.TH PORTSENTRY 8
.\" NAME should be all caps, SECTION should be 1-8, maybe w/ subsection
.\" other parms are allowed: see man(7), man(1)
.SH NAME
portsentry \- detect portscan activity
.SH SYNOPSIS
.B portsentry
.I "[ \-tcp | \-stcp | \-atcp ]"
.br
.B portsentry
.I "[ \-udp | \-sudp | \-audp ]"
.SH "DESCRIPTION"
This manual page documents briefly the
.BR portsentry
command.
This manual page was written for the Debian GNU/Linux distribution
because the original program does not have a manual page.
.PP
.B portsentry
is a program that tries to detect portscans on network interfaces, including stealth scans. On alarm, portsentry can block the scanning machine via hosts.deny (see
.BR hosts_access (5)),
a firewall rule (see
.BR ipfwadm (8),
.BR ipchains (8)
and
.BR iptables (8))
or a dropped route (see
.BR route (8)).
.SH OPTIONS
For details on the various modes see
.IR /usr/doc/portsentry/README.install .
.TP
.B \-tcp
TCP portscan detection on ports specified under
.I TCP_PORTS
in the config file
.IR /etc/portsentry/portsentry.conf .
.TP
.B \-stcp
As above but additionally detect stealth scans.
.TP
.B \-atcp
Advanced TCP or inverse mode. Portsentry binds to all unused ports below
.I ADVANCED_PORTS_TCP
given in the config file
.IR /etc/portsentry/portsentry.conf .

.TP
.B \-udp
UDP portscan detection on ports specified under
.I UDP_PORTS
in the config file
.IR /etc/portsentry/portsentry.conf .
.TP
.B \-sudp
As above but additionally detect "stealth" scans.
.TP
.B \-audp
Advanced UDP or inverse mode. Portsentry binds to all unused ports below
.I ADVANCED_PORTS_UDP
given in the config file
.IR /etc/portsentry/portsentry.conf .

.SH "CONFIGURATION FILES"
.B portsentry
keeps all its configuration files in
.BR /etc/portsentry .
.B portsentry.conf
is
.BR portsentry 's
main configuration file. See
.BR portsentry.conf (5)
for details.

The file
.BR portsentry.ignore
contains a list of all hosts that are ignored if they connect to a tripwired port. It should contain at least localhost (127.0.0.1), 0.0.0.0 and the IP addresses of all local interfaces. Whole subnets can be ignored using the notation <IP Address>/<Netmask Bits>. It is *not* recommended to put every machine IP on your network into this file: it may be important for you to see who is connecting to you, even if it is a "friendly" machine. This can help you detect internal host compromises faster.

If you use the
.IR /etc/init.d/portsentry
script to start the daemon,
.BR portsentry.ignore
is rebuilt on each start of the daemon from
.BR portsentry.ignore.static
and all the IP addresses found on the machine via
.BR ifconfig .
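.PP
The rebuild step described above, as an added example that is not the Debian init script itself: it merges portsentry.ignore.static with the addresses of every local interface, always keeps 127.0.0.1 and 0.0.0.0, and writes the result atomically. Using ip(8) instead of ifconfig is an assumption of this example; the file paths are the ones named in this page.

```shell
#!/bin/sh
# Rebuild portsentry.ignore from portsentry.ignore.static plus the
# addresses of all local interfaces, as the init script is described to do.
# Added example, not the Debian init script. Paths are the ones named in
# this manual page; using `ip` rather than ifconfig is an assumption
# (ifconfig is absent on many current systems).
STATIC=/etc/portsentry/portsentry.ignore.static
IGNORE=/etc/portsentry/portsentry.ignore

# local_addrs: print the IPv4 address of every configured interface,
# one per line, with the prefix length stripped.
local_addrs() {
    ip -o -4 addr show 2>/dev/null | awk '{ sub(/\/.*/, "", $4); print $4 }'
}

# build_ignore STATIC_FILE ADDR...: print the merged ignore list.
# Static entries come first (comments, blank lines and trailing blanks
# dropped), then 127.0.0.1 and 0.0.0.0, which must always be present,
# then the interface addresses. Duplicates are removed; the first wins.
build_ignore() {
    static="$1"; shift
    {
        if [ -r "$static" ]; then
            grep -v '^[[:space:]]*#' "$static" || :
        fi
        printf '%s\n' 127.0.0.1 0.0.0.0 "$@"
    } | sed 's/[[:space:]]*$//' | grep -v '^$' | awk '!seen[$0]++'
}

# rebuild_ignore_file: write the merged list to IGNORE via a temporary
# file and rename, so the daemon never reads a half-written ignore list.
# $(local_addrs) is deliberately unquoted so each address is one argument.
rebuild_ignore_file() {
    tmp="$IGNORE.tmp.$$"
    build_ignore "$STATIC" $(local_addrs) > "$tmp" && mv "$tmp" "$IGNORE"
}

# Only touch /etc when explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "--write" ]; then
    rebuild_ignore_file
fi
```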

.BR /etc/default/portsentry
specifies in which protocol modes
.B portsentry
should be started from
.IR /etc/init.d/portsentry .
There are currently two options:
.TP
.B TCP_MODE=
either
.BR tcp ", " stcp " or " atcp " (see " OPTIONS " above)."
.TP
.B UDP_MODE=
either
.BR udp ", " sudp " or " audp " (see " OPTIONS " above)."

.PP
The options above correspond to portsentry's command-line arguments. For example,
.B TCP_MODE="atcp"
has the same effect as starting portsentry with
.BR "portsentry \-atcp" .
Only one mode per protocol can be started at a time (i.e. one TCP and one UDP mode).

.SH "FILES"
.TP
.BR /etc/portsentry/portsentry.conf
main configuration file
.TP
.BR /etc/portsentry/portsentry.ignore
IP addresses to ignore
.TP
.BR /etc/portsentry/portsentry.ignore.static
static IP addresses to ignore
.TP
.BR /etc/default/portsentry
startup options
.TP
.BR /etc/init.d/portsentry
script responsible for starting and stopping the daemon
.TP
.BR /var/lib/portsentry/portsentry.blocked.*
blocked hosts (cleared upon reload)
.TP
.BR /var/lib/portsentry/portsentry.history
history file
.LP
.SH "SEE ALSO"
.BR portsentry.conf (5),
.BR hosts_access (5),
.BR hosts_options (5),
.BR route (8),
.BR ipfwadm (8),
.BR ipchains (8),
.BR iptables (8),
.BR ifconfig (8)

.BR /usr/share/doc/portsentry/README.install
.LP
.SH AUTHOR
.B portsentry
was written by Craig H. Rowland
.B <crowland@users.sf.net>.

This manual page was stitched together by Guido Guenther <agx@debian.org>, for the Debian GNU/Linux system (but may be used by others). Some parts are just a cut and paste from the original documentation.