Well, we have this gentoo guide for portsentry: This seem a bit dated.
I'd be curious for any information folks use including config file snippets
or deployment strategies, particularly in a multi-layered scheme. There is
only basic configuration/deployment ideas in /usr/share/doc/portsentry/.
Something newer/better than portsentry to watch
I'm building up a small soho with 5 static ips, including (2) dns servers,
mail and a small (less than 10 domains) webserver all in a "dmz' and the
then a few dozen systems behind a second firewall. Certainly the minimal
ports to leave open (via iptables on each of these servers systems) as
well as the specific list of which ports to set portsentry to monitor by
category (DNS(bind) :: Web(apache) :: mail(postfix)) would be keen.
Should I put the port scanning on the the systems behind the published
(routed) ip address too just to see what (if anythying) get thru? Nothing
but return traffic should get through to the lan (no ssh into lan systems
or such will be allowed).
Reference diagrams of typical soho (< 50 systems) are of keen interest
just to get some ideas. In fact suggestions on FOSS to use to draw up some
generic diagrams, a wee bit nicer than dia, would be keen suggestions too.
Tripwire vs AIDE?
Perhaps a iptables protecting the dmz systems and main gateway (single
homed) but a nftables  based firewall/gw/router to the internal lan?
Note: This is more of a project than a collection of simple (syntax) answers
to specific questions (although all information is appreciated just to
complete the discussion). Any sensitive information can be send to me
privately for assured confidence.
Your ideas are welcome,