Annotation of wikisrc/nsps/portsentry.conf, revision 1.1

1.1     ! jdf         1: # PortSentry Configuration
        !             2: #
        !             3: # IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
        !             4: # 
        !             5: # The default ports will catch a large number of common probes
        !             6: #
        !             7: # All entries must be in quotes.
        !             8: 
        !             9: 
        !            10: #######################
        !            11: # Port Configurations #
        !            12: #######################
        !            13: #
        !            14: #
        !            15: # Some example port configs for classic and basic Stealth modes
        !            16: #
        !            17: # I like to always keep some ports at the "low" end of the spectrum.
        !            18: # This will detect a sequential port sweep really quickly and usually
        !            19: # these ports are not in use (i.e. tcpmux port 1)
        !            20: #
        !            21: # ** X-Windows Users **: If you are running X on your box, you need to be sure
        !            22: # you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users). 
        !            23: # Doing so will prevent the X-client from starting properly. 
        !            24: #
        !            25: # These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
        !            26: #
        !            27: 
        !            28: # Un-comment these if you are really anal:
        !            29: TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
        !            30: #UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774,31337,54321"
        !            31: #
        !            32: # Use these if you just want to be aware:
        !            33: #TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
        !            34: UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
        !            35: #
        !            36: # Use these for just bare-bones
        !            37: #TCP_PORTS="1,11,15,110,111,143,540,635,1080,524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
        !            38: #UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
        !            39: 
        !            40: ###########################################
        !            41: # Advanced Stealth Scan Detection Options #
        !            42: ###########################################
        !            43: #
        !            44: # This is the number of ports you want PortSentry to monitor in Advanced mode.
        !            45: # Any port *below* this number will be monitored. Right now it watches 
        !            46: # everything below 1023. 
        !            47: # 
        !            48: # On many Linux systems you cannot bind above port 61000. This is because
        !            49: # these ports are used as part of IP masquerading. I don't recommend you
        !            50: # bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR 
        !            51: # OVER 1023 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
        !            52: # warned! Don't write me if you have a problem because I'll only tell
        !            53: # you to RTFM and don't run above the first 1023 ports.
        !            54: #
        !            55: #
        !            56: ADVANCED_PORTS_TCP="1023"
        !            57: ADVANCED_PORTS_UDP="1023"
        !            58: #
        !            59: # This field tells PortSentry what ports (besides listening daemons) to
        !            60: # ignore. This is helpful for services like ident, which services such
        !            61: # as FTP, SMTP, and wrappers look for but which you may not run (and probably
        !            62: # *shouldn't* IMHO). 
        !            63: #
        !            64: # By specifying ports here PortSentry will simply not respond to
        !            65: # incoming requests, in effect PortSentry treats them as if they are
        !            66: # actual bound daemons. The default ports are ones reported as 
        !            67: # problematic false alarms and should probably be left alone for
        !            68: # all but the most isolated systems/networks.
        !            69: #
        !            70: # Default TCP ident and NetBIOS service
        !            71: ADVANCED_EXCLUDE_TCP="113,139"
        !            72: # Default UDP route (RIP), NetBIOS, bootp broadcasts.
        !            73: ADVANCED_EXCLUDE_UDP="520,138,137,67"
        !            74: 
        !            75: 
        !            76: ######################
        !            77: # Configuration Files#
        !            78: ######################
        !            79: #
        !            80: # Hosts to ignore
        !            81: IGNORE_FILE="/usr/pkg/etc/portsentry.ignore"
        !            82: # Hosts that have been denied (running history)
        !            83: HISTORY_FILE="/usr/pkg/etc/portsentry.history"
        !            84: # Hosts that have been denied this session only (temporary until next restart)
        !            85: BLOCKED_FILE="/usr/pkg/etc/portsentry.blocked"
        !            86: 
        !            87: ###################
        !            88: # Response Options#
        !            89: ###################
        !            90: # Options to dispose of attacker. Each is an action that will 
        !            91: # be run if an attack is detected. If you don't want a particular
        !            92: # option then comment it out and it will be skipped.
        !            93: #
        !            94: # The variable $TARGET$ will be substituted with the target attacking
        !            95: # host when an attack is detected. The variable $PORT$ will be substituted
        !            96: # with the port that was scanned. 
        !            97: #
        !            98: ##################
        !            99: # Ignore Options #
        !           100: ##################
        !           101: # These options allow you to enable automatic response
        !           102: # options for UDP/TCP. This is useful if you just want
        !           103: # warnings for connections, but don't want to react for  
        !           104: # a particular protocol (i.e. you want to block TCP, but
        !           105: # not UDP). To prevent a possible Denial of service attack
        !           106: # against UDP and stealth scan detection for TCP, you may 
        !           107: # want to disable blocking, but leave the warning enabled. 
        !           108: # I personally would wait for this to become a problem before
        !           109: # doing so, though, as most attackers really aren't doing this.
        !           110: # The third option allows you to run just the external command
        !           111: # in case of a scan to have a pager script or such execute
        !           112: # but not drop the route. This may be useful for some admins
        !           113: # who want to block TCP, but only want pager/e-mail warnings
        !           114: # on UDP, etc.
        !           115: #
        !           116: # 
        !           117: # 0 = Do not block UDP/TCP scans.
        !           118: # 1 = Block UDP/TCP scans.
        !           119: # 2 = Run external command only (KILL_RUN_CMD)
        !           120: 
        !           121: BLOCK_UDP="1"
        !           122: BLOCK_TCP="1"
        !           123: 
        !           124: ###################
        !           125: # Dropping Routes:#
        !           126: ###################
        !           127: # This command is used to drop the route or add the host into
        !           128: # a local filter table. 
        !           129: #
        !           130: # The gateway (333.444.555.666) should ideally be a dead host on 
        !           131: # the *local* subnet. On some hosts you can also point this at
        !           132: # localhost (127.0.0.1) and get the same effect. NOTE THAT
        !           133: # 333.444.555.666 WILL *NOT* WORK. YOU NEED TO CHANGE IT!! (The enabled Generic BSD KILL_ROUTE below still uses it.)
        !           134: #
        !           135: # All KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
        !           136: # uncomment the correct line for your OS. If your OS is not listed
        !           137: # here and you have a route drop command that works then please
        !           138: # mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
        !           139: # CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
        !           140: #
        !           141: # NOTE: The route commands are the least optimal way of blocking
        !           142: # and do not provide complete protection against UDP attacks and
        !           143: # will still generate alarms for both UDP and stealth scans. I
        !           144: # always recommend you use a packet filter because they are made
        !           145: # for this purpose.
        !           146: #
        !           147: 
        !           148: # Generic 
        !           149: #KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
        !           150: 
        !           151: # Generic Linux 
        !           152: #KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
        !           153: 
        !           154: # Newer versions of Linux support the reject flag now. This 
        !           155: # is cleaner than the above option.
        !           156: #KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
        !           157: 
        !           158: # Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
        !           159: KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
        !           160: 
        !           161: # Generic Sun 
        !           162: #KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
        !           163: 
        !           164: # NEXTSTEP
        !           165: #KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"
        !           166: 
        !           167: # FreeBSD (Not well tested.)
        !           168: #KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
        !           169: 
        !           170: # Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
        !           171: #KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
        !           172: 
        !           173: # Generic HP-UX
        !           174: #KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
        !           175: 
        !           176: ##
        !           177: # Using a packet filter is the preferred method. The below lines
        !           178: # work well on many OS's. Remember, you can only uncomment *one*
        !           179: # KILL_ROUTE option.
        !           180: ##
        !           181: 
        !           182: # For those of you running Linux with ipfwadm installed you may like
        !           183: # this better as it drops the host into the packet filter.
        !           184: # You can only have one KILL_ROUTE turned on at a time though.
        !           185: # This is the best method for Linux hosts.
        !           186: #
        !           187: #KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
        !           188: #
        !           189: # This version does not log denied packets after activation
        !           190: #KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
        !           191: #
        !           192: # New ipchain support for Linux kernel version 2.102+
        !           193: #KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
        !           194: #
        !           195: # For those of you running FreeBSD (and compatible) you can
        !           196: # use their built in firewalling as well. 
        !           197: #
        !           198: #KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
        !           199: 
        !           200: ###############
        !           201: # TCP Wrappers#
        !           202: ###############
        !           203: # This text will be dropped into the hosts.deny file for wrappers
        !           204: # to use. There are two formats for TCP wrappers:
        !           205: #
        !           206: # Format One: Old Style - The default when extended host processing
        !           207: # options are not enabled.
        !           208: #
        !           209: KILL_HOSTS_DENY="ALL: $TARGET$"
        !           210: #
        !           211: # Format Two: New Style - The format used when extended option
        !           212: # processing is enabled. You can drop in extended processing
        !           213: # options, but be sure you escape all '%' symbols with a backslash
        !           214: # to prevent problems writing out (i.e. \%c \%h )
        !           215: #
        !           216: #KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
        !           217: 
        !           218: ###################
        !           219: # External Command#
        !           220: ###################
        !           221: # This is a command that is run when a host connects; it can be whatever
        !           222: # you want it to be (pager, etc.). This command is executed before the 
        !           223: # route is dropped. I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS
        !           224: # AGAINST THE HOST SCANNING YOU. TCP/IP is an *unauthenticated protocol*
        !           225: # and people can make scans appear out of thin air. The only time it
        !           226: # is reasonably safe (and I *never* think it is reasonable) to run
        !           227: # reverse probe scripts is when using the "classic" -tcp mode. This
        !           228: # mode requires a full connect and is very hard to spoof.
        !           229: #
        !           230: #KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"
        !           231: 
        !           232: 
        !           233: #####################
        !           234: # Scan trigger value#
        !           235: #####################
        !           236: # Enter in the number of port connects you will allow before an 
        !           237: # alarm is given. The default is 0 which will react immediately.
        !           238: # A value of 1 or 2 will reduce false alarms. Anything higher is 
        !           239: # probably not necessary. This value must always be specified, but
        !           240: # generally can be left at 0. 
        !           241: #
        !           242: # NOTE: If you are using the advanced detection option you need to
        !           243: # be careful that you don't make a hair trigger situation. Because
        !           244: # Advanced mode will react for *any* host connecting to a non-used
        !           245: # port below your specified range, you have the opportunity to really
        !           246: # break things. (i.e. someone innocently tries to connect to you via
        !           247: # SSL [TCP port 443] and you immediately block them). Some of you
        !           248: # may even want this though. Just be careful.
        !           249: #
        !           250: 
        !           251: SCAN_TRIGGER="0"
        !           252: 
        !           253: ######################
        !           254: # Port Banner Section#
        !           255: ######################
        !           256: #
        !           257: # Enter text in here you want displayed to a person tripping the PortSentry.
        !           258: # I *don't* recommend taunting the person as this will aggravate them.
        !           259: # Leave this commented out to disable the feature
        !           260: #
        !           261: # Stealth scan detection modes don't use this feature
        !           262: #
        !           263: #PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
        !           264: PORT_BANNER="** Unauthorized Access Prohibited ** Your Connection attempt has been logged . . . GO AWAY!!"
        !           265: 
        !           266: # EOF
