Configuration for Sentry

portsentry.conf

# PortSentry Configuration
#
# $Id: tips-sentry_config.html,v 1.1.1.1 2001/10/12 07:29:11 arudys Exp $
#
# IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
# 
# The default ports will catch a large number of common probes
#
# All entries must be in quotes.


#######################
# Port Configurations #
#######################
#
#
# Some example port configs for classic and basic Stealth modes
#
# I like to always keep some ports at the "low" end of the spectrum.
# This will detect a sequential port sweep really quickly and usually
# these ports are not in use (i.e. tcpmux port 1)
#
# ** X-Windows Users **: If you are running X on your box, you need to be sure
# you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users). 
# Doing so will prevent the X-client from starting properly. 
#
# These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
#

# Un-comment these if you are really anal:

# Note: Some of these ports are necessary for running X-Windows and other 
# programs, e.g., 6000. Unless you're really sure that everyone is trying
# to get you, I would use the port lists after these two.

#TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,2001,4000,4001,6001,6667,32771,32772,32773,32774,31337,49724"
#UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,32770,32771,32772,32773,32774"
#
# Use these if you just want to be aware:

# Don't be fooled: these ports are practically enough.  They've reduced my
# break-ins to nothing (at least I think nothing :), since they stop the
# barbarians at the gate.  It is especially effective against sequential
# port scanners, which a large part of the populace use to check what
# daemons they can exploit on a given machine.

TCP_PORTS="1,11,15,79,119,143,540,2000,6667,31337,32771,32772,32773,32774,49724"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,32770,32771,32772,32773,32774"
#
# Use these for just bare-bones

# Like the author says, bare bones

#TCP_PORTS="1,11,15,143,540,2000,32771,32772,32773,32774,49724"
#UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774"

###########################################
# Advanced Stealth Scan Detection Options #
###########################################
#
# This is the number of ports you want PortSentry to monitor in Advanced mode.
# Any port *below* this number will be monitored. Right now it watches 
# everything below 1024. If you feel adventurous, you can bump this number
# up to the maximum (65535) and monitor every port on your host. 
# I have run into a problem on RedHat 5.0 where you cannot bind to ports
# above 61000. Until I find a resolution to this, I do not recommend you
# bind over this number of ports. 
#
# Because of the "Smart Verify" feature of PortSentry, this will work even
# with protocols such as FTP that may have incoming connections to the
# protected host.
#
# THIS IS AN EXPERIMENTAL FUNCTION. USE DISCRETION.
#

# It's best to leave this as is.  I haven't had problems yet.

ADVANCED_PORTS_TCP="1024"
ADVANCED_PORTS_UDP="1024"
#
# This field tells PortSentry what ports (besides listening daemons) to
# ignore. This is helpful for services like ident that services such 
# as FTP, SMTP, and wrappers look for but you may not run (and probably 
# *shouldn't* IMHO). 
#
# By specifying ports here PortSentry will simply not respond to
# incoming requests, in effect PortSentry treats them as if they are
# actual bound daemons.
#

# Hmm, well, I think I'll be removing 21 now that Owlnet blocks access to
# those ports.  If you want other ports to be open and unchecked, this is
# the place.  Of course, at the moment, I'm not running an ftp daemon, so
# it doesn't make a whole lot of difference to me, but you might want to
# tailor it to your tastes/security needs.

# Default TCP ident service
ADVANCED_EXCLUDE_TCP="113,21"
# Default UDP route (RIP) broadcasts and NetBIOS
ADVANCED_EXCLUDE_UDP="520,137"


######################
# Configuration Files#
######################
#
# Hosts to ignore
IGNORE_FILE="/usr/local/abacus/portsentry.ignore"
# Hosts that have been denied (running history)
HISTORY_FILE="/usr/local/abacus/portsentry.history"
# Hosts that have been denied this session only (temporary until next restart)
BLOCKED_FILE="/usr/local/abacus/portsentry.blocked"

###################
# Response Options#
###################
# Options to dispose of attacker. Each is an action that will 
# be run if an attack is detected. If you don't want a particular
# option then comment it out and it will be skipped.
#
# The variable $TARGET$ will be substituted with the target attacking
# host when an attack is detected. 
#
##################
# Ignore Options #
##################
# These options allow you to enable automatic response
# options for UDP/TCP. This is useful if you just want
# warnings for connections, but don't want to react for  
# a particular protocol (i.e. you want to block TCP, but
# not UDP). To prevent a possible Denial of service attack
# against UDP and stealth scan detection for TCP, you may 
# want to disable blocking, but leave the warning enabled. 
# I personally would wait for this to become a problem before doing so,
# though, as most attackers really aren't that savvy.
#
# 
# 0 = Do not block UDP/TCP scans.
# 1 = Do block UDP/TCP scans.

BLOCK_UDP="1"
BLOCK_TCP="1"

###################
# Dropping Routes:#
###################
# This command is used to drop the route or add the host into
# a local filter table. 
#
# The gateway (333.444.555.666) should ideally be a dead host on 
# the *local* subnet. On some hosts you can also point this at
# localhost (127.0.0.1) and get the same effect. 
#

# Generic 
KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Linux 
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"

# Generic BSD (BSDI)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Sun 
#KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"

# NEXTSTEP
#KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"


# For those of you running Linux with ipfwadm installed you may like
# this better as it drops the host into the packet filter.
# You can only have one KILL_ROUTE turned on at a time though.
# This is the best method for Linux hosts.
#
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
#
# New ipchain support for Linux kernel version 2.102+ (not well tested)
#KILL_ROUTE="/sbin/ipchains -A input -s $TARGET$ -j DENY -l"
#
# For those of you running FreeBSD (and compatible) you can
# use their built in firewalling as well. 
#
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"

###############
# TCP Wrappers#
###############
# This text will be dropped into the hosts.deny file for wrappers
# to use. There are two formats for TCP wrappers:
#
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
KILL_HOSTS_DENY="ALL: $TARGET$"
#
# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"

###################
# External Command#
###################
# This is a command that is run when a host connects, it can be whatever
# you want it to be (pager, etc.). This command is executed before the 
# route is dropped. Try not to be too nasty OK?
#

# Really.  Being nasty only riles crackers up, and then they find new
# accounts to assault your box with the newfound knowledge that port scans
# won't work.  If they just lose connection, they may just give up.  There
# are a lot of insecure boxes out there with better connections than
# yours.

#KILL_RUN_CMD="/some/path/here/pagerscript $TARGET$"


#####################
# Scan trigger value#
#####################
# Enter in the number of port connects you will allow before an 
# alarm is given. The default is 0 which will react immediately.
# A value of 1 or 2 will reduce false alarms. Anything higher is 
# probably not necessary. This value must always be specified, but
# generally can be left at 0. 
#
# NOTE: If you are using the advanced detection option you need to
# be careful that you don't make a hair trigger situation. Because
# Advanced mode will react for *any* host connecting to a non-used port
# below your specified range, you have the opportunity to really 
# break things. (i.e someone innocently tries to connect to you via 
# SSL [TCP port 443] and you immediately block them). Some of you
# may even want this though. Just be careful.
#

SCAN_TRIGGER="0"

######################
# Port Banner Section#
######################
#
# Enter text in here you want displayed to a person tripping the PortSentry.
# I *don't* recommend taunting the person as this will aggravate them.
# Leave this commented out to disable the feature
#
# Stealth scan detection modes don't use this feature
#
#PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** Administrators alerted to your connection. Go Away."


# EOF
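As an added example (not part of the original page or of the PortSentry project), a small Python lint that checks a portsentry.conf against the rules stated in the file's own comments (values in quotes, no spaces between port arguments, X ports 6000/2000 not bound, only one KILL_ROUTE active, '%' escaped in KILL_HOSTS_DENY, SCAN_TRIGGER present) and shows what the response lines expand to for a given host; the sample config inside it is constructed and deliberately broken.

```python
import re
# Constructed sample config carrying several mistakes the comments warn about.
SAMPLE_CONF = """\
TCP_PORTS="1,11,15, 79,6000"
KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
KILL_ROUTE="/sbin/ipchains -A input -s $TARGET$ -j DENY -l"
#KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
KILL_HOSTS_DENY="ALL: $TARGET$ : spawn echo %c >> /tmp/log"
SCAN_TRIGGER=0
"""
ASSIGN = re.compile(r'^([A-Z_]+)=(.*)$')

def parse_conf(text):
    """Return (settings, problems); settings maps NAME -> list of values in file order."""
    settings, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or commented-out entry
        m = ASSIGN.match(line)
        if not m:
            problems.append(f"line {lineno}: not a NAME=\"value\" entry")
            continue
        name, value = m.groups()
        if len(value) < 2 or value[0] != '"' or value[-1] != '"':
            problems.append(f"line {lineno}: {name} value must be in quotes")
        settings.setdefault(name, []).append(value.strip('"'))
    return settings, problems

def lint(settings):
    """Apply the rules stated in the config's own comments; return problem strings."""
    problems = []
    for name in ("TCP_PORTS", "UDP_PORTS"):
        for ports in settings.get(name, []):
            if " " in ports:              # "You CAN NOT put spaces between your port arguments"
                problems.append(f"{name}: spaces between port arguments are not allowed")
            if name == "TCP_PORTS" and {p.strip() for p in ports.split(",")} & {"6000", "2000"}:
                problems.append("TCP_PORTS: binding 6000/2000 breaks X / OpenWindows clients")
    if len(settings.get("KILL_ROUTE", [])) > 1:   # "only one KILL_ROUTE turned on at a time"
        problems.append("KILL_ROUTE: only one KILL_ROUTE may be active at a time")
    for deny in settings.get("KILL_HOSTS_DENY", []):
        if re.search(r'(?<!\\)%', deny):          # extended options need \% rather than %
            problems.append("KILL_HOSTS_DENY: '%' must be escaped as '\\%'")
    if "SCAN_TRIGGER" not in settings:
        problems.append("SCAN_TRIGGER must always be specified")
    return problems

def render_actions(settings, attacker):
    """Dry run: the response commands/hosts.deny lines with $TARGET$ substituted."""
    return [v.replace("$TARGET$", attacker) for k in ("KILL_ROUTE", "KILL_HOSTS_DENY", "KILL_RUN_CMD")
            for v in settings.get(k, [])]
```

Running `lint(parse_conf(SAMPLE_CONF)[0])` lists each of the planted mistakes; `render_actions` lets you review the exact route/deny lines a blocked host would trigger before enabling blocking.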

rc.local additions
Put these commands in your /etc/rc.local file to run them on start up.
Note that the path is whatever you install it to.  It doesn't have to be
/usr/local/abacus.

	/usr/local/abacus/portsentry -tcp # normal tcp protection
	/usr/local/abacus/portsentry -udp # normal udp protection

	/usr/local/abacus/portsentry -stcp # stealth tcp detection
	/usr/local/abacus/portsentry -sudp # stealth udp detection

I don't run the advanced option b/c frankly, I haven't gotten it to work
quite yet without causing problems with other things.  It's not all that
necessary - my box is reasonably secure without it - so it's up to you
whether or not you want to use the -atcp and -audp switches.

These services all run as daemons, so you don't need to use the "&" marker
after the command.  The commands are good as is for any box.