Publicité
+ Répondre à la discussion
Affichage des résultats 1 à 6 sur 6
  1. #1
    Nouveau Membre du Club
    Profil pro Stephen
    Inscrit en
    mars 2009
    Messages
    96
    Détails du profil
    Informations personnelles :
    Nom : Stephen
    Localisation : France

    Informations forums :
    Inscription : mars 2009
    Messages : 96
    Points : 29
    Points
    29

    Par défaut portsentry ne fonctionne pas

    Bonjour,

    Afin de bloquer les scan de ports, j'ai installé portsentry sur mon serveur.

    Après l'avoir configuré (fichier de config ci-dessous), j'ai testé que cela fonctionnait en faisant un scan de port avec nmap depuis une machine externe à mon réseau. Le scan ne s'est pas fait rejeté (voir résultat ci-dessous).

    Comment bien configuré portsentry pour qu'il soit utile ?

    Résultat du scan avec nmap
    Code :
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
     
    $ sudo nmap -v -PN -p 0-2000,60000 xx.xx.xxx.x
     
    Starting Nmap 5.00 ( http://nmap.org ) at 2012-10-02 15:12 CEST
    NSE: Loaded 0 scripts for scanning.
    Initiating Parallel DNS resolution of 1 host. at 15:12
    Completed Parallel DNS resolution of 1 host. at 15:12, 0.46s elapsed
    Initiating SYN Stealth Scan at 15:12
    Scanning xx.xx.xxx.x.xxx.xxx.xxx (xx.xx.xxx.x) [2002 ports]
    Discovered open port 80/tcp on xx.xx.xxx.x
    Discovered open port 443/tcp on xx.xx.xxx.x
    SYN Stealth Scan Timing: About 2.05% done; ETC: 15:37 (0:24:43 remaining)
    SYN Stealth Scan Timing: About 2.45% done; ETC: 15:53 (0:40:31 remaining)
    ...
    Configuration portsentry
    Code :
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    86
    87
    88
    89
    90
    91
    92
    93
    94
    95
    96
    97
    98
    99
    100
    101
    102
    103
    104
    105
    106
    107
    108
    109
    110
    111
    112
    113
    114
    115
    116
    117
    118
    119
    120
    121
    122
    123
    124
    125
    126
    127
    128
    129
    130
    131
    132
    133
    134
    135
    136
    137
    138
    139
    140
    141
    142
    143
    144
    145
    146
    147
    148
    149
    150
    151
    152
    153
    154
    155
    156
    157
    158
    159
    160
    161
    162
    163
    164
    165
    166
    167
    168
    169
    170
    171
    172
    173
    174
    175
    176
    177
    178
    179
    180
    181
    182
    183
    184
    185
    186
    187
    188
    189
    190
    191
    192
    193
    194
    195
    196
    197
    198
    199
    200
    201
    202
    203
    204
    205
    206
    207
    208
    209
    210
    211
    212
    213
    214
    215
    216
    217
    218
    219
    220
    221
    222
    223
    224
    225
    226
    227
    228
    229
    230
    231
    232
    233
    234
    235
    236
    237
    238
    239
    240
    241
    242
    243
    244
    245
    246
    247
    248
    249
    250
    251
    252
    253
    254
    255
    256
    257
    258
    259
    260
    261
    262
    263
    264
    265
    266
    267
    268
    269
    270
    271
    272
    273
    274
    275
    276
    277
    278
    279
    280
    281
    282
    283
    284
    285
    286
    287
    288
    289
    290
    291
    292
    293
    294
    295
    296
    297
    298
    299
    300
    301
     
    # PortSentry Configuration
    #
    # $Id: portsentry.conf.Debian,v 1.6 2001/07/19 21:02:20 agx Exp $
    # 
    # Original portsentry.conf by Craig H. Rowland <crowland@psionic.com>
    # modified for Debian by Guido Guenther <agx@debian.org>
    #
    # IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
    # 
    # The default ports will catch a large number of common probes
    #
    # All entries must be in quotes.
     
     
    #######################
    # Port Configurations #
    #######################
    #
    #
    # Some example port configs for classic and basic Stealth modes
    #
    # I like to always keep some ports at the "low" end of the spectrum.
    # This will detect a sequential port sweep really quickly and usually
    # these ports are not in use (i.e. tcpmux port 1)
    #
    # ** X-Windows Users **: If you are running X on your box, you need to be sure
    # you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users). 
    # Doing so will prevent the X-client from starting properly. 
    #
    # These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
    #
     
    # Un-comment these if you are really anal:
    #TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
    #UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321"
    #
    # Use these if you just want to be aware:
    TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
    UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
    #
    # Use these for just bare-bones
    #TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
    #UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
     
    ###########################################
    # Advanced Stealth Scan Detection Options #
    ###########################################
    #
    # This is the number of ports you want PortSentry to monitor in Advanced mode.
    # Any port *below* this number will be monitored. Right now it watches 
    # everything below 1024. 
    # 
    # On many Linux systems you cannot bind above port 61000. This is because
    # these ports are used as part of IP masquerading. I don't recommend you
    # bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR 
    # OVER 1024 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
    # warned! Don't write me if you have have a problem because I'll only tell
    # you to RTFM and don't run above the first 1024 ports.
    #
    #
    ADVANCED_PORTS_TCP="1024"
    ADVANCED_PORTS_UDP="1024"
    #
    # This field tells PortSentry what ports (besides listening daemons) to
    # ignore. This is helpful for services like ident that services such 
    # as FTP, SMTP, and wrappers look for but you may not run (and probably 
    # *shouldn't* IMHO). 
    #
    # By specifying ports here PortSentry will simply not respond to
    # incoming requests, in effect PortSentry treats them as if they are
    # actual bound daemons. The default ports are ones reported as 
    # problematic false alarms and should probably be left alone for
    # all but the most isolated systems/networks.
    #
    # Default TCP ident and NetBIOS service
    ADVANCED_EXCLUDE_TCP="113,139"
    # Default UDP route (RIP), NetBIOS, bootp broadcasts.
    ADVANCED_EXCLUDE_UDP="520,138,137,67"
     
     
    ######################
    # Configuration Files#
    ######################
    #
    # Hosts to ignore
    IGNORE_FILE="/etc/portsentry/portsentry.ignore"
    # Hosts that have been denied (running history)
    HISTORY_FILE="/var/lib/portsentry/portsentry.history"
    # Hosts that have been denied this session only (temporary until next restart)
    BLOCKED_FILE="/var/lib/portsentry/portsentry.blocked"
     
    ##############################
    # Misc. Configuration Options#
    ##############################
    #
    # DNS Name resolution - Setting this to "1" will turn on DNS lookups
    # for attacking hosts. Setting it to "0" (or any other value) will shut
    # it off.
    RESOLVE_HOST = "0"
     
    ###################
    # Response Options#
    ###################
    # Options to dispose of attacker. Each is an action that will 
    # be run if an attack is detected. If you don't want a particular
    # option then comment it out and it will be skipped.
    #
    # The variable $TARGET$ will be substituted with the target attacking
    # host when an attack is detected. The variable $PORT$ will be substituted
    # with the port that was scanned. 
    #
    ##################
    # Ignore Options #
    ##################
    # These options allow you to enable automatic response
    # options for UDP/TCP. This is useful if you just want
    # warnings for connections, but don't want to react for  
    # a particular protocol (i.e. you want to block TCP, but
    # not UDP). To prevent a possible Denial of service attack
    # against UDP and stealth scan detection for TCP, you may 
    # want to disable blocking, but leave the warning enabled. 
    # I personally would wait for this to become a problem before
    # doing though as most attackers really aren't doing this.
    # The third option allows you to run just the external command
    # in case of a scan to have a pager script or such execute
    # but not drop the route. This may be useful for some admins
    # who want to block TCP, but only want pager/e-mail warnings
    # on UDP, etc.
    #
    # 
    # 0 = Do not block UDP/TCP scans.
    # 1 = Block UDP/TCP scans.
    # 2 = Run external command only (KILL_RUN_CMD)
     
    BLOCK_UDP="1"
    BLOCK_TCP="1"
     
    ###################
    # Dropping Routes:#
    ###################
    # This command is used to drop the route or add the host into
    # a local filter table. 
    #
    # The gateway (333.444.555.666) should ideally be a dead host on 
    # the *local* subnet. On some hosts you can also point this at
    # localhost (127.0.0.1) and get the same effect. NOTE THAT
    # 333.444.555.66 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
    #
    # ALL KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
    # uncomment the correct line for your OS. If you OS is not listed
    # here and you have a route drop command that works then please
    # mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
    # CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
    #
    # NOTE: The route commands are the least optimal way of blocking
    # and do not provide complete protection against UDP attacks and
    # will still generate alarms for both UDP and stealth scans. I
    # always recommend you use a packet filter because they are made
    # for this purpose.
    #
     
    # Generic 
    #KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
     
    # Generic Linux 
    #KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
     
    # Newer versions of Linux support the reject flag now. This 
    # is cleaner than the above option.
    KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
     
    # Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
    #KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
     
    # Generic Sun 
    #KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
     
    # NEXTSTEP
    #KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"
     
    # FreeBSD
    #KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
     
    # Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
    #KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
     
    # Generic HP-UX
    #KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
     
    ##
    # Using a packet filter is the PREFERRED. The below lines
    # work well on many OS's. Remember, you can only uncomment *one*
    # KILL_ROUTE option.
    ##
     
    # ipfwadm support for Linux
    #KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
    #
    # ipfwadm support for Linux (no logging of denied packets)
    #KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
    #
    # ipchain support for Linux
    #KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
    #
    # ipchain support for Linux (no logging of denied packets)
    #KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
    #
    # iptables support for Linux
    KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
    #
    # iptables support for Linux with limit and LOG support. Logs only
    # a limited number of packets to avoid a denial of service attack.
    # KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP && /sbin/iptables -I INPUT -s $TARGET$ -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level DEBUG --log-prefix 'Portsentry: dropping: '"
    #
    # For those of you running FreeBSD (and compatible) you can
    # use their built in firewalling as well. 
    #
    #KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
    #
    #
    # For those running ipfilt (OpenBSD, etc.)
    # NOTE THAT YOU NEED TO CHANGE external_interface TO A VALID INTERFACE!!
    #
    #KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/ipf -f -"
     
     
    ###############
    # TCP Wrappers#
    ###############
    # This text will be dropped into the hosts.deny file for wrappers
    # to use. There are two formats for TCP wrappers:
    #
    # Format One: Old Style - The default when extended host processing
    # options are not enabled.
    #
    #KILL_HOSTS_DENY="ALL: $TARGET$"
     
    # Format Two: New Style - The format used when extended option
    # processing is enabled. You can drop in extended processing
    # options, but be sure you escape all '%' symbols with a backslash
    # to prevent problems writing out (i.e. \%c \%h )
    #
    #KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
     
    ###################
    # External Command#
    ###################
    # This is a command that is run when a host connects, it can be whatever
    # you want it to be (pager, etc.). This command is executed before the 
    # route is dropped or after depending on the KILL_RUN_CMD_FIRST option below
    #
    #
    # I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS AGAINST THE HOST SCANNING 
    # YOU!
    #
    # TCP/IP is an *unauthenticated protocol* and people can make scans appear out 
    # of thin air. The only time it is reasonably safe (and I *never* think it is 
    # reasonable) to run reverse probe scripts is when using the "classic" -tcp mode. 
    # This mode requires a full connect and is very hard to spoof.
    #
    # The KILL_RUN_CMD_FIRST value should be set to "1" to force the command 
    # to run *before* the blocking occurs and should be set to "0" to make the 
    # command run *after* the blocking has occurred. 
    #
    #KILL_RUN_CMD_FIRST = "0"
    #
    #
    #KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$ $MODE$"
    #####################
    # Scan trigger value#
    #####################
    # Enter in the number of port connects you will allow before an 
    # alarm is given. The default is 0 which will react immediately.
    # A value of 1 or 2 will reduce false alarms. Anything higher is 
    # probably not necessary. This value must always be specified, but
    # generally can be left at 0. 
    #
    # NOTE: If you are using the advanced detection option you need to
    # be careful that you don't make a hair trigger situation. Because
    # Advanced mode will react for *any* host connecting to a non-used 
    # port below your specified range, you have the opportunity to
    # really break things. (i.e someone innocently tries to connect to
    # you via SSL [TCP port 443] and you immediately block them). Some
    # of you may even want this though. Just be careful.
    #
    SCAN_TRIGGER="0"
     
    ######################
    # Port Banner Section#
    ######################
    #
    # Enter text in here you want displayed to a person tripping the PortSentry.
    # I *don't* recommend taunting the person as this will aggravate them.
    # Leave this commented out to disable the feature
    #
    # Stealth scan detection modes don't use this feature
    #
    PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
     
    # EOF
    Merci

  2. #2
    Nouveau Membre du Club
    Profil pro Stephen
    Inscrit en
    mars 2009
    Messages
    96
    Détails du profil
    Informations personnelles :
    Nom : Stephen
    Localisation : France

    Informations forums :
    Inscription : mars 2009
    Messages : 96
    Points : 29
    Points
    29

    Par défaut

    Bonjour,

    Mon soucis est toujours d'actualité. Si quelqu'un a une petite idée, je suis ouvert à toute suggestion.

  3. #3
    Invité de passage
    Homme Profil pro
    Étudiant
    Inscrit en
    juin 2012
    Messages
    6
    Détails du profil
    Informations personnelles :
    Sexe : Homme
    Localisation : France

    Informations professionnelles :
    Activité : Étudiant

    Informations forums :
    Inscription : juin 2012
    Messages : 6
    Points : 3
    Points
    3

  4. #4
    Invité de passage
    Homme Profil pro
    Loisir: serveur linux
    Inscrit en
    décembre 2012
    Messages
    2
    Détails du profil
    Informations personnelles :
    Sexe : Homme
    Localisation : Canada

    Informations professionnelles :
    Activité : Loisir: serveur linux

    Informations forums :
    Inscription : décembre 2012
    Messages : 2
    Points : 2
    Points
    2

    Par défaut Config

    Je crois voir une erreur dans ta config. Tu a 2 kill_route dactiver.

    A la ligne 171, ajoute un # devant le KILL_ROUTE...

    Save, restart portsentry et refait un test.

  5. #5
    Provisoirement toléré
    Inscrit en
    février 2008
    Messages
    469
    Détails du profil
    Informations forums :
    Inscription : février 2008
    Messages : 469
    Points : 81
    Points
    81

    Par défaut

    Citation Envoyé par Steph0 Voir le message
    Bonjour,

    Afin de bloquer les scan de ports, j'ai installé portsentry sur mon serveur.

    Après l'avoir configuré (fichier de config ci-dessous), j'ai testé que cela fonctionnait en faisant un scan de port avec nmap depuis une machine externe à mon réseau. Le scan ne s'est pas fait rejeté (voir résultat ci-dessous).

    Comment bien configuré portsentry pour qu'il soit utile ?

    Résultat du scan avec nmap
    Code :
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
     
    $ sudo nmap -v -PN -p 0-2000,60000 xx.xx.xxx.x
     
    Starting Nmap 5.00 ( http://nmap.org ) at 2012-10-02 15:12 CEST
    NSE: Loaded 0 scripts for scanning.
    Initiating Parallel DNS resolution of 1 host. at 15:12
    Completed Parallel DNS resolution of 1 host. at 15:12, 0.46s elapsed
    Initiating SYN Stealth Scan at 15:12
    Scanning xx.xx.xxx.x.xxx.xxx.xxx (xx.xx.xxx.x) [2002 ports]
    Discovered open port 80/tcp on xx.xx.xxx.x
    Discovered open port 443/tcp on xx.xx.xxx.x
    SYN Stealth Scan Timing: About 2.05% done; ETC: 15:37 (0:24:43 remaining)
    SYN Stealth Scan Timing: About 2.45% done; ETC: 15:53 (0:40:31 remaining)
    ...
    Configuration portsentry
    Code :
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    86
    87
    88
    89
    90
    91
    92
    93
    94
    95
    96
    97
    98
    99
    100
    101
    102
    103
    104
    105
    106
    107
    108
    109
    110
    111
    112
    113
    114
    115
    116
    117
    118
    119
    120
    121
    122
    123
    124
    125
    126
    127
    128
    129
    130
    131
    132
    133
    134
    135
    136
    137
    138
    139
    140
    141
    142
    143
    144
    145
    146
    147
    148
    149
    150
    151
    152
    153
    154
    155
    156
    157
    158
    159
    160
    161
    162
    163
    164
    165
    166
    167
    168
    169
    170
    171
    172
    173
    174
    175
    176
    177
    178
    179
    180
    181
    182
    183
    184
    185
    186
    187
    188
    189
    190
    191
    192
    193
    194
    195
    196
    197
    198
    199
    200
    201
    202
    203
    204
    205
    206
    207
    208
    209
    210
    211
    212
    213
    214
    215
    216
    217
    218
    219
    220
    221
    222
    223
    224
    225
    226
    227
    228
    229
    230
    231
    232
    233
    234
    235
    236
    237
    238
    239
    240
    241
    242
    243
    244
    245
    246
    247
    248
    249
    250
    251
    252
    253
    254
    255
    256
    257
    258
    259
    260
    261
    262
    263
    264
    265
    266
    267
    268
    269
    270
    271
    272
    273
    274
    275
    276
    277
    278
    279
    280
    281
    282
    283
    284
    285
    286
    287
    288
    289
    290
    291
    292
    293
    294
    295
    296
    297
    298
    299
    300
    301
     
    # PortSentry Configuration
    #
    # $Id: portsentry.conf.Debian,v 1.6 2001/07/19 21:02:20 agx Exp $
    # 
    # Original portsentry.conf by Craig H. Rowland <crowland@psionic.com>
    # modified for Debian by Guido Guenther <agx@debian.org>
    #
    # IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
    # 
    # The default ports will catch a large number of common probes
    #
    # All entries must be in quotes.
     
     
    #######################
    # Port Configurations #
    #######################
    #
    #
    # Some example port configs for classic and basic Stealth modes
    #
    # I like to always keep some ports at the "low" end of the spectrum.
    # This will detect a sequential port sweep really quickly and usually
    # these ports are not in use (i.e. tcpmux port 1)
    #
    # ** X-Windows Users **: If you are running X on your box, you need to be sure
    # you are not binding PortSentry to port 6000 (or port 2000 for OpenWindows users). 
    # Doing so will prevent the X-client from starting properly. 
    #
    # These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
    #
     
    # Un-comment these if you are really anal:
    #TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
    #UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321"
    #
    # Use these if you just want to be aware:
    TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
    UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
    #
    # Use these for just bare-bones
    #TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
    #UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
     
    ###########################################
    # Advanced Stealth Scan Detection Options #
    ###########################################
    #
    # This is the number of ports you want PortSentry to monitor in Advanced mode.
    # Any port *below* this number will be monitored. Right now it watches 
    # everything below 1024. 
    # 
    # On many Linux systems you cannot bind above port 61000. This is because
    # these ports are used as part of IP masquerading. I don't recommend you
    # bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR 
    # OVER 1024 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
    # warned! Don't write me if you have have a problem because I'll only tell
    # you to RTFM and don't run above the first 1024 ports.
    #
    #
    ADVANCED_PORTS_TCP="1024"
    ADVANCED_PORTS_UDP="1024"
    #
    # This field tells PortSentry what ports (besides listening daemons) to
    # ignore. This is helpful for services like ident that services such 
    # as FTP, SMTP, and wrappers look for but you may not run (and probably 
    # *shouldn't* IMHO). 
    #
    # By specifying ports here PortSentry will simply not respond to
    # incoming requests, in effect PortSentry treats them as if they are
    # actual bound daemons. The default ports are ones reported as 
    # problematic false alarms and should probably be left alone for
    # all but the most isolated systems/networks.
    #
    # Default TCP ident and NetBIOS service
    ADVANCED_EXCLUDE_TCP="113,139"
    # Default UDP route (RIP), NetBIOS, bootp broadcasts.
    ADVANCED_EXCLUDE_UDP="520,138,137,67"
     
     
    ######################
    # Configuration Files#
    ######################
    #
    # Hosts to ignore
    IGNORE_FILE="/etc/portsentry/portsentry.ignore"
    # Hosts that have been denied (running history)
    HISTORY_FILE="/var/lib/portsentry/portsentry.history"
    # Hosts that have been denied this session only (temporary until next restart)
    BLOCKED_FILE="/var/lib/portsentry/portsentry.blocked"
     
    ##############################
    # Misc. Configuration Options#
    ##############################
    #
    # DNS Name resolution - Setting this to "1" will turn on DNS lookups
    # for attacking hosts. Setting it to "0" (or any other value) will shut
    # it off.
    RESOLVE_HOST = "0"
     
    ###################
    # Response Options#
    ###################
    # Options to dispose of attacker. Each is an action that will 
    # be run if an attack is detected. If you don't want a particular
    # option then comment it out and it will be skipped.
    #
    # The variable $TARGET$ will be substituted with the target attacking
    # host when an attack is detected. The variable $PORT$ will be substituted
    # with the port that was scanned. 
    #
    ##################
    # Ignore Options #
    ##################
    # These options allow you to enable automatic response
    # options for UDP/TCP. This is useful if you just want
    # warnings for connections, but don't want to react for  
    # a particular protocol (i.e. you want to block TCP, but
    # not UDP). To prevent a possible Denial of service attack
    # against UDP and stealth scan detection for TCP, you may 
    # want to disable blocking, but leave the warning enabled. 
    # I personally would wait for this to become a problem before
    # doing though as most attackers really aren't doing this.
    # The third option allows you to run just the external command
    # in case of a scan to have a pager script or such execute
    # but not drop the route. This may be useful for some admins
    # who want to block TCP, but only want pager/e-mail warnings
    # on UDP, etc.
    #
    # 
    # 0 = Do not block UDP/TCP scans.
    # 1 = Block UDP/TCP scans.
    # 2 = Run external command only (KILL_RUN_CMD)
     
    BLOCK_UDP="1"
    BLOCK_TCP="1"
     
    ###################
    # Dropping Routes:#
    ###################
    # This command is used to drop the route or add the host into
    # a local filter table. 
    #
    # The gateway (333.444.555.666) should ideally be a dead host on 
    # the *local* subnet. On some hosts you can also point this at
    # localhost (127.0.0.1) and get the same effect. NOTE THAT
    # 333.444.555.66 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
    #
    # ALL KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
    # uncomment the correct line for your OS. If you OS is not listed
    # here and you have a route drop command that works then please
    # mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
    # CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
    #
    # NOTE: The route commands are the least optimal way of blocking
    # and do not provide complete protection against UDP attacks and
    # will still generate alarms for both UDP and stealth scans. I
    # always recommend you use a packet filter because they are made
    # for this purpose.
    #
     
    # Generic 
    #KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
     
    # Generic Linux 
    #KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
     
    # Newer versions of Linux support the reject flag now. This 
    # is cleaner than the above option.
    KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
     
    # Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
    #KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
     
    # Generic Sun 
    #KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
     
    # NEXTSTEP
    #KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"
     
    # FreeBSD
    #KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
     
    # Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
    #KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
     
    # Generic HP-UX
    #KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
     
    ##
    # Using a packet filter is the PREFERRED. The below lines
    # work well on many OS's. Remember, you can only uncomment *one*
    # KILL_ROUTE option.
    ##
     
    # ipfwadm support for Linux
    #KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
    #
    # ipfwadm support for Linux (no logging of denied packets)
    #KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
    #
    # ipchain support for Linux
    #KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
    #
    # ipchain support for Linux (no logging of denied packets)
    #KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
    #
    # iptables support for Linux
    KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
    #
    # iptables support for Linux with limit and LOG support. Logs only
    # a limited number of packets to avoid a denial of service attack.
    # KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP && /sbin/iptables -I INPUT -s $TARGET$ -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level DEBUG --log-prefix 'Portsentry: dropping: '"
    #
    # For those of you running FreeBSD (and compatible) you can
    # use their built in firewalling as well. 
    #
    #KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
    #
    #
    # For those running ipfilt (OpenBSD, etc.)
    # NOTE THAT YOU NEED TO CHANGE external_interface TO A VALID INTERFACE!!
    #
    #KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/ipf -f -"
     
     
    ###############
    # TCP Wrappers#
    ###############
    # This text will be dropped into the hosts.deny file for wrappers
    # to use. There are two formats for TCP wrappers:
    #
    # Format One: Old Style - The default when extended host processing
    # options are not enabled.
    #
    #KILL_HOSTS_DENY="ALL: $TARGET$"
     
    # Format Two: New Style - The format used when extended option
    # processing is enabled. You can drop in extended processing
    # options, but be sure you escape all '%' symbols with a backslash
    # to prevent problems writing out (i.e. \%c \%h )
    #
    #KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
     
    ###################
    # External Command#
    ###################
    # This is a command that is run when a host connects, it can be whatever
    # you want it to be (pager, etc.). This command is executed before the 
    # route is dropped or after depending on the KILL_RUN_CMD_FIRST option below
    #
    #
    # I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS AGAINST THE HOST SCANNING 
    # YOU!
    #
    # TCP/IP is an *unauthenticated protocol* and people can make scans appear out 
    # of thin air. The only time it is reasonably safe (and I *never* think it is 
    # reasonable) to run reverse probe scripts is when using the "classic" -tcp mode. 
    # This mode requires a full connect and is very hard to spoof.
    #
    # The KILL_RUN_CMD_FIRST value should be set to "1" to force the command 
    # to run *before* the blocking occurs and should be set to "0" to make the 
    # command run *after* the blocking has occurred. 
    #
    #KILL_RUN_CMD_FIRST = "0"
    #
    #
    #KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$ $MODE$"
    #####################
    # Scan trigger value#
    #####################
    # Enter in the number of port connects you will allow before an 
    # alarm is given. The default is 0 which will react immediately.
    # A value of 1 or 2 will reduce false alarms. Anything higher is 
    # probably not necessary. This value must always be specified, but
    # generally can be left at 0. 
    #
    # NOTE: If you are using the advanced detection option you need to
    # be careful that you don't make a hair trigger situation. Because
    # Advanced mode will react for *any* host connecting to a non-used 
    # port below your specified range, you have the opportunity to
    # really break things. (i.e someone innocently tries to connect to
    # you via SSL [TCP port 443] and you immediately block them). Some
    # of you may even want this though. Just be careful.
    #
    SCAN_TRIGGER="0"
     
    ######################
    # Port Banner Section#
    ######################
    #
    # Enter text in here you want displayed to a person tripping the PortSentry.
    # I *don't* recommend taunting the person as this will aggravate them.
    # Leave this commented out to disable the feature
    #
    # Stealth scan detection modes don't use this feature
    #
    PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
     
    # EOF
    Merci
    j'ai le même problème prière me donné la solution si vous avez résoudre le problème
    merci d'avance

  6. #6
    Membre du Club
    Inscrit en
    octobre 2009
    Messages
    26
    Détails du profil
    Informations personnelles :
    Âge : 25

    Informations forums :
    Inscription : octobre 2009
    Messages : 26
    Points : 43
    Points
    43

    Par défaut

    La réponse a été donné justement:

    l’instruction "KILL_ROUTE" est utilisée deux fois (ligne 171 et 210).
    commente la ligne 171 avec un # devant la ligne.

Liens sociaux

Règles de messages

  • Vous ne pouvez pas créer de nouvelles discussions
  • Vous ne pouvez pas envoyer des réponses
  • Vous ne pouvez pas envoyer des pièces jointes
  • Vous ne pouvez pas modifier vos messages
  •