File: portsentry.conf

################################
# Portsentry 2.0 Configuration #
################################
#
# IMPORTANT: This is the configuration file for Portsentry 2.0
# For an example of the 1.2 configuration, use the 1.2.x branch
#
# File format: one KEY="value" assignment per line; lines starting with '#'
# are comments. The commented-out assignments further down are examples and
# alternatives, not active settings.
# The daemon that reads this file executes the blocking commands configured
# below with its own privileges (root, if the route/firewall examples are to
# work), so keep this file root-owned and not writable by other users.

#######################
# Port Configurations #
#######################
#
# The ports you want to monitor.
# Any port listed here will trigger an action (defined below) on a connection attempt.
# The ports list must only contain port numbers, separated by commas.
# A range of ports can be specified using a dash. No spaces are allowed.
#
# Note however that Portsentry will automatically exclude any port which is in use by a service on your system.
# If you were to include port 22 (SSH) in the TCP_PORTS list, and you have an SSH server running on your system,
# no action will be taken on any connection attempt to that port.
# NOTE(review): whether this exclusion is evaluated once at startup or re-checked while running is not
# stated here; if a service is started on a listed port later, confirm the behaviour rather than assuming it.
#
# The default port list is very conservative, only monitoring ports which, arguably,
# should not be in use on modern systems. These ports are essentially used to detect attacks
# against older/legacy services as well as catching broad port scans.

TCP_PORTS="1,7,9,11,13,15,17,19,20,21,70,79,111,113,119,389,512-515,540,543-544,873,989,990,992,1080"
UDP_PORTS="7,9,13,19,111,389,513,517-518"

# This list is a bit more aggressive, monitoring ports which are commonly used by attackers and
# includes ports which are used by current services. This list will most likely catch more
# enumeration attempts; you might want to manually review some of the more popular services listed here.
# Depending on your circumstances, you might want to use this list instead of the first one.
# Keep in mind that listing ports legitimate clients may probe (e.g. 53, 445) raises the false-positive
# rate; combined with BLOCK_TCP/BLOCK_UDP="1" this can lock out legitimate hosts, so review the
# IGNORE_FILE before enabling blocking with this list.

#TCP_PORTS="1,7,9,11,13,15,17,19,20,21,23,25,37,43,53,79,88,110,111,139,143,161-162,389,445,512-515,540,543-544,873,989,990,992,1090,1812-1813"
#UDP_PORTS="7,9,13,19,37,53,69,111,123,137-138,161-162,389,513,514,517-518,520,1812-1813,2049,5060-5061"

# This list is a catch-all list, monitoring most service ports. A use-case for this list is a jump-host or bastion server
# where only a handful of known ports are legitimately in use (those are excluded automatically, see above).

#TCP_PORTS="1-1813"
#
# Skip 53 (DNS), 67-68 (bootps/bootpc) and 137-138 (netbios) since they are commonly used and might generate false positives
#UDP_PORTS="7-52,54-66,69-136,139-5061"


#######################
# Configuration Files #
#######################
#
# Hosts to ignore (i.e. never block). Each line of this file should contain
# an IP address or a network in CIDR notation. The file is read at startup.
# Example:
# 127.0.0.1/32
# NOTE: If no ignore file is specified, no hosts will be ignored.
# When blocking is enabled, it is advisable that this file lists at least the
# loopback address, this host's own addresses, its default gateway and its
# DNS/NTP servers: a stray or spoofed probe from one of them would otherwise
# cut the host off from its own infrastructure.
IGNORE_FILE="/etc/portsentry/portsentry.ignore"

# Log file containing all hosts that have triggered an alert
# although, not necessarily blocked.
# If you don't specify a history file, nothing will be logged.
# However, the information contained in the history file is still
# available in stdout or syslog, as specified with the
# --logoutput or -l command line option. If running via systemd,
# the log output is also available in the journal.
# The entries are derived from remote, untrusted traffic (and, with
# RESOLVE_HOST="1", presumably from DNS answers the remote side controls),
# so keep the file root-owned and treat its content as data, not as
# something to be fed unescaped into other commands.
HISTORY_FILE="/var/log/portsentry.log"

# When Portsentry is set to mode 1 or 2 (BLOCK_TCP or BLOCK_UDP is set to 1 or 2), then
# this file will be used as an internal database to keep track of hosts that have been blocked.
# If a host is matched against this file, no action will be taken. This ensures that a host is
# only blocked once.
#
# IMPORTANT:
# Leaving the BLOCKED_FILE empty will cause Portsentry to always block hosts and/or run the KILL_RUN_CMD.
# Be very careful leaving the BLOCKED_FILE empty as it could cause Portsentry to spam block commands and run the KILL_RUN_CMD often.
#
# NOTE:
# When portsentry is (re)started, no attempt to "re-block" the hosts in this file will be made.
# This means that if you manually remove a blocked host from your system (e.g. using iptables, routes, etc.)
# this file will not reflect the current state of your system and hosts which are in this file but
# not blocked by the system will not be blocked again until the file is removed.
# If you want to re-block all hosts in this file, you will have to remove the file and restart portsentry.
# It is highly recommended that this file is located in a directory that will be cleared on reboot so that
# portsentry can start with a clean slate.
#
# NOTE(review):
# /tmp is shared and world-writable, and this path is predictable. Because an address found in this file
# is never blocked again, a file at this path that already exists when portsentry starts (stale from an
# earlier run, or placed there by any local user) silently suppresses blocking for whatever it lists.
# Prefer a root-owned runtime directory that is also cleared on reboot (for example one under /run), or
# run the service with a private /tmp, and make sure the file is not writable by unprivileged users.
#
# NOTE:
# If you want to persist blocked hosts across reboots, you should use an external tool such as fail2ban instead;
# see the fail2ban directory for configuration files for fail2ban.
BLOCKED_FILE="/tmp/portsentry.blocked"


###############################
# Misc. Configuration Options #
###############################
#
# DNS Name resolution - Setting this to "1" will turn on DNS lookups
# for attacking hosts. Setting it to "0" (or any other value) will shut
# it off. Default is "0".
#
# NOTE: Using DNS resolution can slow down the response time of Portsentry.
# Reverse lookups also send outbound DNS queries for every alerting address and
# return names chosen by whoever controls the reverse zone; treat resolved names
# in the log as untrusted display data.
#
# NOTE(review): this example (and KILL_RUN_CMD_FIRST below) is written with spaces
# around '=', unlike every active assignment in this file; confirm the parser
# accepts that form, or write it as RESOLVE_HOST="0" when enabling it.

#RESOLVE_HOST = "0"


####################
# Response Options #
####################
#
# Configure how Portsentry will react to detected connection attempts.
#
# These options allow you to enable automatic response
# options for UDP/TCP. This is useful if you just want
# warnings for connections, but don't want to react for
# a particular protocol (i.e. you want to block TCP, but
# not UDP). To prevent a possible Denial of service attack
# against UDP and stealth scan detection for TCP, you may
# want to disable blocking, but leave the warning enabled.
# (Both react to single packets whose source address is easy to
# forge, so with blocking enabled third-party addresses, such as
# your gateway or DNS server, could end up blocked on your behalf.)
#
#
# 0 = Do not block UDP/TCP scans
# The detected connection attempt is only logged. This could be useful
# for monitoring purposes or use of an external tool, such as fail2ban.
# This option is the default.
#
# NOTE: It is highly recommended to only log connection attempts
# (by using this option, BLOCK_TCP="0" and BLOCK_UDP="0") and use an
# external tool such as fail2ban to block the attacking host based on
# the log file generated by Portsentry. The reason for this is that
# other tools are more sophisticated. For example, fail2ban will
# persist the blocked host across reboots.
#
#
# 1 = Block UDP/TCP scans.
# This option will block the attacking host after the scan is detected
# using the technique specified in the KILL_ROUTE and/or KILL_HOSTS_DENY
# section below. If KILL_ROUTE is defined, it will run first, followed by
# KILL_HOSTS_DENY if it is set.
# If the KILL_RUN_CMD option is set, the command will also be executed.
# The commands run with the privileges of the portsentry process (root, if
# the route/firewall examples below are to work), so review them carefully.
#
# NOTE: These options are preserved as a legacy option for those who
# cannot use an external tool to block the attacking host or have some
# specific use-case where this method is preferred.
#
# 2 = Run external command only (KILL_RUN_CMD)
# This option will only run the external command specified in KILL_RUN_CMD;
# KILL_ROUTE and KILL_HOSTS_DENY are not used in this mode.

#BLOCK_TCP="0"
#BLOCK_UDP="0"


###################
# Dropping Routes #
###################
#
# The KILL_ROUTE option is used to drop (blacklist) the attacking host.
# This can be done in a number of ways depending on your OS. Below
# are some examples of how to drop the route or use firewall
# tools to block the host.
#
# The string $TARGET$ is replaced with the attacking host.
#
# NOTE: The route commands are the least optimal way of blocking
# and do not provide complete protection against UDP attacks and
# will still generate alarms for both UDP and stealth scans. I
# always recommend you use a packet filter because they are made
# for this purpose.
#
# NOTE(review): use absolute paths to the tools (as most examples do) so the
# result does not depend on the daemon's PATH, and enable exactly one
# KILL_ROUTE line. 333.444.555.666 below is an intentionally invalid
# placeholder for a non-existent ("dead") gateway; replace it, or prefer the
# reject/blackhole forms, which need no gateway address.

# Generic
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# Generic Linux
#KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"

# Newer versions of Linux support the reject flag now. This
# is cleaner than the above option.
#KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

# Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
#KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"

# FreeBSD
#KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"

# iptables support for Linux
# (adjust the path to where iptables is installed on your system)
#KILL_ROUTE="/usr/local/bin/iptables -I INPUT -s $TARGET$ -j DROP"

# nftables support for Linux
# NOTE(review): the nftables command-line tool is named nft (not nftables); verify the
# binary path and that the "ip filter" table and "input" chain exist before enabling.
#KILL_ROUTE="nftables add rule ip filter input ip saddr $TARGET$ drop"

# For those of you running FreeBSD (and compatible) firewall
#KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"

# For those running pf (OpenBSD, etc.)
# NOTE THAT YOU NEED TO CHANGE external_interface to a valid interface
#KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/pfctl -f -"


################
# TCP Wrappers #
################
#
# This text will be dropped into the hosts.deny file for wrappers
# to use. There are two formats for TCP wrappers:
#
# NOTE(review): hosts.deny is only consulted by services linked against
# libwrap (tcp_wrappers); many current distributions and daemons no longer
# support it, so verify it actually has an effect on your system before
# relying on it as the blocking mechanism.
#
# Format One: Old Style - The default when extended host processing
# options are not enabled.
#
#KILL_HOSTS_DENY="ALL: $TARGET$"

# Format Two: New Style - The format used when extended option
# processing is enabled. You can drop in extended processing
# options, but be sure you escape all '%' symbols with a backslash
# to prevent problems writing out (i.e. \%c \%h )
#
#KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"


####################
# External Command #
####################
# This is a command that is run when a host connects; it can be whatever
# you want it to be (pager, etc.). This command is executed before the
# route is dropped or after, depending on the KILL_RUN_CMD_FIRST option below.
#
# The KILL_RUN_CMD_FIRST value should be set to "1" to force the command
# to run *before* the blocking occurs and should be set to "0" to make the
# command run *after* the blocking has occurred.
#
# $TARGET$ is replaced with the attacking host and $PORT$ (presumably) with
# the port that triggered the alert. The command runs with portsentry's own
# privileges, so reference the script by absolute path, keep it root-owned
# and not writable by other users, and have the script validate its
# arguments rather than interpolating them unquoted into further shell commands.
#
#KILL_RUN_CMD_FIRST = "0"
#
#KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"


######################
# Scan trigger value #
######################
# Enter in the number of port connects you will allow before an
# alarm is given. The default is 0, which will react immediately.
# A higher value makes Portsentry tolerate a few stray packets before
# reacting, at the cost of a delayed response; the exact counting
# (per host, per port, time window) is not described here, so check the
# manual before relying on a specific threshold.
#
#SCAN_TRIGGER="0"

#######################
# Port Banner Section #
#######################
#
# If Portsentry is used in "connect" mode (starting Portsentry with the --connect option),
# you can specify a banner to be displayed to the connecting host. Once the banner is displayed,
# the connection will be closed.
#
# The banner is sent to an unauthenticated remote party; keep it generic and do not
# include hostnames, software versions or contact details in it.
#
#PORT_BANNER="*** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED."