Linux PortSentry
# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"
# FreeBSD (Not well tested.)
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
# Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
##
# Using a packet filter is the preferred method. The below lines
# work well on many OS's. Remember, you can only uncomment *one*
# KILL_ROUTE option.
##
##################
# TCP Wrappers#
##################
# This text will be dropped into the hosts.deny file for wrappers
# to use. There are two formats for TCP wrappers:
#
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
KILL_HOSTS_DENY="ALL:$TARGET$"
#
# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
######################################
# External Command#
######################################
# This is a command that is run when a host connects; it can be whatever
# you want it to be (pager, etc.). This command is executed before the
# route is dropped. I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS
# AGAINST THE HOST SCANNING YOU. TCP/IP is an *unauthenticated protocol*
# and people can make scans appear out of thin air. The only time it
# is reasonably safe (and I *never* think it is reasonable) to run
# reverse probe scripts is when using the "classic" -tcp mode. This
# mode requires a full connect and is very hard to spoof.
#
#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"
# Scan trigger value#
# Enter in the number of port connects you will allow before an
# alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms. Anything higher is
# probably not necessary. This value must always be specified, but
# generally can be left at 0.
#
# NOTE: If you are using the advanced detection option you need to
# be careful that you don't make a hair-trigger situation. Because
# Advanced mode will react for *any* host connecting to a non-used port
# below your specified range, you have the opportunity to really
# break things (i.e. someone innocently tries to connect to you via
# SSL [TCP port 443] and you immediately block them). Some of you
# may even want this though. Just be careful.
#
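As an added example that is not part of PortSentry or its configuration file, a small Python checker for the KILL_* and SCAN_TRIGGER options above: it confirms that exactly one KILL_ROUTE is uncommented, that the 333.444.555.666 dead-host placeholder has been replaced, that any '%' in a new-style KILL_HOSTS_DENY is escaped, that SCAN_TRIGGER is numeric, and it renders the $TARGET$/$PORT$ substitution while refusing anything that is not a literal IP address. The sample conf text and the address 198.51.100.7 are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample: one commented-out line plus the active options of a finished conf.
SAMPLE_CONF = """\
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
SCAN_TRIGGER="0"
"""

# Matches only uncommented assignments of the options this check cares about.
ASSIGN_RE = re.compile(r'^\s*(KILL_ROUTE|KILL_HOSTS_DENY|SCAN_TRIGGER)\s*=\s*"([^"]*)"')

def parse_active(conf_text):
    """Map each option to the list of values set on non-comment lines."""
    active = {}
    for line in conf_text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            active.setdefault(m.group(1), []).append(m.group(2))
    return active

def lint(conf_text):
    """Return a list of problems; an empty list means the templates look sane."""
    active = parse_active(conf_text)
    problems = []
    routes = active.get("KILL_ROUTE", [])
    if len(routes) != 1:  # the conf allows exactly one uncommented KILL_ROUTE
        problems.append(f"expected one active KILL_ROUTE, found {len(routes)}")
    for route in routes:
        if "333.444.555.666" in route:  # dead-host placeholder never replaced
            problems.append("KILL_ROUTE still contains 333.444.555.666")
    for deny in active.get("KILL_HOSTS_DENY", []):
        if re.search(r"(?<!\\)%", deny):  # new-style '%' options must be written \%
            problems.append("KILL_HOSTS_DENY has an unescaped '%'")
    trigger = active.get("SCAN_TRIGGER", [])
    if not trigger or not trigger[-1].isdigit():
        problems.append("SCAN_TRIGGER must be a number (0 reacts immediately)")
    return problems

def render(template, target, port=0):
    """Expand $TARGET$/$PORT$; return None rather than pass a non-address to a shell."""
    try:
        ipaddress.ip_address(target)  # $TARGET$ must be a literal IP address
    except ValueError:
        return None
    return template.replace("$TARGET$", target).replace("$PORT$", str(port))
```

Run `lint(open("/etc/portsentry/portsentry.conf").read())` against a real file; an empty list means the kill templates pass these checks.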