.TH PORTSENTRY 8
.\" NAME should be all caps, SECTION should be 1-8, maybe w/ subsection
.\" other parms are allowed: see man(7), man(1)
.SH NAME
portsentry \- detect portscan activity
.SH SYNOPSIS
.B portsentry
.I "[ \-tcp | \-stcp | \-atcp ]"
.br
.B portsentry
.I "[ \-udp | \-sudp | \-audp ]"
.SH "DESCRIPTION"
This manual page briefly documents the
.BR portsentry
command.
This manual page was written for the Debian GNU/Linux distribution
because the original program does not have a manual page.
.PP
.B portsentry
is a program that tries to detect portscans on network interfaces, with the ability to detect stealth scans. On alarm, portsentry can block the scanning machine via hosts.deny (see
.BR hosts_access (5)),
a firewall rule (see
.BR ipfwadm (8),
.BR ipchains (8)
and
.BR iptables (8))
or a dropped route (see
.BR route (8)).
.SH OPTIONS
For details on the various modes see
.IR /usr/doc/portsentry/README.install .
.TP
.B \-tcp
tcp portscan detection on the ports specified under
.I TCP_PORTS
in the config file
.IR /etc/portsentry/portsentry.conf .
.TP
.B \-stcp
As above, but additionally detect stealth scans.
.TP
.B \-atcp
Advanced tcp or inverse mode. Portsentry binds to all unused ports below
.I ADVANCED_PORTS_TCP
given in the config file
.IR /etc/portsentry/portsentry.conf .
.TP
.B \-udp
udp portscan detection on the ports specified under
.I UDP_PORTS
in the config file
.IR /etc/portsentry/portsentry.conf .
.TP
.B \-sudp
As above, but additionally detect "stealth" scans.
.TP
.B \-audp
Advanced udp or inverse mode. Portsentry binds to all unused ports below
.I ADVANCED_PORTS_UDP
given in the config file
.IR /etc/portsentry/portsentry.conf .
.SH "CONFIGURATION FILES"
.B portsentry
keeps all its configuration files in
.BR /etc/portsentry .
.B portsentry.conf
is
.BR portsentry 's
main configuration file. See
.BR portsentry.conf (5)
for details.
.PP
The file
.BR portsentry.ignore
contains a list of all hosts that are ignored if they connect to a tripwired
port. It should contain at least the localhost (127.0.0.1), 0.0.0.0 and the IP addresses of all local interfaces. You can ignore whole subnets by using the notation <IP Address>/<Netmask Bits>. It is *not* recommended to put in the IP of every machine on your network. It may be important for you to see who is connecting to you, even if it is a "friendly" machine. This can help you detect internal host compromises faster.
.PP
If you use the
.IR /etc/init.d/portsentry
script to start the daemon,
.BR portsentry.ignore
is rebuilt on each start of the daemon using
.BR portsentry.ignore.static
and all the IP addresses found on the machine via
.BR ifconfig .
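.PP
The rebuild step described above, as an added shell example that is not part of the Debian init script or of portsentry itself: it merges a static ignore list with the addresses of the local interfaces, always includes 127.0.0.1 and 0.0.0.0 as recommended, accepts only IPv4 addresses or <IP Address>/<Netmask Bits> entries, and drops duplicates. The function names, the preference for ip(8) over ifconfig(8) as the address source, and the write-to-a-temporary-file usage shown in the comments are assumptions, not the package's own behaviour.

```shell
#!/bin/sh
# Added example, not the Debian package's init script: rebuild a
# portsentry.ignore-style list from a static file plus local addresses.

# Print the IPv4 addresses of local interfaces, one per line. Prefers
# ip(8) when present and falls back to ifconfig(8), the tool the manual
# page names. Both output formats of ifconfig ("inet addr:1.2.3.4" and
# "inet 1.2.3.4") are handled. (Assumed helper, not from the page.)
local_addresses() {
    if command -v ip >/dev/null 2>&1; then
        ip -4 -o addr show | awk '{ sub(/\/.*/, "", $4); print $4 }'
    elif command -v ifconfig >/dev/null 2>&1; then
        ifconfig | awk '/inet / { sub(/^addr:/, "", $2); print $2 }'
    fi
}

# valid_entry ENTRY
#   Succeeds only for a dotted-quad IPv4 address, optionally followed by
#   /bits (0-32), so a hostname, comment or typo never reaches the ignore
#   file unchecked. Each octet is range-checked, not just shape-checked.
valid_entry() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { exit 0 }'
}

# build_ignore STATIC_FILE ADDR_FILE
#   Writes the merged, de-duplicated ignore list to stdout: the two
#   mandatory entries first, then the static file (comments skipped),
#   then the addresses. Invalid entries are reported on stderr and
#   skipped rather than silently copied in. First occurrence wins, so
#   ordering is stable across reruns.
build_ignore() {
    {
        printf '127.0.0.1\n0.0.0.0\n'
        grep -v '^[[:space:]]*#' "$1" || true   # file may be all comments
        cat "$2"
    } | while IFS= read -r entry; do
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -z "$entry" ] && continue
        if valid_entry "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'skipping invalid ignore entry: %s\n' "$entry" >&2
        fi
    done | awk '!seen[$0]++'
}

# Suggested invocation (assumed paths; write to a temporary file first so
# an interrupted rebuild never leaves a half-written ignore list):
#   local_addresses > /tmp/portsentry.addrs.$$
#   build_ignore /etc/portsentry/portsentry.ignore.static \
#       /tmp/portsentry.addrs.$$ > /etc/portsentry/portsentry.ignore.tmp \
#       && mv /etc/portsentry/portsentry.ignore.tmp /etc/portsentry/portsentry.ignore
```

Validating entries matters because a malformed line in the ignore file can either be ignored by the daemon (so a host you meant to whitelist gets blocked, possibly a local interface) or, depending on how loosely the line is parsed, match more than intended; rejecting it loudly at rebuild time surfaces the mistake before the daemon starts.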
.PP
.BR /etc/default/portsentry
specifies in which protocol modes
.B portsentry
should be started from
.IR /etc/init.d/portsentry .
There are currently two options:
.TP
.B TCP_MODE=
either
.BR tcp ", " stcp " or " atcp " (see " OPTIONS " above)."
.TP
.B UDP_MODE=
either
.BR udp ", " sudp " or " audp " (see " OPTIONS " above)."
.PP
The options above correspond to portsentry's command-line arguments. For example
.B TCP_MODE="atcp"
has the same effect as starting portsentry with
.BR portsentry " " \-atcp .
Only one mode per protocol can be started at a time (i.e. one tcp and one udp mode).
.SH "FILES"
.TP
.BR /etc/portsentry/portsentry.conf
main configuration file
.TP
.BR /etc/portsentry/portsentry.ignore
IP addresses to ignore
.TP
.BR /etc/portsentry/portsentry.ignore.static
static IP addresses to ignore
.TP
.BR /etc/default/portsentry
startup options
.TP
.BR /etc/init.d/portsentry
script responsible for starting and stopping the daemon
.TP
.BR /var/lib/portsentry/portsentry.blocked.*
blocked hosts (cleared upon reload)
.TP
.BR /var/lib/portsentry/portsentry.history
history file
.SH "SEE ALSO"
.BR portsentry.conf (5),
.BR hosts_access (5),
.BR hosts_options (5),
.BR route (8),
.BR ipfwadm (8),
.BR ipchains (8),
.BR iptables (8),
.BR ifconfig (8)
.PP
.BR /usr/share/doc/portsentry/README.install
.SH AUTHOR
.B portsentry
was written by Craig H. Rowland
.B <crowland@users.sf.net>.
.PP
This manual page was stitched together by Guido Guenther <agx@debian.org> for the Debian GNU/Linux system (but may be used by others). Some parts are just a cut and paste from the original documentation.