that's just it, I'm having trouble understanding the configuration file.
I've read that and the readme, but not really understanding it.

On 26 Oct 2001, John Covici wrote:

> The only iptables specific thing you have to do with portsentry is to
> uncomment the kill_route line specific to iptables -- changing the
> path if necessary. Other questions may revolve around portsentry in
> general and for those you have to consult your /etc/services file and
> decide what you want to do with your system -- do you have a web
> server, mail server, etc.
>
> on Wed, 24 Oct 2001 22:53:16 -0400 (EDT) Deedra Waters <dmwaters at tampabay.rr.com> wrote:
>
> > I've read the documentation for portsentry, but am having a lot of
> > trouble getting it going. my main problems are with the portsentry.conf
> > file. I'm really confused as to how to get it going, and working correctly
> > with the iptables I have set up... if someone could help me with this I'd
> > appreciate it... I'm attaching the portsentry.conf file to this message...
> >
> > Like I said, I've read the readme files and the portsentry.conf file
> > itself, but am still really confused as to how to set it up and what to
> > comment and uncomment in it.
> > and what to change.
> >
> > # PortSentry Configuration
> > #
> > # $Id: portsentry.conf,v 1.23 2001/06/26 15:20:56 crowland Exp crowland $
> > #
> > # IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
> > #
> > # The default ports will catch a large number of common probes
> > #
> > # All entries must be in quotes.
> >
> >
> > #######################
> > # Port Configurations #
> > #######################
> > #
> > #
> > # Some example port configs for classic and basic Stealth modes
> > #
> > # I like to always keep some ports at the "low" end of the spectrum.
> > # This will detect a sequential port sweep really quickly and usually
> > # these ports are not in use (i.e. tcpmux port 1)
> > #
> > # ** X-Windows Users **: If you are running X on your box, you need to be sure
> > # you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
> > # Doing so will prevent the X-client from starting properly.
> > #
> > # These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
> > #
> >
> > # Un-comment these if you are really anal:
> > #TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
> > #UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321"
> > #
> > # Use these if you just want to be aware:
> > TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
> > UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
> > #
> > # Use these for just bare-bones
> > #TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
> > #UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
> >
> > ###########################################
> > # Advanced Stealth Scan Detection Options #
> > ###########################################
> > #
> > # This is the number of ports you want PortSentry to monitor in Advanced mode.
> > # Any port *below* this number will be monitored. Right now it watches
> > # everything below 1024.
> > #
> > # On many Linux systems you cannot bind above port 61000. This is because
> > # these ports are used as part of IP masquerading. I don't recommend you
> > # bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
> > # OVER 1024 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
> > # warned! Don't write me if you have a problem because I'll only tell
> > # you to RTFM and don't run above the first 1024 ports.
> > #
> > #
> > ADVANCED_PORTS_TCP="1024"
> > ADVANCED_PORTS_UDP="1024"
> > #
> > # This field tells PortSentry what ports (besides listening daemons) to
> > # ignore. This is helpful for services like ident that services such
> > # as FTP, SMTP, and wrappers look for but you may not run (and probably
> > # *shouldn't* IMHO).
> > #
> > # By specifying ports here PortSentry will simply not respond to
> > # incoming requests, in effect PortSentry treats them as if they are
> > # actual bound daemons. The default ports are ones reported as
> > # problematic false alarms and should probably be left alone for
> > # all but the most isolated systems/networks.
> > #
> > # Default TCP ident and NetBIOS service
> > ADVANCED_EXCLUDE_TCP="113,139"
> > # Default UDP route (RIP), NetBIOS, bootp broadcasts.
> > ADVANCED_EXCLUDE_UDP="520,138,137,67"
> >
> >
> > ######################
> > # Configuration Files#
> > ######################
> > #
> > # Hosts to ignore
> > IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
> > # Hosts that have been denied (running history)
> > HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"
> > # Hosts that have been denied this session only (temporary until next restart)
> > BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"
> >
> > ##############################
> > # Misc. Configuration Options#
> > ##############################
> > #
> > # DNS Name resolution - Setting this to "1" will turn on DNS lookups
> > # for attacking hosts. Setting it to "0" (or any other value) will shut
> > # it off.
> > RESOLVE_HOST = "1"
> >
> > ###################
> > # Response Options#
> > ###################
> > # Options to dispose of attacker. Each is an action that will
> > # be run if an attack is detected. If you don't want a particular
> > # option then comment it out and it will be skipped.
> > #
> > # The variable $TARGET$ will be substituted with the target attacking
> > # host when an attack is detected. The variable $PORT$ will be substituted
> > # with the port that was scanned.
> > #
> > ##################
> > # Ignore Options #
> > ##################
> > # These options allow you to enable automatic response
> > # options for UDP/TCP. This is useful if you just want
> > # warnings for connections, but don't want to react for
> > # a particular protocol (i.e. you want to block TCP, but
> > # not UDP). To prevent a possible Denial of service attack
> > # against UDP and stealth scan detection for TCP, you may
> > # want to disable blocking, but leave the warning enabled.
> > # I personally would wait for this to become a problem before
> > # doing though as most attackers really aren't doing this.
> > # The third option allows you to run just the external command
> > # in case of a scan to have a pager script or such execute
> > # but not drop the route. This may be useful for some admins
> > # who want to block TCP, but only want pager/e-mail warnings
> > # on UDP, etc.
> > #
> > #
> > # 0 = Do not block UDP/TCP scans.
> > # 1 = Block UDP/TCP scans.
> > # 2 = Run external command only (KILL_RUN_CMD)
> >
> > BLOCK_UDP="1"
> > BLOCK_TCP="1"
> >
> > ###################
> > # Dropping Routes:#
> > ###################
> > # This command is used to drop the route or add the host into
> > # a local filter table.
> > #
> > # The gateway (333.444.555.666) should ideally be a dead host on
> > # the *local* subnet. On some hosts you can also point this at
> > # localhost (127.0.0.1) and get the same effect. NOTE THAT
> > # 333.444.555.66 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
> > #
> > # ALL KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
> > # uncomment the correct line for your OS. If your OS is not listed
> > # here and you have a route drop command that works then please
> > # mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
> > # CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
> > #
> > # NOTE: The route commands are the least optimal way of blocking
> > # and do not provide complete protection against UDP attacks and
> > # will still generate alarms for both UDP and stealth scans. I
> > # always recommend you use a packet filter because they are made
> > # for this purpose.
> > #
> >
> > # Generic
> > #KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
> >
> > # Generic Linux
> > #KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
> >
> > # Newer versions of Linux support the reject flag now. This
> > # is cleaner than the above option.
> > #KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
> >
> > # Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
> > #KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
> >
> > # Generic Sun
> > #KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
> >
> > # NEXTSTEP
> > #KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"
> >
> > # FreeBSD
> > #KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
> >
> > # Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
> > #KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
> >
> > # Generic HP-UX
> > #KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
> >
> > ##
> > # Using a packet filter is the PREFERRED. The below lines
> > # work well on many OS's. Remember, you can only uncomment *one*
> > # KILL_ROUTE option.
> > ##
> >
> > # ipfwadm support for Linux
> > #KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
> > #
> > # ipfwadm support for Linux (no logging of denied packets)
> > #KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
> > #
> > # ipchain support for Linux
> > #KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
> > #
> > # ipchain support for Linux (no logging of denied packets)
> > #KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
> > #
> > # iptables support for Linux
> > #KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP"
> > #
> > # For those of you running FreeBSD (and compatible) you can
> > # use their built in firewalling as well.
> > #
> > #KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
> > #
> > #
> > # For those running ipfilt (OpenBSD, etc.)
> > # NOTE THAT YOU NEED TO CHANGE external_interface TO A VALID INTERFACE!!
> > #
> > #KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/ipf -f -"
> >
> >
> > ###############
> > # TCP Wrappers#
> > ###############
> > # This text will be dropped into the hosts.deny file for wrappers
> > # to use. There are two formats for TCP wrappers:
> > #
> > # Format One: Old Style - The default when extended host processing
> > # options are not enabled.
> > #
> > KILL_HOSTS_DENY="ALL: $TARGET$"
> >
> > # Format Two: New Style - The format used when extended option
> > # processing is enabled. You can drop in extended processing
> > # options, but be sure you escape all '%' symbols with a backslash
> > # to prevent problems writing out (i.e. \%c \%h )
> > #
> > #KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
> >
> > ###################
> > # External Command#
> > ###################
> > # This is a command that is run when a host connects, it can be whatever
> > # you want it to be (pager, etc.). This command is executed before the
> > # route is dropped or after depending on the KILL_RUN_CMD_FIRST option below
> > #
> > #
> > # I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS AGAINST THE HOST SCANNING
> > # YOU!
> > #
> > # TCP/IP is an *unauthenticated protocol* and people can make scans appear out
> > # of thin air. The only time it is reasonably safe (and I *never* think it is
> > # reasonable) to run reverse probe scripts is when using the "classic" -tcp mode.
> > # This mode requires a full connect and is very hard to spoof.
> > #
> > # The KILL_RUN_CMD_FIRST value should be set to "1" to force the command
> > # to run *before* the blocking occurs and should be set to "0" to make the
> > # command run *after* the blocking has occurred.
> > #
> > #KILL_RUN_CMD_FIRST = "0"
> > #
> > #
> > #KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"
> >
> >
> > #####################
> > # Scan trigger value#
> > #####################
> > # Enter in the number of port connects you will allow before an
> > # alarm is given. The default is 0 which will react immediately.
> > # A value of 1 or 2 will reduce false alarms. Anything higher is
> > # probably not necessary. This value must always be specified, but
> > # generally can be left at 0.
> > #
> > # NOTE: If you are using the advanced detection option you need to
> > # be careful that you don't make a hair trigger situation. Because
> > # Advanced mode will react for *any* host connecting to a non-used
> > # below your specified range, you have the opportunity to really
> > # break things. (i.e someone innocently tries to connect to you via
> > # SSL [TCP port 443] and you immediately block them). Some of you
> > # may even want this though. Just be careful.
> > #
> > SCAN_TRIGGER="0"
> >
> > ######################
> > # Port Banner Section#
> > ######################
> > #
> > # Enter text in here you want displayed to a person tripping the PortSentry.
> > # I *don't* recommend taunting the person as this will aggravate them.
> > # Leave this commented out to disable the feature
> > #
> > # Stealth scan detection modes don't use this feature
> > #
> > #PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
> >
> > # EOF
> --
> John Covici
> covici at ccs.covici.com
>
> _______________________________________________
> Speakup mailing list
> Speakup at braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
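A small lint for the attached portsentry.conf, added here as an example and not part of portsentry or of anyone's post: it parses the KEY="value" lines and checks the points John's advice turns on (exactly one KILL_ROUTE uncommented, its binary present at the path you set, the 333.444.555.666 placeholder gone, no spaces inside port lists) and shows the $TARGET$/$PORT$ substitution the file describes. The function names, the path_exists hook and the sample config are my own assumptions.

```python
import os
import re

# KEY="value" or KEY = "value" (RESOLVE_HOST uses the spaced form). A line
# starting with '#' never matches, so commented-out KILL_ROUTEs are ignored.
_LINE = re.compile(r'^\s*([A-Z_]+)\s*=\s*"(.*)"\s*$')
PLACEHOLDER = "333.444.555.666"

def parse_conf(text):
    """Active settings as (key, value) pairs; a list, not a dict, so that
    duplicate active KILL_ROUTE lines can be counted."""
    return [(m.group(1), m.group(2))
            for m in map(_LINE.match, text.splitlines()) if m]

def render(template, target, port):
    """Emulate the $TARGET$ / $PORT$ substitution the config describes."""
    return template.replace("$TARGET$", target).replace("$PORT$", str(port))

def lint(text, path_exists=os.path.exists):
    """Return a list of problems; an empty list means the config passes."""
    pairs = parse_conf(text)
    problems = []
    routes = [v for k, v in pairs if k == "KILL_ROUTE"]
    if not routes:
        problems.append("no KILL_ROUTE active: scans are logged, never blocked")
    elif len(routes) > 1:
        problems.append("%d KILL_ROUTE lines active; uncomment only one" % len(routes))
    for route in routes:
        binary = route.split()[0]
        if PLACEHOLDER in route:
            problems.append("KILL_ROUTE still uses the %s placeholder" % PLACEHOLDER)
        if binary.startswith("/") and not path_exists(binary):
            problems.append("KILL_ROUTE binary %s not found; fix the path" % binary)
    for key, value in pairs:
        if key.endswith("_PORTS") and " " in value:
            problems.append("%s has spaces between ports" % key)
    return problems

# Constructed sample: the Generic Linux route uncommented by mistake, the
# iptables line still commented out, and a stray space inside UDP_PORTS.
SAMPLE_BAD = '''TCP_PORTS="1,11,15,79,111"
UDP_PORTS="1,7, 9,69"
KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
#KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP"
RESOLVE_HOST = "1"
'''

if __name__ == "__main__":
    for problem in lint(SAMPLE_BAD):
        print("problem:", problem)
```

Run it against your real file with `lint(open("/usr/local/psionic/portsentry/portsentry.conf").read())`; on most Linux boxes iptables lives in /sbin, not /usr/local/bin, which is the path change John mentions.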