bionic (5) portsentry.conf.5.gz

Provided by: portsentry_1.2-14build1_amd64 bug

NAME

       portsentry.conf - portsentry´s main configuration file

DESCRIPTION

       This manual page documents briefly the format of portsentry´s(8) configuration file.

OPTIONS

       TCP_PORTS
              A  comma  delimited string of TCP ports you want PortSentry to listen to. This string can NOT have
              any spaces in it. You can put in as many sockets as you want. PortSentry will try to bind them all
              up until the default limit of 64.

              For  the stealth scan detection modes, the ports are not "bound" per se, but they are monitored at
              the socket level for connections.

              For the Advanced Stealth Scan Detection (see below) this list is *ignored*

       UDP_PORTS
              The same as above, except for UDP ports. You need to be very careful with UDP mode as an  attacker
              can  forge  a  port sweep and make you block any number of hosts. Use this option with caution, or
              not at all if your host is a well-known Internet connected system.

              For the Advanced Stealth Scan Detection (see below) this list is *ignored*

       ADVANCED_PORTS_TCP
              A number indicating the highest port number to monitor down from. Any port *below* this number  is
              then  monitored.  The  default  is  1024  (reserved port range), but can be made as large as 65535
              (system max). It's recommended going over 1024 with this option.

       ADVANCED_PORTS_UDP
              Same as above, except for UDP.

       ADVANCED_EXCLUDE_TCP
              A comma delimited string of TCP ports that should be manually excluded from monitoring in Advanced
              mode.  These  are normally ports that may get hit by mistake by remote clients and shouldn't cause
              alarms (ident, SSL, etc).

       ADVANCED_EXCLUDE_UDP
              Same as above, except for UDP.

       IGNORE_FILE
              The path to the file that contains IP addresses of hosts you want to always be ignored.

       BLOCKED_FILE
              The path to the file that contains the IP addresses of blocked hosts.

       RESOLVE_HOST - This option turns off DNS resolution for
              hosts. If you have a slow DNS server it may be more effective to turn off resolution.

       BLOCK_UDP
              This option disables all automatic responses to UDP probes.  Because UDP can be easily forged,  it
              may  allow  an attacker to start a denial of service attack against the protected host, causing it
              to block all manner of hosts that should normally be left alone. Setting this option to  "0"  will
              disable  all  responses, although the connects are still logged.  This option is mainly useful for
              Internet exposed hosts. For internal hosts you should leave this enabled. If someone internally is
              firing spoofed packets at you, then you have a much bigger problem than a denial of service.

       BLOCK_TCP
              Same as above, but for TCP. Packet forgery is not as big a problem though because PortSentry waits
              for a full connect to occur and this is much harder to  forge  in  the  basic  modes.  Leave  this
              enabled,  even  for  Internet  connected  hosts.  For stealth scan detection modes the UDP warning
              applies:

                   An attacker can cause you to block hosts you don't want to       through  packet  forgery.  I
              wouldn't worry about this until it is a      problem, but you should be aware of it.

       KILL_ROUTE
              This  is  the  command  to run to drop the offending route(see route(8)) if an attack is detected.
              This is the *full path* to the route command along with  the  necessary  parameters  to  make  the
              command work. The macro $TARGET$ will be substituted with the attacking host IP and is REQUIRED in
              this option. Your gateway should be a *dead host* on the local subnet. On some systems though  you
              can  just  put  in the localhost address (127.0.0.1) and this will probably work. All packets from
              the target host will get routed to this address so don't mess this up.  More modern route commands
              will  include a "-blackhole" or "-reject" flag.  Check your man(1) pages and if your route command
              supports this feature you should use it (although it's recommend using packet  filtering  instead,
              see below).

              Also  be  aware  that  this creates what is known as an "asynchronous route" which basically means
              packets enter your host via one route and are sent out on another (dead) route. This works OK  for
              full  TCP connect requests, but for UDP and stealth scan modes it still allows packets to activate
              PortSentry and you may get a series of "already blocked" alarms by PortSentry. For UDP scans  this
              method prevents ICMP messages from returning to the attacker so all ports appear open. However, if
              the attacker is performing an actual exploit with UDP the drop route method will  not  work.   The
              asynchronous  route  allows  the packet to hit the system and the attacker could perform a "blind"
              attack with UDP if they know what the responses are going to be.

              By far the best method is to  use  the  local  packet  filter  (see  ipfwadm(8),  ipchains(8),  or
              iptables(8)).   This  is  a  much  cleaner  solution and is detailed in the config file. The macro
              $PORT$ will substitute the port that was connected to by the attacker, but this  is  NOT  required
              for  this  option.  The  macro  $MODE$ reports what mode the blocking occurred in (tcp, udp, stcp,
              sudp, atcp, audp) but is also NOT required.

       KILL_HOSTS_DENY
              This is the format of the string to drop into the  hosts.deny  file  that  TCP  wrappers  uses(see
              hosts_access(5),  and hosts_options(5)).  Again the $TARGET$ macro is expanded out to be the IP of
              the attacker and is required. You can also drop in any TCP wrapper escape codes here as well  (%h,
              twist,  etc). The macro $PORT$ will substitute the port that was connected to by the attacker, but
              this is NOT required for this option.  The macro $MODE$ reports what mode the blocking occurred in
              (tcp, udp, stcp, sudp, atcp, audp) but is also NOT required.

       KILL_RUN_CMD
              This  is  a command you want run *before* the route is dropped to the attacker. You can put in any
              program/script you want executed when an  attack  is  detected.  WE  NEVER  RECOMMEND  PUTTING  IN
              RETALIATORY  ACTION  AGAINST  AN  ATTACKING HOST. Virtually every time you're are port scanned the
              host doing the scanning has been compromised itself.  Therefore, if you retaliate you are probably
              attacking  an  innocent(?)   party.  Also  the goal of security is to make the person GO AWAY. You
              don't want to irritate them into making a personal vendetta against you.  Remember, even a 13 year
              old  can  run a [insert favorite D.O.S. program here] attack against you from their Windows box to
              make your life miserable. As above, the $TARGET$, $PORT$ and $MODE$ macros are  available  to  you
              but they are not required with this option as above.

       KILL_RUN_CMD_FIRST
              Setting  this  to  "1"  makes the command above run before the route is dropped. Setting it to "0"
              makes the command run aftter the blocking has occurred.

       SCAN_TRIGGER
              PortSentry has a state engine that will remember hosts that connected to it.  Setting  this  value
              will  tell PortSentry to allow X number of grace port hits before it reacts. This will detect both
              sequential and random port sweeps. The default is 0 which will react immediately. A setting  of  1
              or  2  will reduce false alarms, anything higher is probably too much as anything more than 3 hits
              to different ports is pretty suspicious behavior. Usually you can leave  this  at  0  without  any
              consequence,  with  the  exception of Advanced stealth scan detection modes where you may create a
              "hair trigger" if you aren't careful. Use your own discretion.

       PORT_BANNER
              A text banner you want displayed to the connecting host if the PortSentry is activated. Leave this
              commented  out  if  you don't want this feature. If you do use it, try not to taunt the person too
              badly. It's recommended keeping it professional and to the point. The banner  is  *not*  displayed
              when stealth scan detection modes are used.

SEE ALSO

       portsentry(8), hosts_access(5), hosts_options(5), route(8), ipfwadm(8), ipchains(8)

       /usr/share/doc/portsentry/README.install

AUTHOR

       portsentry was written by Craig H. Howland <crowland@users.sf.net>.

       This manual page is essentially just a "cut and paste" from the README.install file and was done by Guido
       Guenther <agx@debian.org>(hopefully without adding too many errors), for the Debian GNU/Linux system (but
       may be used by others).

                                                                                              PORTSENTRY.CONF(5)