Annotation of wikisrc/nsps/portsentry.conf, revision 1.1
# PortSentry Configuration
#
# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
#
# The default ports will catch a large number of common probes
#
# All entries must be in quotes.


#######################
# Port Configurations #
#######################
#
#
# Some example port configs for classic and basic Stealth modes
#
# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#
# ** X-Windows Users **: If you are running X on your box, you need to be sure
# you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
# Doing so will prevent the X-client from starting properly.
#
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
#

# Un-comment these if you are really anal:
TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
#TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"

###########################################
# Advanced Stealth Scan Detection Options #
###########################################
#
# This is the number of ports you want PortSentry to monitor in Advanced mode.
# Any port *below* this number will be monitored. Right now it watches
# everything below 1023.
#
# On many Linux systems you cannot bind above port 61000. This is because
# these ports are used as part of IP masquerading. I don't recommend you
# bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
# OVER 1023 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
# warned! Don't write me if you have a problem because I'll only tell
# you to RTFM and don't run above the first 1023 ports.
#
#
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
#
# This field tells PortSentry what ports (besides listening daemons) to
# ignore. This is helpful for services like ident that services such
# as FTP, SMTP, and wrappers look for but you may not run (and probably
# *shouldn't* IMHO).
#
# By specifying ports here PortSentry will simply not respond to
# incoming requests; in effect PortSentry treats them as if they are
# actual bound daemons. The default ports are ones reported as
# problematic false alarms and should probably be left alone for
# all but the most isolated systems/networks.
#
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"


#######################
# Configuration Files #
#######################
#
# Hosts to ignore
IGNORE_FILE="/usr/pkg/etc/portsentry.ignore"
# Hosts that have been denied (running history)
HISTORY_FILE="/usr/pkg/etc/portsentry.history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/usr/pkg/etc/portsentry.blocked"

####################
# Response Options #
####################
# Options to dispose of attacker. Each is an action that will
# be run if an attack is detected. If you don't want a particular
# option then comment it out and it will be skipped.
#
# The variable $TARGET$ will be substituted with the target attacking
# host when an attack is detected. The variable $PORT$ will be substituted
# with the port that was scanned.
#
##################
# Ignore Options #
##################
# These options allow you to enable automatic response
# options for UDP/TCP. This is useful if you just want
# warnings for connections, but don't want to react for
# a particular protocol (i.e. you want to block TCP, but
# not UDP). To prevent a possible Denial of Service attack
# against UDP and stealth scan detection for TCP, you may
# want to disable blocking, but leave the warning enabled.
# I personally would wait for this to become a problem before
# doing so though, as most attackers really aren't doing this.
# The third option allows you to run just the external command
# in case of a scan to have a pager script or such execute
# but not drop the route. This may be useful for some admins
# who want to block TCP, but only want pager/e-mail warnings
# on UDP, etc.
#
#
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)

BLOCK_UDP="1"
BLOCK_TCP="1"

####################
# Dropping Routes: #
####################
# This command is used to drop the route or add the host into
# a local filter table.
#
# The gateway (333.444.555.666) should ideally be a dead host on
# the *local* subnet. On some hosts you can also point this at
# localhost (127.0.0.1) and get the same effect. NOTE THAT
# 333.444.555.666 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
#
# All KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
# uncomment the correct line for your OS. If your OS is not listed
# here and you have a route drop command that works then please
# mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
# CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
#
# NOTE: The route commands are the least optimal way of blocking
# and do not provide complete protection against UDP attacks and
# will still generate alarms for both UDP and stealth scans. I
# always recommend you use a packet filter because they are made
# for this purpose.
#

# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"

# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"

# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"

# FreeBSD (Not well tested.)
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"

# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"

# Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"

##
# Using a packet filter is the preferred method. The below lines
# work well on many OS's. Remember, you can only uncomment *one*
# KILL_ROUTE option.
##

# For those of you running Linux with ipfwadm installed you may like
# this better as it drops the host into the packet filter.
# You can only have one KILL_ROUTE turned on at a time though.
# This is the best method for Linux hosts.
#
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# This version does not log denied packets after activation
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
#
# New ipchains support for Linux kernel version 2.102+
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
#
# For those of you running FreeBSD (and compatible) you can
# use their built-in firewalling as well.
#
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"

################
# TCP Wrappers #
################
# This text will be dropped into the hosts.deny file for wrappers
# to use. There are two formats for TCP wrappers:
#
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
KILL_HOSTS_DENY="ALL: $TARGET$"
#
# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"

####################
# External Command #
####################
# This is a command that is run when a host connects; it can be whatever
# you want it to be (pager, etc.). This command is executed before the
# route is dropped. I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS
# AGAINST THE HOST SCANNING YOU. TCP/IP is an *unauthenticated protocol*
# and people can make scans appear out of thin air. The only time it
# is reasonably safe (and I *never* think it is reasonable) to run
# reverse probe scripts is when using the "classic" -tcp mode. This
# mode requires a full connect and is very hard to spoof.
#
#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"


######################
# Scan trigger value #
######################
# Enter in the number of port connects you will allow before an
# alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms. Anything higher is
# probably not necessary. This value must always be specified, but
# generally can be left at 0.
#
# NOTE: If you are using the advanced detection option you need to
# be careful that you don't make a hair trigger situation. Because
# Advanced mode will react for *any* host connecting to a non-used port
# below your specified range, you have the opportunity to really
# break things. (i.e. someone innocently tries to connect to you via
# SSL [TCP port 443] and you immediately block them). Some of you
# may even want this though. Just be careful.
#

SCAN_TRIGGER="0"

#######################
# Port Banner Section #
#######################
#
# Enter text in here you want displayed to a person tripping the PortSentry.
# I *don't* recommend taunting the person as this will aggravate them.
# Leave this commented out to disable the feature
#
# Stealth scan detection modes don't use this feature
#
#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
PORT_BANNER="** Unauthorized Access Prohibited ** Your Connection attempt has been logged . . . GO AWAY!!"

# EOF
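The comments in this file spell out several rules that PortSentry will not check for you (no spaces between port arguments, every value quoted, only one KILL_ROUTE uncommented, the 333.444.555.666 gateway placeholder replaced, no more than 1023 ports in Advanced mode). The following linter, an added example that is not part of the NetBSD wiki file or of PortSentry itself, parses the NAME="value" format used here and reports those mistakes; SAMPLE_CONF is a constructed excerpt, not the file above.

```python
import re

# Constructed excerpt in portsentry.conf format (not the NetBSD file); it carries the mistakes the comments warn about.
SAMPLE_CONF = """\
TCP_PORTS="1,11,15, 79,111"
ADVANCED_PORTS_TCP="2000"
KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
KILL_HOSTS_DENY="ALL: $TARGET$"
"""
ASSIGN = re.compile(r'^([A-Z_]+)=(.*)$')

def parse_conf(text):
    """Return (settings, active KILL_ROUTE values, parse problems); comments are skipped, values must be quoted."""
    settings, kill_routes, problems = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = ASSIGN.match(line)
        if not m:
            problems.append(f'line {lineno}: not a NAME="value" entry')
            continue
        name, value = m.groups()
        if len(value) < 2 or value[0] != '"' or value[-1] != '"':
            problems.append(f'line {lineno}: {name} value must be in quotes')
            continue
        settings[name] = value[1:-1]
        if name == 'KILL_ROUTE':
            kill_routes.append(value[1:-1])
    return settings, kill_routes, problems

def lint_conf(text):
    """Apply the checks the config's comments spell out; return a list of findings."""
    settings, kill_routes, problems = parse_conf(text)
    for name in ('TCP_PORTS', 'UDP_PORTS'):
        if ' ' in settings.get(name, ''):
            problems.append(f'{name}: no spaces allowed between port arguments')
    for name in ('ADVANCED_PORTS_TCP', 'ADVANCED_PORTS_UDP'):
        limit = settings.get(name, '0')
        if limit.isdigit() and int(limit) > 1023:
            problems.append(f'{name}: watching more than 1023 ports raises the false-alarm rate')
    if len(kill_routes) > 1:
        problems.append('only one KILL_ROUTE may be uncommented at a time')
    for route in kill_routes:
        if '333.444.555.666' in route:
            problems.append('KILL_ROUTE: placeholder gateway 333.444.555.666 must be changed')
        if '$TARGET$' not in route:
            problems.append('KILL_ROUTE: $TARGET$ missing, so the scanning host is never inserted')
    return problems
```

Run `lint_conf(open('/usr/pkg/etc/portsentry.conf').read())` against the installed file before starting PortSentry; an empty list means none of the documented mistakes were found.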