"Fossies" - the Fresh Open Source Software Archive

Member "portsentry-2.0b1/portsentry.conf" (8 Apr 2002, 9501 Bytes) of package /linux/privat/old/portsentry-2.0b1.tar.gz:


# PortSentry Configuration
#
# $Id: portsentry.conf,v 1.36 2002/04/08 19:11:05 crowland Exp crowland $
#
# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
#
# The default ports will catch a large number of common probes
#
# All entries must be in quotes.

###########################
# Interface Configurations#
###########################
# You can set the interface to monitor with this option. Examples include
# "eth0", "ep0", etc. You do not need to put in the dev directory path.
# If you leave this as "auto" PortSentry will attempt to monitor the
# primary interface automatically. Most people should leave this alone
# unless you have a multi-homed system (firewall, etc.) and want to monitor
# a particular interface only.
INTERFACE="auto"

# This MUST BE SET to the address of the interface being monitored on
# your system. It is NOT determined automatically in this version of
# PortSentry.
#INTERFACE_ADDRESS="XXX.XXX.XXX.XXX"


#######################
# Port Configurations #
#######################
#
#
# Some example port configs for stealth modes
#
# We like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#

# Un-comment these if you are really anal:
#TCP_PORTS="1,7,9,11,15,21,23,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,666,1080,1524,2000,2001,4000,4001,5631,5632,5742,6000,6001,6667,12345,12346,20034,27374,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320,54321"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,666,700,2049,5631,5632,31335,27444,34555,32770,32771,32772,32773,32774,31337"
#
# Use these if you just want to be aware (default):
TCP_PORTS="1,11,15,79,111,119,143,515,540,635,666,1080,1524,2000,6667,12345,12346,20034,27374,27665,31337,32771,32772,32773,32774,40421,49724,54320,54321"
UDP_PORTS="1,7,9,69,161,162,513,635,2049,27444,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,27374,31337,32771,32772,32773,32774,49724,54320,54321"
#UDP_PORTS="1,7,9,69,161,162,513,32770,32771,32772,32773,32774,31337,54321"
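The file's own rules (every entry quoted, no spaces inside a port list, only one active KILL_ROUTE) are easy to get wrong by hand. The following checker is an added example, not part of PortSentry or this file: it parses the `KEY="value"` format used above (tolerating the `KEY = "value"` spacing the file itself uses for RESOLVE_HOST) and reports the mistakes the comments warn about. The embedded configuration text is a constructed sample, not the shipped defaults.

```python
import re

# Constructed sample in the portsentry.conf format (not the shipped file).
SAMPLE_CONF = """\
# PortSentry Configuration (constructed sample)
INTERFACE="auto"
TCP_PORTS="1,11,15,79,111,119,143,515,540,635,666,1080,1524,2000,6667"
UDP_PORTS="1,7,9,69,161,162,513,635,2049"
RESOLVE_HOST = "0"
BLOCK_TCP="1"
BLOCK_UDP="1"
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP"
KILL_HOSTS_DENY="ALL: $TARGET$"
SCAN_TRIGGER="0"
"""

# One entry per line: KEY="value". Whitespace around '=' is tolerated
# because the shipped file writes RESOLVE_HOST = "0" that way.
LINE_RE = re.compile(r'^\s*([A-Z_]+)\s*=\s*"([^"]*)"\s*$')


def parse_conf(text):
    """Return (settings, problems).

    settings maps each key to the list of its values in file order, so a
    key that is active twice (e.g. two uncommented KILL_ROUTE lines)
    shows up as a list of length > 1. problems is a list of
    (line number, message) for entries that are not in quotes.
    """
    settings = {}
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out entry
        m = LINE_RE.match(line)
        if not m:
            problems.append((lineno, 'entry is not KEY="value" (all entries must be in quotes)'))
            continue
        key, value = m.groups()
        settings.setdefault(key, []).append(value)
    return settings, problems


def check_port_list(value):
    """Validate a TCP_PORTS/UDP_PORTS value: comma-separated, no spaces, 1-65535."""
    problems = []
    if " " in value:
        problems.append("spaces are not allowed between port arguments")
    for item in value.split(","):
        if not item.isdigit() or not 1 <= int(item) <= 65535:
            problems.append("bad port %r" % item)
    return problems


def validate(settings):
    """Apply the rules the file's comments state; return a list of messages."""
    problems = []
    for key in ("TCP_PORTS", "UDP_PORTS"):
        for value in settings.get(key, []):
            problems.extend("%s: %s" % (key, p) for p in check_port_list(value))
    if len(settings.get("KILL_ROUTE", [])) > 1:
        problems.append("KILL_ROUTE: only one KILL_ROUTE option may be active")
    for key in ("BLOCK_TCP", "BLOCK_UDP"):
        for value in settings.get(key, []):
            if value not in ("0", "1", "2"):
                problems.append("%s: must be 0, 1 or 2, got %r" % (key, value))
    return problems


if __name__ == "__main__":
    parsed, parse_problems = parse_conf(SAMPLE_CONF)
    for lineno, msg in parse_problems:
        print("line %d: %s" % (lineno, msg))
    for msg in validate(parsed):
        print(msg)
```

Run it against a real portsentry.conf by reading the file into `parse_conf` instead of `SAMPLE_CONF`; an empty result from both functions means the file obeys the rules stated in its header comments.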

######################
# Configuration Files#
######################
#
# Hosts to ignore
IGNORE_FILE="/usr/local/psionic/portsentry2/portsentry.ignore"
# Hosts that have been denied (running history)
HISTORY_FILE="/usr/local/psionic/portsentry2/portsentry.history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/usr/local/psionic/portsentry2/portsentry.blocked"

##############################
# Misc. Configuration Options#
##############################
#
# DNS Name resolution - Setting this to "1" will turn on DNS lookups
# for attacking hosts. Setting it to "0" (or any other value) will shut
# it off. Turning on this value can slow down PortSentry if a lot of attacks
# are coming in concurrently while it waits for the DNS resolution to return.
# This option can also alert an attacker to PortSentry's presence if they
# see DNS queries come to a nameserver they control after they initiate an
# attack. The default is to keep this off.
RESOLVE_HOST = "0"

###################
# Response Options#
###################
# Options to dispose of attacker. Each is an action that will
# be run if an attack is detected. If you don't want a particular
# option then comment it out and it will be skipped.
#
# The variable $TARGET$ will be substituted with the target attacking
# host when an attack is detected. The variable $PORT$ will be substituted
# with the port that was scanned. The variable $MODE$ will be substituted with
# the mode (TCP/UDP) that was used for the detect.
#
##################
# Ignore Options #
##################
# These options allow you to enable automatic response
# options for UDP/TCP. This is useful if you just want
# warnings for connections, but don't want to react for
# a particular protocol (i.e. you want to block TCP, but
# not UDP). To prevent a possible Denial of service attack
# against stealth scan detection for TCP, you may
# want to disable blocking, but leave the warning enabled.
# We personally would wait for this to become a problem before
# doing so, though, as most attackers really aren't doing this.
# The third option allows you to run just the external command
# in case of a scan to have a pager script or such execute
# but not drop the route. This may be useful for some admins
# who want to block TCP, but only want pager/e-mail warnings
# on UDP, etc.
#
#
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)

BLOCK_UDP="1"
BLOCK_TCP="1"

###################
# Dropping Routes:#
###################
# This command is used to drop the route or add the host into
# a local filter table.
#
# The gateway (XXX.XXX.XXX.XXX) should ideally be a dead host on
# the *local* subnet. On some hosts you can also point this at
# localhost (127.0.0.1) and get the same effect. NOTE THAT
# XXX.XXX.XXX.XXX WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
#
# ALL KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
# uncomment the correct line for your OS. If your OS is not listed
# here and you have a route drop command that works then please
# mail it to us so we can include it. ONLY ONE KILL_ROUTE OPTION
# CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
#
# NOTE: The route commands are the least optimal way of blocking
# and do not provide complete protection against UDP attacks and
# will still generate alarms for both UDP and stealth scans. We
# always recommend you use a packet filter because they are made
# for this purpose.
#

# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ XXX.XXX.XXX.XXX"

# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw XXX.XXX.XXX.XXX"

# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ XXX.XXX.XXX.XXX"

# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ XXX.XXX.XXX.XXX 1"

# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"

# FreeBSD
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"

# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"

# Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"

##
# Using a packet filter is the PREFERRED method. The below lines
# work well on many OS's. Remember, you can only uncomment *one*
# KILL_ROUTE option.
##

# ipfwadm support for Linux
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# ipfwadm support for Linux (no logging of denied packets)
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
#
# ipchain support for Linux
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
#
# ipchain support for Linux (no logging of denied packets)
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
#
# iptables support for Linux
#KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP"
#
# For those of you running FreeBSD (and compatible) you can
# use their built in firewalling as well.
#
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
#
#
# For those running ipf (OpenBSD, etc.)
# NOTE THAT YOU NEED TO CHANGE EXTERNAL_INTERFACE TO A VALID INTERFACE!!
#
#KILL_ROUTE="/bin/echo 'block in log on EXTERNAL_INTERFACE from $TARGET$/32 to any' | /sbin/ipf -f -"


###############
# TCP Wrappers#
###############
# This text will be dropped into the hosts.deny file for wrappers
# to use. There are two formats for TCP wrappers:
#
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
KILL_HOSTS_DENY="ALL: $TARGET$"

# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"

###################
# External Command#
###################
# This is a command that is run when a host connects; it can be whatever
# you want it to be (pager, etc.). This command is executed before the
# route is dropped or after depending on the KILL_RUN_CMD_FIRST option below
#
#
# WE NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS AGAINST THE HOST SCANNING
# YOU!
#
# TCP/IP is an *unauthenticated protocol* and people can make scans appear out
# of thin air. Do you really want to counter-attack an innocent third party?
# That could happen if you aren't careful.
#
# The KILL_RUN_CMD_FIRST value should be set to "1" to force the command
# to run *before* the blocking occurs and should be set to "0" to make the
# command run *after* the blocking has occurred.
#
#KILL_RUN_CMD_FIRST = "0"
#
#
#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$ $MODE$"

#####################
# Scan trigger value#
#####################
# Enter in the number of port connects you will allow before an
# alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms. Anything higher is
# probably not necessary. This value must always be specified, but
# generally can be left at 0.
#
SCAN_TRIGGER="0"
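The Response Options, External Command and Scan trigger sections together describe one decision: count connects per source until SCAN_TRIGGER is exceeded, skip hosts in the ignore file and hosts already blocked this session, then expand $TARGET$, $PORT$ and $MODE$ into KILL_RUN_CMD and KILL_ROUTE in the order KILL_RUN_CMD_FIRST selects, or run only the external command when BLOCK_* is "2". The model below is an added example of those documented semantics, not PortSentry's own code; the settings, the `/usr/local/bin/notify-admin` path and the probe events are constructed. It also shows the practical consequence of the "unauthenticated protocol" warning: the target is the packet's source address, so it is accepted only as an IP literal and the expanded commands are split into argv lists rather than handed to a shell.

```python
import ipaddress
import shlex

# Constructed settings using the keys documented in portsentry.conf
# (not the shipped defaults; the notify-admin path is hypothetical).
SETTINGS = {
    "BLOCK_TCP": "1",            # block TCP scans
    "BLOCK_UDP": "2",            # UDP: external command only, no route drop
    "SCAN_TRIGGER": "1",         # allow one connect before reacting
    "KILL_ROUTE": "/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP",
    "KILL_RUN_CMD": "/usr/local/bin/notify-admin $TARGET$ $PORT$ $MODE$",
    "KILL_RUN_CMD_FIRST": "1",   # notify before the block is installed
}
IGNORE_HOSTS = {"127.0.0.1", "192.0.2.10"}  # stand-in for portsentry.ignore

# Constructed probe events in arrival order: (source address, port, mode).
EVENTS = [
    ("198.51.100.7", 1, "TCP"),
    ("192.0.2.10", 111, "TCP"),   # listed in the ignore file
    ("198.51.100.7", 11, "TCP"),  # second connect: exceeds SCAN_TRIGGER=1
    ("203.0.113.9", 69, "UDP"),
    ("203.0.113.9", 161, "UDP"),  # second connect on UDP
    ("198.51.100.7", 15, "TCP"),  # already blocked this session
]


def is_valid_target(target):
    """Accept only an IP literal; a source address is untrusted input."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def expand(template, target, port, mode):
    """Substitute the three placeholders the config documents."""
    return (template.replace("$TARGET$", target)
                    .replace("$PORT$", str(port))
                    .replace("$MODE$", mode))


def response_commands(settings, target, port, mode):
    """Return the argv lists that would run for one detection, in order."""
    if not is_valid_target(target):
        raise ValueError("refusing non-literal target %r" % target)
    block = settings.get("BLOCK_" + mode, "0")
    if block == "0":
        return []  # warn only
    run = ([shlex.split(expand(settings["KILL_RUN_CMD"], target, port, mode))]
           if settings.get("KILL_RUN_CMD") else [])
    if block == "2":
        return run  # external command only
    drop = ([shlex.split(expand(settings["KILL_ROUTE"], target, port, mode))]
            if settings.get("KILL_ROUTE") else [])
    if settings.get("KILL_RUN_CMD_FIRST", "0") == "1":
        return run + drop
    return drop + run


def simulate(settings, events, ignore):
    """Replay events; return [(target, mode, [argv, ...]), ...] for each reaction."""
    trigger = int(settings.get("SCAN_TRIGGER", "0"))
    hits = {}
    blocked = set()  # stand-in for portsentry.blocked (this session only)
    actions = []
    for target, port, mode in events:
        if target in ignore or target in blocked:
            continue
        hits[target] = hits.get(target, 0) + 1
        if hits[target] <= trigger:
            continue  # still within the allowed connect count
        cmds = response_commands(settings, target, port, mode)
        if settings.get("BLOCK_" + mode) == "1":
            blocked.add(target)
        actions.append((target, mode, cmds))
    return actions


if __name__ == "__main__":
    for target, mode, cmds in simulate(SETTINGS, EVENTS, IGNORE_HOSTS):
        print(target, mode, cmds)
```

With these settings the TCP scanner is notified about and then dropped once, and its later connect is ignored because it is already in the session block list; the UDP scanner only triggers the notification, so a repeat from it would notify again, which is the trade-off the "2 = Run external command only" setting makes.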
  251 
  252 
  253