NAME
portsentry.conf - portsentry's main configuration file
DESCRIPTION
This manual page briefly documents the format of the configuration file
of portsentry(8).
OPTIONS
- TCP_PORTS
- A comma delimited string of TCP ports you want PortSentry
to listen to. This string can NOT have any spaces in it. You can put in as
many sockets as you want. PortSentry will try to bind them all up until
the default limit of 64.
For the stealth scan detection modes, the ports are not "bound"
per se, but they are monitored at the socket level for connections.
For the Advanced Stealth Scan Detection (see below) this list is *ignored*.
- UDP_PORTS
- The same as above, except for UDP ports. You need to be
very careful with UDP mode as an attacker can forge a port sweep and make
you block any number of hosts. Use this option with caution, or not at all
if your host is a well-known Internet connected system.
For the Advanced Stealth Scan Detection (see below) this list is *ignored*.
- ADVANCED_PORTS_TCP
- A number indicating the highest port number to monitor down
from. Any port *below* this number is then monitored. The default is 1024
(reserved port range), but can be made as large as 65535 (system max).
It's recommended going over 1024 with this option.
- ADVANCED_PORTS_UDP
- Same as above, except for UDP.
- ADVANCED_EXCLUDE_TCP
- A comma delimited string of TCP ports that should be
manually excluded from monitoring in Advanced mode. These are normally
ports that may get hit by mistake by remote clients and shouldn't cause
alarms (ident, SSL, etc.).
- ADVANCED_EXCLUDE_UDP
- Same as above, except for UDP.
- IGNORE_FILE
- The path to the file that contains IP addresses of hosts
you want to always be ignored.
- BLOCKED_FILE
- The path to the file that contains the IP addresses of
blocked hosts.
- RESOLVE_HOST
- This option turns off DNS resolution for hosts. If you have a slow DNS
server it may be more effective to turn off resolution.
- BLOCK_UDP
- This option disables all automatic responses to UDP probes.
Because UDP can be easily forged, it may allow an attacker to start a
denial of service attack against the protected host, causing it to block
all manner of hosts that should normally be left alone. Setting this
option to "0" will disable all responses, although the connects
are still logged. This option is mainly useful for Internet exposed hosts.
For internal hosts you should leave this enabled. If someone internally is
firing spoofed packets at you, then you have a much bigger problem than a
denial of service.
- BLOCK_TCP
- Same as above, but for TCP. Packet forgery is not as big a
problem though because PortSentry waits for a full connect to occur and
this is much harder to forge in the basic modes. Leave this enabled, even
for Internet connected hosts. For stealth scan detection modes the UDP
warning applies:
An attacker can cause you to block hosts you don't want to through packet
forgery. I wouldn't worry about this until it is a problem, but you
should be aware of it.
- KILL_ROUTE
- This is the command to run to drop the offending route (see
route(8)) if an attack is detected. This is the *full path* to the
route command along with the necessary parameters to make the command
work. The macro $TARGET$ will be substituted with the attacking
host IP and is REQUIRED in this option. Your gateway should be a *dead
host* on the local subnet. On some systems though you can just put in the
localhost address (127.0.0.1) and this will probably work. All packets
from the target host will get routed to this address so don't mess this
up. More modern route commands will include a "-blackhole" or
"-reject" flag. Check your man(1) pages and if your route
command supports this feature you should use it (although using packet
filtering instead is recommended, see below).
Also be aware that this creates what is known as an "asynchronous
route" which basically means packets enter your host via one route
and are sent out on another (dead) route. This works OK for full TCP
connect requests, but for UDP and stealth scan modes it still allows
packets to activate PortSentry and you may get a series of "already
blocked" alarms by PortSentry. For UDP scans this method prevents
ICMP messages from returning to the attacker so all ports appear open.
However, if the attacker is performing an actual exploit with UDP the drop
route method will not work. The asynchronous route allows the packet to
hit the system and the attacker could perform a "blind" attack
with UDP if they know what the responses are going to be.
By far the best method is to use the local packet filter (see
ipfwadm(8), ipchains(8), or iptables(8)). This is a
much cleaner solution and is detailed in the config file. The macro
$PORT$ will substitute the port that was connected to by the
attacker, but this is NOT required for this option. The macro $MODE$
reports what mode the blocking occurred in (tcp, udp, stcp, sudp, atcp,
audp) but is also NOT required.
- KILL_HOSTS_DENY
- This is the format of the string to drop into the
hosts.deny file that TCP wrappers uses (see hosts_access(5) and
hosts_options(5)). Again the $TARGET$ macro is expanded out
to be the IP of the attacker and is required. You can also drop in any TCP
wrapper escape codes here as well (%h, twist, etc). The macro
$PORT$ will substitute the port that was connected to by the
attacker, but this is NOT required for this option. The macro $MODE$
reports what mode the blocking occurred in (tcp, udp, stcp, sudp, atcp,
audp) but is also NOT required.
- KILL_RUN_CMD
- This is a command you want run *before* the route is
dropped to the attacker. You can put in any program/script you want
executed when an attack is detected. WE NEVER RECOMMEND PUTTING IN
RETALIATORY ACTION AGAINST AN ATTACKING HOST. Virtually every time you
are port scanned the host doing the scanning has been compromised itself.
Therefore, if you retaliate you are probably attacking an innocent(?)
party. Also the goal of security is to make the person GO AWAY. You don't
want to irritate them into making a personal vendetta against you.
Remember, even a 13 year old can run a [insert favorite D.O.S. program
here] attack against you from their Windows box to make your life
miserable. As above, the $TARGET$, $PORT$ and $MODE$
macros are available to you but they are not required with this option as
above.
- KILL_RUN_CMD_FIRST
- Setting this to "1" makes the command above run
before the route is dropped. Setting it to "0" makes the command
run after the blocking has occurred.
- SCAN_TRIGGER
- PortSentry has a state engine that will remember hosts that
connected to it. Setting this value will tell PortSentry to allow X number
of grace port hits before it reacts. This will detect both sequential and
random port sweeps. The default is 0 which will react immediately. A
setting of 1 or 2 will reduce false alarms, anything higher is probably
too much as anything more than 3 hits to different ports is pretty
suspicious behavior. Usually you can leave this at 0 without any
consequence, with the exception of Advanced stealth scan detection modes
where you may create a "hair trigger" if you aren't careful. Use
your own discretion.
- PORT_BANNER
- A text banner you want displayed to the connecting host if
PortSentry is activated. Leave this commented out if you don't want
this feature. If you do use it, try not to taunt the person too badly.
Keep it professional and to the point. The banner is
*not* displayed when stealth scan detection modes are used.
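The following script is an added example and is not part of PortSentry or of this manual page. It checks a portsentry.conf against the constraints stated in OPTIONS above: no spaces in TCP_PORTS/UDP_PORTS, at most 64 ports, the $TARGET$ macro present in KILL_ROUTE and KILL_HOSTS_DENY, a SCAN_TRIGGER no higher than 3, and BLOCK_UDP left at 1 while UDP ports are monitored. The two sample configs it writes, and the file paths and port lists in them, are constructed for illustration; the iptables form of KILL_ROUTE is the packet-filter approach the KILL_ROUTE entry recommends.

```shell
#!/bin/sh
# Added example, not part of PortSentry: lint a portsentry.conf against the
# constraints described in OPTIONS. Usage: sh check-portsentry-conf.sh FILE
# With no argument it writes two constructed samples to a temp dir and checks
# both. File paths and port lists in the samples are made up for illustration.

# Print the value of option $1 in file $2 with surrounding quotes removed.
# Prints nothing if the option is absent or commented out.
conf_get() {
    grep -- "^[[:space:]]*$1=" "$2" | head -n 1 | sed 's/^[^=]*=//; s/^"//; s/"$//'
}

# Print the number of comma-separated entries in $1 (0 for an empty string).
count_ports() {
    [ -z "$1" ] && echo 0 || printf '%s\n' "$1" | tr ',' '\n' | wc -l | tr -d ' '
}

# Check file $1. Prints one line per finding; the return code is the count.
check_config() {
    f=$1; n=0
    for proto in TCP UDP; do
        v=$(conf_get "${proto}_PORTS" "$f")
        case "$v" in
            *" "*) echo "${proto}_PORTS: contains a space (comma list, no spaces)"; n=$((n+1)) ;;
        esac
        if [ "$(count_ports "$v")" -gt 64 ]; then
            echo "${proto}_PORTS: more than 64 ports; PortSentry binds only up to 64"; n=$((n+1))
        fi
    done
    for opt in KILL_ROUTE KILL_HOSTS_DENY; do
        v=$(conf_get "$opt" "$f")
        case "$v" in
            "") ;;                 # option not set: nothing to check
            *'$TARGET$'*) ;;       # required macro present
            *) echo "$opt: the \$TARGET\$ macro is required"; n=$((n+1)) ;;
        esac
    done
    t=$(conf_get SCAN_TRIGGER "$f")
    case "$t" in
        ""|[0-3]) ;;
        *) echo "SCAN_TRIGGER=$t: more than 3 hits is already suspicious; 0, 1 or 2 is usual"; n=$((n+1)) ;;
    esac
    if [ "$(conf_get BLOCK_UDP "$f")" = 1 ] && [ -n "$(conf_get UDP_PORTS "$f")" ]; then
        echo "BLOCK_UDP=1: UDP is easily spoofed; on an Internet-exposed host use 0 (probes are still logged)"; n=$((n+1))
    fi
    return "$n"
}

# Write a deliberately flawed and a clean sample config into directory $1.
write_samples() {
    cat >"$1/bad.conf" <<'EOF'
# constructed sample: four problems
TCP_PORTS="1,11,15, 79,111"
UDP_PORTS="1,7,9,69"
BLOCK_UDP="1"
KILL_ROUTE="/sbin/iptables -I INPUT -s 192.0.2.1 -j DROP"
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
SCAN_TRIGGER="5"
EOF
    cat >"$1/good.conf" <<'EOF'
# constructed sample: clean
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,12345,31337"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,31337,54321"
ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
ADVANCED_EXCLUDE_TCP="113,139"
ADVANCED_EXCLUDE_UDP="520,138,137,67"
IGNORE_FILE="/etc/portsentry/portsentry.ignore"
BLOCKED_FILE="/var/lib/portsentry/portsentry.blocked"
RESOLVE_HOST="0"
BLOCK_UDP="0"
BLOCK_TCP="1"
KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
SCAN_TRIGGER="0"
EOF
}

if [ "$#" -eq 1 ]; then
    check_config "$1"
elif [ "$#" -eq 0 ]; then
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for c in bad good; do
        echo "== $c.conf"; check_config "$tmp/$c.conf" || echo "-- $? finding(s)"
    done
    rm -rf "$tmp"
fi
```

Run it against the live file before restarting PortSentry; the exit status equals the number of findings, so it can sit in a deployment check. The BLOCK_UDP finding is advisory: the BLOCK_UDP entry above says internal hosts should keep it enabled, so judge it against where the host sits.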
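For KILL_RUN_CMD and the $TARGET$/$PORT$/$MODE$ macros described above, here is an added example of a logging-only handler script; it is not PortSentry's code and the script path, ignore-file path and log path are assumptions. It treats the expanded $TARGET$ as untrusted input (it is whatever address the probing packet carried, which the BLOCK_UDP entry notes can be forged), validates it as a dotted-quad IPv4 address before writing it anywhere, honours the IGNORE_FILE list, and records the event. Following the KILL_RUN_CMD entry's advice, it takes no action against the remote host.

```shell
#!/bin/sh
# Added example, not part of PortSentry: a logging-only KILL_RUN_CMD handler.
# PortSentry expands the macros before running the command, so the
# (assumed) portsentry.conf line would be:
#   KILL_RUN_CMD="/usr/local/sbin/portsentry-event.sh $TARGET$ $PORT$ $MODE$"
# The paths below are assumptions; override them through the environment.
IGNORE_FILE="${PS_IGNORE_FILE:-/etc/portsentry/portsentry.ignore}"
EVENT_LOG="${PS_EVENT_LOG:-/var/log/portsentry-events.log}"

# Return 0 if $1 is a well-formed dotted-quad IPv4 address, else 1.
# The target comes from whoever sent the packet, so it is untrusted input
# and must be checked before it is placed in any command line or file.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.; set -- $1; unset IFS
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is listed in IGNORE_FILE (one address per line, '#' comments
# allowed). Exact match only; this example does not handle CIDR entries.
is_ignored() {
    [ -r "$IGNORE_FILE" ] || return 1
    grep -v '^[[:space:]]*#' "$IGNORE_FILE" | grep -qxF -- "$1"
}

# Append an audit line for the event and return: 0 logged as blocked,
# 1 target is on the ignore list, 2 target rejected as malformed.
# Deliberately no counter-action: the KILL_RUN_CMD entry advises against it.
handle_event() {
    target=$1 port=$2 mode=$3
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if ! valid_ipv4 "$target"; then
        # Log a sanitised copy so a crafted value cannot inject log lines.
        safe=$(printf '%s' "$target" | tr -c 'A-Za-z0-9.:_-' '?')
        printf '%s REJECT malformed target %s\n' "$stamp" "$safe" >>"$EVENT_LOG"
        return 2
    fi
    if is_ignored "$target"; then
        printf '%s IGNORED %s port=%s mode=%s\n' "$stamp" "$target" "$port" "$mode" >>"$EVENT_LOG"
        return 1
    fi
    printf '%s BLOCKED %s port=%s mode=%s\n' "$stamp" "$target" "$port" "$mode" >>"$EVENT_LOG"
    return 0
}

# Only act when invoked with the three macro arguments.
if [ "$#" -eq 3 ]; then
    handle_event "$1" "$2" "$3"
fi
```

Because KILL_RUN_CMD_FIRST decides whether this runs before or after the route is dropped, the log line is the only thing that must succeed here; anything that can block (DNS lookups, remote notifications) belongs in a separate job that reads EVENT_LOG, not in the handler PortSentry waits on.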
SEE ALSO
portsentry(8), hosts_access(5), hosts_options(5),
route(8), ipfwadm(8), ipchains(8)
/usr/share/doc/portsentry/README.install
AUTHOR
portsentry was written by Craig H. Rowland
<crowland@users.sf.net>.
This manual page is essentially just a "cut and paste" from the
README.install file and was done by Guido Guenther
<agx@debian.org> (hopefully without adding too many errors), for the
Debian GNU/Linux system (but may be used by others).