portsentry.conf - Man Page

A comma separated list of TCP ports you want to monitor. You can specify inclusive port ranges with a dash, e.g, 10-20 to include port 10 to 20.

TCP_PORTS=“10,20,30-40”

A comma separated list of UDP ports you want to monitor. You can specify inclusive port ranges with a dash, e.g, 10-20 to include port 10 to 20.

UDP_PORTS=“10,20,30-40”

Path to a file with IP addresses to ignore when logging and taking actions. Any IP/CIDR address in this file will be ignored. This is useful for ignoring local traffic or other trusted hosts.

This file contains all the IP addresses that have triggered the Portsentry detection engine in some way. See the https://github.com/portsentry/portsentry/blob/master/docs/HOWTO-Logfile.md HOWTO-Logfile\c  for more information on how to read this file.

When Portsentry’s action mechanism is used (BLOCK_TCP and/or BLOCK_UDP is set to 1 or 2, see below), this file will contain a list of all hosts that triggers an action. If a host is matched against this file no further action will be taken. Leaving this field as an empty string “” or not setting it will cause the action mechanism to always trigger when a scan is detected.

DNS Name resolution - Setting this to “1” will turn on DNS lookups for attacking hosts. Setting it to “0” (or any other value) will not perform DNS lookups. Default is “0”.

NOTE: Using DNS resolution can slow down the response time of Portsentry

This option controls how Portsentry reacts to a detected connection attempt.

0 = Do not block UDP/TCP scans. The detected connection attempt is only logged. This could be useful for monitoring purposes or use of an external tool, such as fail2ban. This option is the default.

NOTE: It is highly recommended to only log connection attempts (by using: BLOCK_TCP=“0” and BLOCK_UDP=“0”) and use an external tool such as fail2ban to block the attacking host based on the log file generated by Portsentry. The reason for this is that other tools are more sophisticated. For example, fail2ban will persist the blocked host across reboots.

1 = Block UDP/TCP scans. This option will block the attacking host after the scan is detected using the technique specified in the KILL_ROUTE and/or KILL_HOSTS_DENY section below. If KILL_ROUTE is defined, it will run first, followed by KILL_HOSTS_DENY if it is set. If the KILL_RUN_CMD option is set, the command will also be executed.

NOTE: These options are preserved as a legacy option for those who cannot use an external tool to block the attacking host or has some specific use-case, where this method is preferred.

2 = Run external command only (KILL_RUN_CMD). This option will only run the external command specified in the KILL_RUN_CMD

The KILL_ROUTE option is used to drop blacklist the attacking host. This can be done in a number of ways depending on your OS. The string TARGET is replaced with the attacking host.

KILL_ROUTE=“/usr/local/bin/iptables -I INPUT -s TARGET -j DROP”

This text will be dropped into the hosts.deny file for wrappers to use.

KILL_HOSTS_DENY=“ALL: TARGET”

This is a command that can be run when Portsentry is triggered, it can be whatever you want it to be.

The KILL_RUN_CMD_FIRST value should be set to “1” to force the command to run before the KILL_ROUTE/KILL_HOSTS_DENY is executed and should be set to “0” to make the command run after the blocking has occurred.

Enter the number of port connects from the same host you will allow before an alarm is given. The default is 0, which will react immediately.

When Portsentry is used in “connect” mode [Legacy option] you can specify a banner to be displayed to the connecting host. Once the banner is displayed, the connection will be closed.

View the example configuration file https://github.com/portsentry/portsentry/blob/master/examples/portsentry.conf portsentry.conf\c

/etc/portsentry/portsentry.conf

All bugs should be reported via the portsentry github issue tracker https://github.com/portsentry/portsentry/issues

Marcus Hufvudsson mh@protohuf.com\c

portsentry(8)

Portsentry is licensed under the BSD-2-Clause license.