someone internally is
              firing spoofed packets at you, then you have a much bigger problem than a denial of

              Same  as  above, but for TCP. Packet forgery is not as big a problem though because
              PortSentry waits for a full connect to occur and this is much harder  to  forge  in
              the basic modes. Leave this enabled, even for Internet connected hosts. For stealth
              scan detection modes the UDP warning applies:

                   An attacker can cause you to block hosts you don't want to      through packet
              forgery.  I wouldn't worry about this until it is a      problem, but you should be
              aware of it.

              This is the command to run to drop the offending route(see route(8)) if  an  attack
              is  detected. This is the *full path* to the route command along with the necessary
              parameters to make the command work. The macro $TARGET$ will  be  substituted  with
              the  attacking  host  IP  and  is REQUIRED in this option. Your gateway should be a
              *dead host* on the local subnet. On some systems though you can  just  put  in  the
              localhost  address  (  and  this will probably work. All packets from the
              target host will get routed to this address so don't mess  this  up.   More  modern
              route  commands  will  include a "-blackhole" or "-reject" flag.  Check your man(1)
              pages and if your route command supports this feature you should use  it  (although
              it's recommend using packet filtering instead, see below).

              Also  be  aware  that  this  creates what is known as an "asynchronous route" which
              basically means packets enter your host via one route and are sent out  on  another
              (dead)  route. This works OK for full TCP connect requests, but for UDP and stealth
              scan modes it still allows packets to activate PortSentry and you may get a  series
              of  "already blocked" alarms by PortSentry. For UDP scans this method prevents ICMP
              messages from returning to the attacker so all ports appear open. However,  if  the
              attacker  is  performing  an actual exploit with UDP the drop route method will not
              work.  The asynchronous route allows the packet to hit the system and the  attacker
              could  perform  a "blind" attack with UDP if they know what the responses are going
              to be.

              By far the best  method  is  to  use  the  local  packet  filter  (see  ipfwadm(8),
              ipchains(8),  or  iptables(8)).  This is a much cleaner solution and is detailed in
              the config file. The macro $PORT$ will substitute the port that was connected to by
              the  attacker,  but  this is NOT required for this option. The macro $MODE$ reports
              what mode the blocking occurred in (tcp, udp, stcp, sudp, atcp, audp) but  is  also
              NOT required.

              This is the format of the string to drop into the hosts.deny file that TCP wrappers
              uses(see hosts_access(5), and  hosts_options(5)).   Again  the  $TARGET$  macro  is
              expanded out to be the IP of the attacker and is required. You can also drop in any
              TCP wrapper escape codes here as well (%h,  twist,  etc).  The  macro  $PORT$  will
              substitute the port that was connected to by the attacker, but this is NOT required
              for this option.  The macro $MODE$ reports what mode the blocking occurred in (tcp,
              udp, stcp, sudp, atcp, audp) but is also NOT required.

              This  is  a command you want run *before* the route is dropped to the attacker. You
              can put in any program/script you want executed when  an  attack  is  detected.  WE
              every time you're are port scanned the host doing the scanning has been compromised
              itself.   Therefore,  if  you  retaliate  you are probably attacking an innocent(?)
              party. Also the goal of security is to make the person GO AWAY. You don't  want  to
              irritate  them  into  making  a personal vendetta against you.  Remember, even a 13
              year old can run a [insert favorite D.O.S. program here] attack  against  you  from
              their  Windows  box to make your life miserable. As above, the $TARGET$, $PORT$ and
              $MODE$ macros are available to you but they are not required with  this  option  as

              Setting  this  to  "1"  makes  the  command  above run before the route is dropped.
              Setting it to "0" makes the command run aftter the blocking has occurred.

              PortSentry has a state engine that  will  remember  hosts  that  connected  to  it.
              Setting this value will tell PortSentry to allow X number of grace port hits before
              it reacts. This will detect both sequential and random port sweeps. The default  is
              0  which  will  react  immediately.  A  setting of 1 or 2 will reduce false alarms,
              anything higher is probably too much as anything more  than  3  hits  to  different
              ports  is  pretty  suspicious behavior. Usually you can leave this at 0 without any
              consequence, with the exception of Advanced stealth scan detection modes where  you
              may create a "hair trigger" if you aren't careful. Use your own discretion.

              A  text  banner  you  want  displayed  to  the connecting host if the PortSentry is
              activated. Leave this commented out if you don't want this feature. If you  do  use
              it, try not to taunt the person too badly. It's recommended keeping it professional
              and to the point. The banner is *not* displayed when stealth scan  detection  modes
              are used.


       portsentry(8), hosts_access(5), hosts_options(5), route(8), ipfwadm(8), ipchains(8)



       portsentry was written by Craig H. Howland <>.

       This  manual  page  is essentially just a "cut and paste" from the README.install file and
       was done by Guido Guenther <>(hopefully without adding too many errors), for
       the Debian GNU/Linux system (but may be used by others).