Linux PortSentry
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP=”113,139″
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP=”520,138,137,67″
ii ii ii ii ii ii ii ii ii ii ii ii ii ii ii ii ii ii ii mm
# Configuration Files#
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII It #
# Hosts to ignore
IGNORE_FILE=”/usr/psionic/portsentry/portsentry.ignore”
# Hosts that have been denied (running history)
HISTORY_FILE=”/usr/psionic/portsentry/portsentry.history”
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE=”/usr/psionic/portsentry/portsentry.blocked”
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
# Response Options*
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
# Options to dispose of attacker. Each is an action that will
# be run if an attack is detected. If you don’t want a particular
# option then comment it out and it will be skipped.
#
# The variable $TARGET$ will be substituted with the target attacking
# host when an attack is detected. The variable $PORT$ will be substituted
# with the port that was scanned.
#
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
# Ignore Options #
# These options allow you to enable automatic response
# options for UDP/TCP. This is useful if you just want
# warnings for connections, but don’t want to react for
# a particular protocol (i.e. you want to block TCP, but
# not UDP). To prevent a possible Denial of service attack
# against UDP and stealth scan detection for TCP, you may
# want to disable blocking, but leave the warning enabled.
# I personally would wait for this to become a problem before
# doing though as most attackers really aren’t doing this.
# The third option allows you to run just the external command
# in case of a scan to have a pager script or such execute
# but not drop the route. This may be useful for some admins
# who want to block TCP, but only want pager/e-mail warnings
# on UDP, etc.
#
#
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILLRUNCMD)
BLOCK_UDP=”1″ BLOCK_TCP=”1″
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
# Dropping Routes:#
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
# This command is used to drop the route or add the host into
# a local filter table.
#
# The gateway (333.444.555.666) should ideally be a dead host on
# the *local* subnet. On some hosts you can also point this at
# localhost (127.0.0.1) and get the same effect. NOTE THAT
# 333.444.555.66 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
#
# All KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
# uncomment the correct line for your OS. If you OS is not listed
# here and you have a route drop command that works then please
# mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
# CAN BE USED AT A TIME SO DON’T UNCOMMENT MULTIPLE LINES.
#
# NOTE: The route commands are the least optimal way of blocking
# and do not provide complete protection against UDP attacks and
# will still generate alarms for both UDP and stealth scans. I
# always recommend you use a packet filter because they are made
# for this purpose.
#