Untitled

a guest
Dec 2nd, 2012
# PortSentry Configuration
#
# $Id: portsentry.conf.Debian,v 1.6 2001/07/19 21:02:20 agx Exp $
#
# Original portsentry.conf by Craig H. Rowland <crowland@psionic.com>
# modified for Debian by Guido Guenther <agx@debian.org>
#
# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
#
# The default ports will catch a large number of common probes
#
# All entries must be in quotes.
#
# Review notes: lines marked NOTE(review) point out where the values that
# are active in this copy (ADVANCED_PORTS_*="65535", KILL_ROUTE and
# KILL_RUN_CMD both enabled, SCAN_TRIGGER="0") depart from the guidance in
# the original comments, and what to confirm before running it.


#######################
# Port Configurations #
#######################
#
#
# Some example port configs for classic and basic Stealth modes
#
# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#
# ** X-Windows Users **: If you are running X on your box, you need to be sure
# you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
# Doing so will prevent the X-client from starting properly.
#
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
#

# Un-comment these if you are really anal:
# NOTE(review): if you switch to one of the alternative lists, comment out
# the active TCP_PORTS/UDP_PORTS pair below as well; which of two
# uncommented duplicates wins is not documented in this file.
#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
# NOTE(review): 37444 in this list differs from 27444 in the fuller list
# above; this looks like a transposed digit - confirm which port is intended.
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"

###########################################
# Advanced Stealth Scan Detection Options #
###########################################
#
# This is the number of ports you want PortSentry to monitor in Advanced mode.
# Any port *below* this number will be monitored. The stock setting watches
# everything below 1024; this copy raises it to 65535 (see the note below).
#
# On many Linux systems you cannot bind above port 61000. This is because
# these ports are used as part of IP masquerading. I don't recommend you
# bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
# OVER 1024 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
# warned! Don't write me if you have a problem because I'll only tell
# you to RTFM and don't run above the first 1024 ports.
#
#
# NOTE(review): "65535" is far above the 1024 recommended above. In Advanced
# mode every unused port in that range becomes a trigger, and with
# SCAN_TRIGGER="0" and BLOCK_TCP/BLOCK_UDP="1" below, a single packet is
# enough to block its source address. Because a source address can be
# forged (see the External Command section), this lets a legitimate peer -
# resolver, gateway, monitoring host - end up blocked unless it is listed in
# IGNORE_FILE. Consider lowering this to 1024 as the original author advises,
# and populate the ignore file before enabling blocking.
ADVANCED_PORTS_TCP="65535"
ADVANCED_PORTS_UDP="65535"
#
# This field tells PortSentry what ports (besides listening daemons) to
# ignore. This is helpful for services like ident that services such
# as FTP, SMTP, and wrappers look for but you may not run (and probably
# *shouldn't* IMHO).
#
# By specifying ports here PortSentry will simply not respond to
# incoming requests, in effect PortSentry treats them as if they are
# actual bound daemons. The default ports are ones reported as
# problematic false alarms and should probably be left alone for
# all but the most isolated systems/networks.
#
# NOTE(review): with ADVANCED_PORTS_* at 65535, any service that starts
# listening after PortSentry does may not be exempted automatically;
# confirm that, and list such ports here if needed.
#
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"


######################
# Configuration Files#
######################
#
# Hosts to ignore
# NOTE(review): this host's own addresses, its resolvers and its gateways
# belong in here before blocking is enabled (see the ADVANCED_PORTS_* note).
IGNORE_FILE="/etc/portsentry/portsentry.ignore"
# Hosts that have been denied (running history)
HISTORY_FILE="/var/lib/portsentry/portsentry.history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/var/lib/portsentry/portsentry.blocked"

##############################
# Misc. Configuration Options#
##############################
#
# DNS Name resolution - Setting this to "1" will turn on DNS lookups
# for attacking hosts. Setting it to "0" (or any other value) will shut
# it off.
# NOTE(review): "0" keeps alerts to bare IP addresses and avoids a DNS
# lookup per event. If you enable it, treat the returned name as
# informational only - it is supplied by the remote side's reverse zone.
RESOLVE_HOST = "0"

###################
# Response Options#
###################
# Options to dispose of attacker. Each is an action that will
# be run if an attack is detected. If you don't want a particular
# option then comment it out and it will be skipped.
#
# The variable $TARGET$ will be substituted with the target attacking
# host when an attack is detected. The variable $PORT$ will be substituted
# with the port that was scanned.
#
##################
# Ignore Options #
##################
# These options allow you to enable automatic response
# options for UDP/TCP. This is useful if you just want
# warnings for connections, but don't want to react for
# a particular protocol (i.e. you want to block TCP, but
# not UDP). To prevent a possible Denial of service attack
# against UDP and stealth scan detection for TCP, you may
# want to disable blocking, but leave the warning enabled.
# I personally would wait for this to become a problem before
# doing so, though, as most attackers really aren't doing this.
# The third option allows you to run just the external command
# in case of a scan to have a pager script or such execute
# but not drop the route. This may be useful for some admins
# who want to block TCP, but only want pager/e-mail warnings
# on UDP, etc.
#
#
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)

BLOCK_UDP="1"
BLOCK_TCP="1"

###################
# Dropping Routes:#
###################
# This command is used to drop the route or add the host into
# a local filter table.
#
# The gateway (333.444.555.666) should ideally be a dead host on
# the *local* subnet. On some hosts you can also point this at
# localhost (127.0.0.1) and get the same effect. NOTE THAT
# 333.444.555.666 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
#
# ALL KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
# uncomment the correct line for your OS. If your OS is not listed
# here and you have a route drop command that works then please
# mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
# CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
#
# NOTE: The route commands are the least optimal way of blocking
# and do not provide complete protection against UDP attacks and
# will still generate alarms for both UDP and stealth scans. I
# always recommend you use a packet filter because they are made
# for this purpose.
#

# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"

# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
# NOTE(review): this is one of two blocking actions enabled in this copy;
# KILL_RUN_CMD (External Command section) also inserts iptables rules for
# the same $TARGET$. A reject route cuts this host's return path to the
# target rather than dropping what arrives from it, which is why the
# comments above prefer a packet filter. If the iptables command is the
# intended block, move it here as the KILL_ROUTE and retire this line.
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"

# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"

# FreeBSD
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"

# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"

# Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"

##
# Using a packet filter is the PREFERRED method. The below lines
# work well on many OS's. Remember, you can only uncomment *one*
# KILL_ROUTE option.
##

# ipfwadm support for Linux
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# ipfwadm support for Linux (no logging of denied packets)
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
#
# ipchain support for Linux
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
#
# ipchain support for Linux (no logging of denied packets)
#KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
#
# iptables support for Linux
#KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
#
# iptables support for Linux with limit and LOG support. Logs only
# a limited number of packets to avoid a denial of service attack.
# KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP && /sbin/iptables -I INPUT -s $TARGET$ -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level debug --log-prefix 'Portsentry: dropping: '"
#
# For those of you running FreeBSD (and compatible) you can
# use their built in firewalling as well.
#
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
#
#
# For those running ipfilt (OpenBSD, etc.)
# NOTE THAT YOU NEED TO CHANGE external_interface TO A VALID INTERFACE!!
#
#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/ipf -f -"


###############
# TCP Wrappers#
###############
# This text will be dropped into the hosts.deny file for wrappers
# to use. There are two formats for TCP wrappers:
#
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
#KILL_HOSTS_DENY="ALL: $TARGET$"

# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"

###################
# External Command#
###################
# This is a command that is run when a host connects, it can be whatever
# you want it to be (pager, etc.). This command is executed before the
# route is dropped or after depending on the KILL_RUN_CMD_FIRST option below
#
#
# I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS AGAINST THE HOST SCANNING
# YOU!
#
# TCP/IP is an *unauthenticated protocol* and people can make scans appear out
# of thin air. The only time it is reasonably safe (and I *never* think it is
# reasonable) to run reverse probe scripts is when using the "classic" -tcp mode.
# This mode requires a full connect and is very hard to spoof.
#
# The KILL_RUN_CMD_FIRST value should be set to "1" to force the command
# to run *before* the blocking occurs and should be set to "0" to make the
# command run *after* the blocking has occurred.
#
#KILL_RUN_CMD_FIRST = "0"
#
#
#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$ $MODE$"
# for examples see /usr/share/doc/portsentry/examples/

# NOTE(review): this is the iptables example from the Dropping Routes
# section used as the external command, so it runs in addition to the
# KILL_ROUTE reject route above. With -I each rule is inserted at the head
# of INPUT, so the LOG rule (inserted second) ends up ahead of the DROP rule
# and the 3/minute, burst 5 limit bounds the log volume per detection.
# KILL_RUN_CMD_FIRST is commented out above, so whether this runs before or
# after the route drop is the program's default rather than an explicit
# choice - confirm it and set it explicitly. The route and these rules are
# runtime state; like BLOCKED_FILE they are not re-applied after a restart
# unless something else restores them.
KILL_RUN_CMD="/sbin/iptables -I INPUT -s $TARGET$ -j DROP && /sbin/iptables -I INPUT -s $TARGET$ -m limit --limit 3/minute --limit-burst 5 -j LOG --log-prefix 'Portsentry: dropping: '"

#####################
# Scan trigger value#
#####################
# Enter in the number of port connects you will allow before an
# alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms. Anything higher is
# probably not necessary. This value must always be specified, but
# generally can be left at 0.
#
# NOTE: If you are using the advanced detection option you need to
# be careful that you don't make a hair trigger situation. Because
# Advanced mode will react for *any* host connecting to a non-used
# port below your specified range, you have the opportunity to
# really break things. (i.e. someone innocently tries to connect to
# you via SSL [TCP port 443] and you immediately block them). Some
# of you may even want this though. Just be careful.
#
# NOTE(review): "0" reacts on the first packet; combined with
# ADVANCED_PORTS_*="65535" this is exactly the hair-trigger case described
# above. A value of 1 or 2 is the cheapest way to reduce false blocks.
SCAN_TRIGGER="0"

######################
# Port Banner Section#
######################
#
# Enter text in here you want displayed to a person tripping the PortSentry.
# I *don't* recommend taunting the person as this will aggravate them.
# Leave this commented out to disable the feature
#
# Stealth scan detection modes don't use this feature
#
#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."

# EOF