Provided by: portsentry_1.2-14build1_amd64


       portsentry - detect portscan activity


       portsentry [ -tcp | -stcp | -atcp ]
       portsentry [ -udp | -sudp | -audp ]


       This  manual  page documents briefly the portsentry command.  This manual page was written
       for the Debian GNU/Linux distribution because the original program does not have a  manual

       portsentry  is  a  program  that  tries to detect portscans on network interfaces with the
       ability to detect stealth scans. On alarm portsentry can block the  scanning  machine  via
       hosts.deny  (see  hosts_access(5)),  firewall  rule  (see  ipfwadm(8),  ipchains(8)  and
       iptables(8)) or dropped route (see route(8)).


       For details on the various modes see /usr/share/doc/portsentry/README.install

       -tcp   tcp portscan detection on ports  specified  under  TCP_PORTS  in  the  config  file

       -stcp  As above but additionally detect stealth scans.

       -atcp  Advanced  tcp  or  inverse  mode.  Portsentry  binds  to  all  unused  ports  below
              ADVANCED_PORTS_TCP given in the config file /etc/portsentry/portsentry.conf.

       -udp   udp portscan detection on ports  specified  under  UDP_PORTS  in  the  config  file

       -sudp  As above but additionally detect "stealth" scans.

       -audp  Advanced  udp  or  inverse  mode.  Portsentry  binds  to  all  unused  ports  below
              ADVANCED_PORTS_UDP given in the config file /etc/portsentry/portsentry.conf.


       portsentry keeps all its  configuration  files  in  /etc/portsentry.   portsentry.conf  is
       portsentry's main configuration file. See portsentry.conf(5) for details.

       The file portsentry.ignore contains a list of all hosts that are ignored if they connect
       to a tripwired port. It should contain at least localhost and the IP addresses of all
       local interfaces. You can ignore whole subnets by using the notation
       <IP Address>/<Netmask Bits>. Putting in every machine IP on your network is *not*
       recommended. It may be important for you to see who is connecting to you, even if it is
       a "friendly" machine. This can help you detect internal host compromises faster.

       If you use the /etc/init.d/portsentry script to start the daemon, portsentry.ignore is
       rebuilt on each start of the daemon using portsentry.ignore.static and all the IP
       addresses found on the machine via ifconfig.
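
       The following is an added example, not part of the original manual page or of portsentry itself: a small audit of a portsentry.ignore file that reports unparsable entries, very broad subnets and missing local addresses. The sample file contents, the 256-address threshold and the treatment of '#' as a comment marker are assumptions made for the example.

```python
import ipaddress

# Constructed sample of a portsentry.ignore file (not taken from a real host).
SAMPLE_IGNORE = """\
# static entries
127.0.0.1/32
192.0.2.10
10.0.0.0/8
198.51.100.0/24
not-an-ip
"""

def parse_ignore(text):
    """Return (networks, bad_lines) parsed from portsentry.ignore-style text."""
    networks, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line:
            continue
        try:
            # strict=False also accepts entries with host bits set (192.0.2.10/24)
            networks.append((lineno, ipaddress.ip_network(line, strict=False)))
        except ValueError:
            bad.append((lineno, line))
    return networks, bad

def audit_ignore(text, local_addrs, max_addresses=256):
    """List findings: bad lines, overly broad subnets, missing local addresses.

    max_addresses is an assumed review threshold, not a portsentry setting.
    """
    networks, bad = parse_ignore(text)
    findings = [f"line {n}: unparsable entry {entry!r}" for n, entry in bad]
    for n, net in networks:
        if net.num_addresses > max_addresses:
            findings.append(f"line {n}: {net} ignores {net.num_addresses} addresses")
    # localhost plus every local interface address should be covered
    for addr in ["127.0.0.1", *local_addrs]:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for _, net in networks):
            findings.append(f"missing required address {addr}")
    return findings

if __name__ == "__main__":
    # 192.0.2.10 and 192.0.2.11 stand in for the host's interface addresses
    for finding in audit_ignore(SAMPLE_IGNORE, ["192.0.2.10", "192.0.2.11"]):
        print(finding)
```

       Broad entries are reported for review rather than rejected, since a scan from an ignored subnet never raises an alarm.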

       /etc/default/portsentry specifies in which protocol modes portsentry should be started
       from /etc/init.d/portsentry. There are currently two options:

       TCP_MODE
              either tcp, stcp or atcp (see OPTIONS above).

       UDP_MODE
              either udp, sudp or audp (see OPTIONS above).

       The options above correspond to portsentry's command-line arguments. For example,
       TCP_MODE="atcp" has the same effect as starting portsentry with portsentry -atcp. Only
       one mode per protocol can be started at a time (i.e. one tcp and one udp mode).


       /etc/portsentry/portsentry.conf main configuration file

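       /etc/portsentry/portsentry.ignore
              IP addresses to ignore

       /etc/portsentry/portsentry.ignore.static
              static IP addresses to ignore

       /etc/default/portsentry
              startup options

       /etc/init.d/portsentry
              script responsible for starting and stopping the daemon

              blocked hosts (cleared upon reload)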

              history file


       portsentry.conf(5),  hosts_access(5), hosts_options(5), route(8), ipfwadm(8), ipchains(8),
       iptables(8), ifconfig(8)



       portsentry was written by Craig H. Howland.

       This manual page was stitched together by Guido Guenther, for the Debian
       GNU/Linux system (but may be used by others). Some parts are just a cut and paste from the
       original documentation.