PortSentry is designed to detect and respond to port scans against a
target host in real-time. Some of the more useful features include:

+ Runs on TCP and UDP sockets to detect port scans against your
system. PortSentry is configurable to run on multiple sockets at the
same time so you only need to start one copy to cover dozens of
+ PortSentry will react to a port scan attempt by blocking the host in
real-time. This is done through configured options of either dropping
the local route back to the attacker, using the Linux ipfwadm/ipchains
command, *BSD ipfw command, and/or dropping the attacker host IP into
a TCP Wrappers hosts.deny file automatically.
+ PortSentry has an internal state engine to remember hosts that
connected previously. This allows the setting of a trigger value to
prevent false alarms and detect "random" port probing.
+ PortSentry will report all violations to the local or remote syslog
daemons indicating the system name, time of attack, attacking host IP
and the TCP or UDP port a connection attempt was made to. When used
in conjunction with Logcheck it will provide an alert to
administrators through e-mail.
+ Once a scan is detected your system will turn into a blackhole and
disappear from the attacker. This feature stops most attacks cold.
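The state engine, trigger value and reaction described above, as an added illustration that is not PortSentry's own code: each host gets a per-host record of the distinct ports it has touched, a retry of the same port does not count towards the trigger, every attempt is rendered as a syslog-style line, and a host that reaches the trigger is written out as a TCP Wrappers hosts.deny entry. The host names, addresses and log format are constructed assumptions, not PortSentry's.

```python
import datetime
from collections import defaultdict

# Constructed sample connection attempts: (source_ip, protocol, port).
# 192.0.2.10 walks several ports; 198.51.100.5 only retries one port.
SAMPLE_EVENTS = [
    ("192.0.2.10", "TCP", 21),
    ("198.51.100.5", "TCP", 143),
    ("192.0.2.10", "TCP", 23),
    ("198.51.100.5", "TCP", 143),   # retry of the same port, not a scan
    ("192.0.2.10", "UDP", 161),
]


class ScanStateEngine:
    """Per-host state: count distinct (proto, port) probes; block at the trigger."""

    def __init__(self, trigger, hostname="host"):
        self.trigger = trigger          # distinct ports a host may touch before reacting
        self.hostname = hostname        # system name reported in each log line
        self.probed = defaultdict(set)  # ip -> {(proto, port), ...}
        self.blocked = set()
        self.syslog = []                # rendered syslog-style messages

    def connection_attempt(self, ip, proto, port, when=None):
        """Record one attempt; return 'already_blocked', 'logged' or 'blocked'."""
        if ip in self.blocked:          # blackholed hosts are not logged again
            return "already_blocked"
        when = when or datetime.datetime.now(datetime.timezone.utc)
        self.probed[ip].add((proto, port))
        self.syslog.append(
            f"{when:%b %d %H:%M:%S} {self.hostname} scan-detect: "
            f"attackalert: connect from {ip} to {proto} port {port}"
        )
        if len(self.probed[ip]) >= self.trigger:
            self.blocked.add(ip)
            return "blocked"
        return "logged"

    def hosts_deny_lines(self):
        """TCP Wrappers hosts.deny entries for every blocked host."""
        return [f"ALL: {ip}" for ip in sorted(self.blocked)]


def run_sample(trigger=2):
    """Feed the constructed events through the engine; return it and the reactions."""
    engine = ScanStateEngine(trigger, hostname="gateway")
    reactions = [engine.connection_attempt(ip, proto, port) for ip, proto, port in SAMPLE_EVENTS]
    return engine, reactions


if __name__ == "__main__":
    engine, reactions = run_sample()
    print(reactions)
    print("\n".join(engine.syslog + engine.hosts_deny_lines()))
```

With a trigger of 2 the scanning host is blocked on its second distinct port while the host that only retried one port is logged but never blocked.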