I have a few questions about portsentry on Eigersteinbeta2. The firewall
runs on an old 486DX266 with 16MB of RAM and works beautifully (all fans
disabled BTW):
1) Currently when I boot the LRP box the psentry process(es) should init
last but usually don't run. I always get a "no more processes at this
runlevel" message. Usually this happens before either psentry process
starts, sometimes one does get to run. I always have to remember to boot,
then once it's up do a "/etc/init.d/psentry restart":
# ./psentry restart
/usr/sbin/portsentry -stcp started pid [1312]
/usr/sbin/portsentry -udp started pid [1337]
This always works and two psentry processes begin, one each for TCP and UDP.
Any idea on how to make psentry boot fully without user interaction? What
can cause the "no more processes..." message?
2) When I do a port scan for example from www.vulnerabilities.org, my logs
fill up with deny's that eventually overflow my ramdisk. Here's what the
/var/psentry/history log shows:
"995052400 - 07/13/2001 13:26:40 Host: www.vulnerabilities.org/199.78.61.254
Port: 1524 TCP Blocked"
The issue appears to be that psentry didn't block the scanner until port
1524 was tried. I have selected the anal port config in portsentry.conf.
These are:
# Un-comment these if you are really anal:
TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774,31337,54321"
As you can see portsentry is monitoring ports below 1524. My kill route
command from portsentry.conf is:
# New ipchain support for Linux kernel version 2.102+
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
Since it does not have the -l at the end I believe it should not log once
portsentry detects the scan. During the scan weblet shows the hundreds of
log events building up for the various ports. So my question is how can I
have psentry detect the scan sooner so it can add the ipchain rule to stop
logging all of the scans? At some point during the scan weblet gets really
screwed up and I can't even look at the logs probably because of memory
being full.
3) I want to get an email if psentry detects a scan. Right now scanning
kills the firewall so I can't test this but does the following kill command
look reasonable?
KILL_RUN_CMD="mail -s "Portsentry Attack from:$TARGET$" [EMAIL PROTECTED] < /var/log/daemon.log"
The mail command does work from the command line.
Any suggestions/comments regarding the above would be much appreciated as
usual.
Thanks!
Paul Rimmer
Calgary, Alberta, Canada
Here's a snippet from syslog showing the psentry init problem. It shows the
one psentry process followed by the two starting after I manually do a
/etc/init.d/psentry restart:
Jul 13 13:55:45 LRP syslogd 1.3-3#31: restart.
Jul 13 13:55:45 LRP kernel: klogd 1.3-3#31, log source = /proc/kmsg started.
Jul 13 13:55:46 LRP kernel: Cannot find map file.
Jul 13 13:55:46 LRP kernel: Loaded 8 symbols from 14 modules.
Jul 13 13:55:46 LRP kernel: Linux version 2.2.16 (root@debian) (gcc version
2.7.2.3) #1 Sun Jun 11 11:33:38 CDT 2000
Jul 13 13:55:46 LRP kernel: Calibrating delay loop... 33.18 BogoMIPS
Jul 13 13:55:46 LRP kernel: Memory: 13924k/16384k available (800k kernel
code, 416k reserved, 452k data, 40k init)
Jul 13 13:55:46 LRP kernel: Dentry hash table entries: 2048 (order 2, 16k)
Jul 13 13:55:46 LRP kernel: Buffer cache hash table entries: 16384 (order 4,
64k)
Jul 13 13:55:46 LRP kernel: Page cache hash table entries: 4096 (order 2,
16k)
Jul 13 13:55:46 LRP kernel: CPU: Intel 486 DX/2 stepping 06
Jul 13 13:55:46 LRP kernel: Checking 386/387 coupling... OK, FPU using
exception 16 error reporting.
Jul 13 13:55:46 LRP kernel: Checking 'hlt' instruction... OK.
Jul 13 13:55:46 LRP kernel: POSIX conformance testing by UNIFIX
Jul 13 13:55:46 LRP kernel: PCI: No PCI bus detected
Jul 13 13:55:46 LRP kernel: Linux NET4.0 for Linux 2.2
Jul 13 13:55:46 LRP kernel: Based upon Swansea University Computer Society
NET3.039
Jul 13 13:55:46 LRP kernel: NET4: Unix domain sockets 1.0 for Linux NET4.0.
Jul 13 13:55:46 LRP kernel: NET4: Linux TCP/IP 1.0 for NET4.0
Jul 13 13:55:46 LRP kernel: IP Protocols: ICMP, UDP, TCP, IGMP
Jul 13 13:55:46 LRP kernel: TCP: Hash tables configured (ehash 16384 bhash
16384)
Jul 13 13:55:46 LRP kernel: Linux IP multicast router 0.06 plus PIM-SM
Jul 13 13:55:46 LRP kernel: Initializing RT netlink socket
Jul 13 13:55:46 LRP kernel: Starting kswapd v 1.5
Jul 13 13:55:46 LRP kernel: Serial driver version 4.27 with MANY_PORTS
MULTIPORT SHARE_IRQ enabled
Jul 13 13:55:46 LRP kernel: Software Watchdog Timer: 0.05, timer margin: 60
sec
Jul 13 13:55:46 LRP kernel: Real Time Clock Driver v1.09
Jul 13 13:55:46 LRP kernel: Keyboard timeout[2]
Jul 13 13:55:46 LRP kernel: Keyboard timeout[2]
Jul 13 13:55:46 LRP kernel: RAM disk driver initialized: 16 RAM disks of
6144K size
Jul 13 13:55:46 LRP kernel: Floppy drive(s): fd0 is 1.44M
Jul 13 13:55:46 LRP kernel: FDC 0 is an 8272A
Jul 13 13:55:46 LRP kernel: NET4: Ethernet Bridge 007 for NET4.0
Jul 13 13:55:46 LRP kernel: early initialization of device brg0 is deferred
Jul 13 13:55:46 LRP kernel: brg0: network interface for Ethernet Bridge
007/NET4.0
Jul 13 13:55:46 LRP kernel: brg0: generated MAC address FE:FD:0F:21:51:F5
Jul 13 13:55:46 LRP kernel: brg0: attached to bridge instance 0
Jul 13 13:55:46 LRP kernel: RAMDISK: Compressed image found at block 0
Jul 13 13:55:46 LRP kernel: RAMDISK: Uncompressing root archive: done.
Jul 13 13:55:46 LRP kernel: RAMDISK: Auto Filesystem - minix: 2048i 6144bk
68fdz(68) 1024zs 2147483647ms
Jul 13 13:55:46 LRP kernel: VFS: Mounted root (minix filesystem).
Jul 13 13:55:46 LRP kernel: RAMDISK: Extracting root archive: done.
Jul 13 13:55:46 LRP kernel: VFS: Disk change detected on device fd(2,44)
Jul 13 13:55:46 LRP kernel: Freeing unused kernel memory: 40k freed
Jul 13 13:55:46 LRP kernel: Warning: unable to open an initial console.
Jul 13 13:55:46 LRP kernel: eth0: 3c509 at 0x220 tag 1, 10baseT port,
address 00 50 04 19 42 49, IRQ 10.
Jul 13 13:55:46 LRP kernel: 3c509.c:1.16 (2.2) 2/3/98
[EMAIL PROTECTED]
Jul 13 13:55:46 LRP kernel: ne.c:v1.10 9/23/94 Donald Becker
([EMAIL PROTECTED])
Jul 13 13:55:46 LRP kernel: NE*000 ethercard probe at 0x320: 00 00 b4 80 b9
ef
Jul 13 13:55:46 LRP kernel: eth1: NE2000 found at 0x320, using IRQ 9.
Jul 13 13:55:46 LRP kernel: ip_masq_icq: using TCP port range 60200-61000
Jul 13 13:55:46 LRP kernel: ip_masq_icq: loaded support on port 4000/UDP
Jul 13 13:55:46 LRP sshd[832]: Server listening on 0.0.0.0 port 22.
Jul 13 13:55:46 LRP sshd[832]: Generating 768 bit RSA key.
Jul 13 13:55:47 LRP /usr/sbin/cron[838]: (CRON) STARTUP (fork ok)
Jul 13 13:55:47 LRP dhcpd: Internet Software Consortium DHCP Server 2.0pl5
Jul 13 13:55:47 LRP dhcpd: Copyright 1995, 1996, 1997, 1998, 1999 The
Internet Software Consortium.
Jul 13 13:55:47 LRP dhcpd: All rights reserved.
Jul 13 13:55:47 LRP dhcpd:
Jul 13 13:55:47 LRP dhcpd: Please contribute if you find this software
useful.
Jul 13 13:55:47 LRP dhcpd: For info, please visit
http://www.isc.org/dhcp-contrib.html
Jul 13 13:55:47 LRP dhcpd:
Jul 13 13:55:47 LRP dhcpd: Listening on
LPF/eth1/00:00:b4:80:b9:ef/192.168.1.0
Jul 13 13:55:48 LRP dhcpd: Sending on
LPF/eth1/00:00:b4:80:b9:ef/192.168.1.0
Jul 13 13:55:48 LRP dhcpd: Sending on Socket/fallback/fallback-net
Jul 13 13:55:49 LRP dhclient: Internet Software Consortium DHCP Client
2.0pl5
Jul 13 13:55:49 LRP dhclient: Copyright 1995, 1996, 1997, 1998, 1999 The
Internet Software Consortium.
Jul 13 13:55:49 LRP dhclient: All rights reserved.
Jul 13 13:55:49 LRP dhclient:
Jul 13 13:55:49 LRP dhclient: Please contribute if you find this software
useful.
Jul 13 13:55:49 LRP dhclient: For info, please visit
http://www.isc.org/dhcp-contrib.html
Jul 13 13:55:49 LRP dhclient:
Jul 13 13:55:54 LRP dhclient: Listening on LPF/eth0/00:50:04:19:42:49
Jul 13 13:55:54 LRP dhclient: Sending on LPF/eth0/00:50:04:19:42:49
Jul 13 13:55:54 LRP dhclient: Sending on Socket/fallback/fallback-net
Jul 13 13:55:54 LRP dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port
67 interval 8
Jul 13 13:55:56 LRP sshd[832]: RSA key generation complete.
Jul 13 13:56:02 LRP dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port
67 interval 9
Jul 13 13:56:02 LRP dhclient: DHCPOFFER from a.b.c.d
Jul 13 13:56:05 LRP dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67
Jul 13 13:56:06 LRP dhclient: DHCPACK from a.b.c.d
Jul 13 13:56:08 LRP kernel: eth0: Setting Rx mode to 1 addresses.
Jul 13 13:56:16 LRP dhclient: bound to w.x.y.z -- renewal in 86400 seconds.
Jul 13 13:56:19 LRP init: no more processes left in this runlevel
Jul 13 14:00:00 LRP /USR/SBIN/CRON[1166]: (root) CMD (/etc/multicron-p)
Jul 13 14:03:38 LRP sh-httpd[1170]: connect from 192.168.1.7
Jul 13 14:03:51 LRP sh-httpd[1217]: connect from 192.168.1.7
Jul 13 14:05:49 LRP sshd[1278]: Accepted password for ROOT from 192.168.1.7
port 1492
Jul 13 14:06:00 LRP sshd[1278]: Could not reverse map address 192.168.1.7.
Jul 13 14:06:24 LRP portsentry[1311]: adminalert: Psionic PortSentry 1.0 is
starting.
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 1
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 11
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 15
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 79
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 111
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 119
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 143
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 540
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 635
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 1080
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 1524
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 2000
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 5742
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 6667
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 12345
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 12346
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 20034
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 31337
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 32771
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 32772
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 32773
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 32774
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 40421
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 49724
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 54320
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: PortSentry is now active
and listening.
Jul 13 14:06:27 LRP portsentry[1336]: adminalert: Psionic PortSentry 1.0 is
starting.
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 1
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 7
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 9
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 69
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 161
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 162
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 513
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 635
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 640
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 641
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 700
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 32770
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 32771
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 32772
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 32773
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 32774
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 31337
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 54321
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: PortSentry is now active
and listening.
Jul 13 14:07:20 LRP sh-httpd[1350]: connect from 192.168.1.7
And here's my portsentry.conf file:
# PortSentry Configuration
#
# $Id: portsentry.conf,v 1.13 1999/11/09 02:45:42 crowland Exp crowland $
#
# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
#
# The default ports will catch a large number of common probes
#
# All entries must be in quotes.
#######################
# Port Configurations #
#######################
#
#
# Some example port configs for classic and basic Stealth modes
#
# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#
# ** X-Windows Users **: If you are running X on your box, you need to be sure
# you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users).
# Doing so will prevent the X-client from starting properly.
#
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
#
# Un-comment these if you are really anal:
TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774,31337,54321"
#
# Use these if you just want to be aware:
#TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,31337,32771,32772,32773,32774,40421,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774,31337,54321"
#
# Use these for just bare-bones
#TCP_PORTS="1,11,15,110,111,143,540,635,1080,524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
###########################################
# Advanced Stealth Scan Detection Options #
###########################################
#
# This is the number of ports you want PortSentry to monitor in Advanced mode.
# Any port *below* this number will be monitored. Right now it watches
# everything below 1023.
#
# On many Linux systems you cannot bind above port 61000. This is because
# these ports are used as part of IP masquerading. I don't recommend you
# bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
# OVER 1023 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
# warned! Don't write me if you have a problem because I'll only tell
# you to RTFM and don't run above the first 1023 ports.
#
#
ADVANCED_PORTS_TCP="1023"
ADVANCED_PORTS_UDP="1023"
#
# This field tells PortSentry what ports (besides listening daemons) to
# ignore. This is helpful for services like ident that services such
# as FTP, SMTP, and wrappers look for but you may not run (and probably
# *shouldn't* IMHO).
#
# By specifying ports here PortSentry will simply not respond to
# incoming requests, in effect PortSentry treats them as if they are
# actual bound daemons. The default ports are ones reported as
# problematic false alarms and should probably be left alone for
# all but the most isolated systems/networks.
#
# Default TCP ident and NetBIOS service
ADVANCED_EXCLUDE_TCP="113,139"
# Default UDP route (RIP), NetBIOS, bootp broadcasts.
ADVANCED_EXCLUDE_UDP="520,138,137,67"
######################
# Configuration Files#
######################
#
# Hosts to ignore
IGNORE_FILE="/var/psentry/ignore"
# Hosts that have been denied (running history)
HISTORY_FILE="/var/psentry/history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/var/psentry/blocked"
###################
# Response Options#
###################
# Options to dispose of attacker. Each is an action that will
# be run if an attack is detected. If you don't want a particular
# option then comment it out and it will be skipped.
#
# The variable $TARGET$ will be substituted with the target attacking
# host when an attack is detected. The variable $PORT$ will be substituted
# with the port that was scanned.
#
##################
# Ignore Options #
##################
# These options allow you to enable automatic response
# options for UDP/TCP. This is useful if you just want
# warnings for connections, but don't want to react for
# a particular protocol (i.e. you want to block TCP, but
# not UDP). To prevent a possible Denial of service attack
# against UDP and stealth scan detection for TCP, you may
# want to disable blocking, but leave the warning enabled.
# I personally would wait for this to become a problem before
# doing though as most attackers really aren't doing this.
# The third option allows you to run just the external command
# in case of a scan to have a pager script or such execute
# but not drop the route. This may be useful for some admins
# who want to block TCP, but only want pager/e-mail warnings
# on UDP, etc.
#
#
# 0 = Do not block UDP/TCP scans.
# 1 = Block UDP/TCP scans.
# 2 = Run external command only (KILL_RUN_CMD)
BLOCK_UDP="1"
BLOCK_TCP="1"
###################
# Dropping Routes:#
###################
# This command is used to drop the route or add the host into
# a local filter table.
#
# The gateway (333.444.555.666) should ideally be a dead host on
# the *local* subnet. On some hosts you can also point this at
# localhost (127.0.0.1) and get the same effect. NOTE THAT
# 333.444.555.66 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
#
# All KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
# uncomment the correct line for your OS. If your OS is not listed
# here and you have a route drop command that works then please
# mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
# CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
#
# NOTE: The route commands are the least optimal way of blocking
# and do not provide complete protection against UDP attacks and
# will still generate alarms for both UDP and stealth scans. I
# always recommend you use a packet filter because they are made
# for this purpose.
#
# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
# Generic Sun
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"
# FreeBSD (Not well tested.)
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
# Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
#KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
# Generic HP-UX
#KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
##
# Using a packet filter is the preferred method. The below lines
# work well on many OS's. Remember, you can only uncomment *one*
# KILL_ROUTE option.
##
# For those of you running Linux with ipfwadm installed you may like
# this better as it drops the host into the packet filter.
# You can only have one KILL_ROUTE turned on at a time though.
# This is the best method for Linux hosts.
#
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# This version does not log denied packets after activation
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
#
# New ipchain support for Linux kernel version 2.102+
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
#
# For those of you running FreeBSD (and compatible) you can
# use their built in firewalling as well.
#
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
###############
# TCP Wrappers#
###############
# This text will be dropped into the hosts.deny file for wrappers
# to use. There are two formats for TCP wrappers:
#
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
KILL_HOSTS_DENY="ALL: $TARGET$"
#
# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
###################
# External Command#
###################
# This is a command that is run when a host connects, it can be whatever
# you want it to be (pager, etc.). This command is executed before the
# route is dropped. I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS
# AGAINST THE HOST SCANNING YOU. TCP/IP is an *unauthenticated protocol*
# and people can make scans appear out of thin air. The only time it
# is reasonably safe (and I *never* think it is reasonable) to run
# reverse probe scripts is when using the "classic" -tcp mode. This
# mode requires a full connect and is very hard to spoof.
#
KILL_RUN_CMD="mail -s "Portsentry Attack from:$TARGET$" [EMAIL PROTECTED] < /var/log/daemon.log"
#####################
# Scan trigger value#
#####################
# Enter in the number of port connects you will allow before an
# alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms. Anything higher is
# probably not necessary. This value must always be specified, but
# generally can be left at 0.
#
# NOTE: If you are using the advanced detection option you need to
# be careful that you don't make a hair trigger situation. Because
# Advanced mode will react for *any* host connecting to a non-used
# below your specified range, you have the opportunity to really
# break things. (i.e someone innocently tries to connect to you via
# SSL [TCP port 443] and you immediately block them). Some of you
# may even want this though. Just be careful.
#
SCAN_TRIGGER="0"
######################
# Port Banner Section#
######################
#
# Enter text in here you want displayed to a person tripping the PortSentry.
# I *don't* recommend taunting the person as this will aggravate them.
# Leave this commented out to disable the feature
#
# Stealth scan detection modes don't use this feature
#
#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
# EOF
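Added example, not part of the original post: a check that compares the ports on the active TCP_PORTS/UDP_PORTS lines of portsentry.conf with the ports portsentry reports in its syslog "Going into ... listen mode" records, since a configured port that is never bound cannot trigger KILL_ROUTE. The function names and the shortened sample excerpts are constructed for illustration; the log records are rejoined first because the mail client wrapped them.

```python
import re

# Start of a syslog record, e.g. "Jul 13 14:06:24 LRP portsentry[1312]: ..."
RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
LISTEN = re.compile(
    r"portsentry\[\d+\]: adminalert: Going into (?:stealth )?listen mode "
    r"on (TCP|UDP) port: (\d+)"
)
# Active setting as it sits on disk: one line, quoted, no leading '#'.
SETTING = re.compile(r'^(TCP_PORTS|UDP_PORTS)="([^"]*)"')


def unwrap_syslog(text):
    """Rejoin records that a mail client wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def bound_ports(syslog_text):
    """Ports portsentry reported listening on, keyed by protocol."""
    bound = {"TCP": set(), "UDP": set()}
    for record in unwrap_syslog(syslog_text):
        m = LISTEN.search(record)
        if m:
            bound[m.group(1)].add(int(m.group(2)))
    return bound


def configured_ports(conf_text):
    """Ports from the uncommented TCP_PORTS / UDP_PORTS lines."""
    conf = {"TCP": set(), "UDP": set()}
    for line in conf_text.splitlines():
        m = SETTING.match(line.strip())
        if m:
            ports = {int(p) for p in m.group(2).split(",") if p.strip()}
            conf[m.group(1)[:3]] = ports
    return conf


def unbound(conf_text, syslog_text):
    """Configured ports that never appear in a 'listen mode' record."""
    conf, bound = configured_ports(conf_text), bound_ports(syslog_text)
    return {proto: sorted(conf[proto] - bound[proto]) for proto in conf}


# Constructed, shortened samples in the style of the post's conf and syslog.
SAMPLE_CONF = '''\
TCP_PORTS="1,7,9,11,15,79"
#TCP_PORTS="1,11,15,79"
UDP_PORTS="1,7,9,66"
'''
SAMPLE_LOG = '''\
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 1
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 11
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 15
Jul 13 14:06:24 LRP portsentry[1312]: adminalert: Going into stealth listen
mode on TCP port: 79
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 1
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 7
Jul 13 14:06:27 LRP portsentry[1337]: adminalert: Going into listen mode on
UDP port: 9
'''

if __name__ == "__main__":
    print(unbound(SAMPLE_CONF, SAMPLE_LOG))
```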