Psionic PortSentry for Mac OS X
PortSentry is a port scan detector that takes an active stance: it shuts down
attacking hosts while notifying administrators, and it is easy to configure
and start. Attacking hosts are denied access to your host by dropping local
routes, changing packet filter rules dynamically, or adding the host to a
TCP wrappers hosts.deny file, all in real time.
We here at OSXGNU.ORG highly recommend this package for ALL OSX
users!
License: Psionic Custom Public License
Related Packages: Psionic LogCheck
- Runs on TCP and UDP sockets to detect port scans
against your system. PortSentry is configurable to run on multiple
sockets at the same time so you only need to start one copy to
cover dozens of tripwired services.
- Stealth scan detection (Linux only right now).
PortSentry will detect SYN/half-open, FIN, NULL, X-MAS and oddball
packet stealth scans. Four stealth scan operation modes are
available for you to choose from.
- PortSentry will react to a port scan attempt by
blocking the host in real-time. This is done through configured
options of either dropping the local route back to the attacker,
using the Linux ipfwadm/ipchains command, *BSD ipfw command,
and/or dropping the attacker host IP into a TCP Wrappers
hosts.deny file automatically.
- PortSentry has an internal state engine to
remember hosts that connected previously. This allows the setting
of a trigger value to prevent false alarms and detect "random"
port probing.
- PortSentry will report all violations to the
local or remote syslog daemons indicating the system name, time of
attack, attacking host IP and the TCP or UDP port a connection
attempt was made to. When used in conjunction with Logcheck it will
provide an alert to administrators through e-mail.
- Once a scan is detected, your system will turn
into a blackhole and disappear from the attacker. This feature
stops most attacks cold.
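
The state engine and trigger value described in the list above, sketched as an added example (not PortSentry's own code): a simplified model that remembers hosts by connection count, blocks a host once it exceeds the trigger, and emits TCP Wrappers hosts.deny rules. The class and function names, the report wording and the sample events are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample input: (source IP, tripwired port) per connection attempt.
SAMPLE_EVENTS = [
    ("192.0.2.10", 23),
    ("198.51.100.7", 111),
    ("192.0.2.10", 79),
    ("192.0.2.10", 143),    # third attempt from this host
    ("198.51.100.7", 111),
    ("192.0.2.10", 540),    # host is already blocked by now
]


class ScanStateEngine:
    """Simplified model: remember hosts, block once the trigger is used up."""

    def __init__(self, trigger):
        self.trigger = trigger           # prior connections tolerated per host
        self.seen = defaultdict(int)     # host -> connections remembered so far
        self.blocked = []                # hosts blocked, in order of detection
        self.reports = []                # report messages (wording is made up)

    def observe(self, host, port):
        """Record one connection attempt and return the action taken."""
        if host in self.blocked:
            return "already-blocked"
        if self.seen[host] >= self.trigger:
            self.blocked.append(host)
            self.reports.append(f"scan-detect: host {host} blocked after "
                                f"connect to port {port}")
            return "blocked"
        self.seen[host] += 1
        return "noted"

    def hosts_deny_lines(self):
        """TCP Wrappers deny rules, one per blocked host."""
        return [f"ALL: {host}" for host in self.blocked]


def replay(events, trigger):
    """Feed events through a fresh engine; return (actions, engine)."""
    engine = ScanStateEngine(trigger)
    actions = [engine.observe(host, port) for host, port in events]
    return actions, engine


if __name__ == "__main__":
    actions, engine = replay(SAMPLE_EVENTS, trigger=2)
    print(actions, engine.hosts_deny_lines())
```

With a trigger of 0 the same events block both hosts on their first connection; a higher trigger tolerates a few stray connections before reacting, which is how the trigger value cuts down false alarms.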