Profile
Kalasag is an Open Source port scan detection and response tool for Unix and Unix-like operating systems such as Linux. It is based on Psionic Portsentry, which was written by Craig Rowland in 2000 and re-released under a Common Public License by Cisco in 2002.
Navigation
Git
This blob has been accessed 353 times via Git panel.

  1. # Kalasag Configuration
  2. #
  3. # IMPORTANT NOTE: You CAN NOT put spaces between your port arguments.
  4. #
  5. # The default ports will catch a large number of common probes
  6. #
  7. # All entries must be in quotes.
  8.  
  9.  
  10. #######################
  11. # Port Configurations #
  12. #######################
  13. #
  14. #
  15. # Some example port configs for classic and basic Stealth modes
  16. #
  17. # I like to always keep some ports at the "low" end of the spectrum.
  18. # This will detect a sequential port sweep really quickly and usually
  19. # these ports are not in use (i.e. tcpmux port 1)
  20. #
  21. # ** X-Windows Users **: If you are running X on your box, you need to be sure
  22. # you are not binding Kalasag to port 6000 (or port 2000 for OpenWindows users).
  23. # Doing so will prevent the X-client from starting properly.
  24. #
  25. # These port bindings are *ignored* for Advanced Stealth Scan Detection Mode.
  26. #
  27.  
  28. # Un-comment these if you are really anal:
  29. #TCP_PORTS="1,7,9,11,15,70,79,80,109,110,111,119,138,139,143,512,513,514,515,540,635,1080,1524,2000,2001,4000,4001,5742,6000,6001,6667,12345,12346,20034,27665,30303,32771,32772,32773,32774,31337,40421,40425,49724,54320"
  30. #UDP_PORTS="1,7,9,66,67,68,69,111,137,138,161,162,474,513,517,518,635,640,641,666,700,2049,31335,27444,34555,32770,32771,32772,32773,32774,31337,54321"
  31. #
  32. # Use these if you just want to be aware:
  33. TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
  34. UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
  35. #
  36. # Use these for just bare-bones
  37. #TCP_PORTS="1,11,15,110,111,143,540,635,1080,1524,2000,12345,12346,20034,32771,32772,32773,32774,49724,54320"
  38. #UDP_PORTS="1,7,9,69,161,162,513,640,700,32770,32771,32772,32773,32774,31337,54321"
  39.  
  40. ###########################################
  41. # Advanced Stealth Scan Detection Options #
  42. ###########################################
  43. #
  44. # This is the number of ports you want Kalasag to monitor in Advanced mode.
  45. # Any port *below* this number will be monitored. Right now it watches
  46. # everything below 1024.
  47. #
  48. # On many Linux systems you cannot bind above port 61000. This is because
  49. # these ports are used as part of IP masquerading. I don't recommend you
  50. # bind over this number of ports. Realistically: I DON'T RECOMMEND YOU MONITOR
  51. # OVER 1024 PORTS AS YOUR FALSE ALARM RATE WILL ALMOST CERTAINLY RISE. You've been
  52. # warned! Don't write me if you have have a problem because I'll only tell
  53. # you to RTFM and don't run above the first 1024 ports.
  54. #
  55. #
  56. ADVANCED_PORTS_TCP="1024"
  57. ADVANCED_PORTS_UDP="1024"
  58. #
  59. # This field tells Kalasag what ports (besides listening daemons) to
  60. # ignore. This is helpful for services like ident that services such
  61. # as FTP, SMTP, and wrappers look for but you may not run (and probably
  62. # *shouldn't* IMHO).
  63. #
  64. # By specifying ports here Kalasag will simply not respond to
  65. # incoming requests, in effect Kalasag treats them as if they are
  66. # actual bound daemons. The default ports are ones reported as
  67. # problematic false alarms and should probably be left alone for
  68. # all but the most isolated systems/networks.
  69. #
  70. # Default TCP ident and NetBIOS service
  71. ADVANCED_EXCLUDE_TCP="113,139"
  72. # Default UDP route (RIP), NetBIOS, bootp broadcasts.
  73. ADVANCED_EXCLUDE_UDP="520,138,137,67"
  74.  
  75.  
  76. ######################
  77. # Configuration Files#
  78. ######################
  79. #
  80. # Hosts to ignore
  81. IGNORE_FILE="/opt/kalasag/kalasag.ignore"
  82. # Hosts that have been denied (running history)
  83. HISTORY_FILE="/opt/kalasag/kalasag.history"
  84. # Hosts that have been denied this session only (temporary until next restart)
  85. BLOCKED_FILE="/opt/kalasag/kalasag.blocked"
  86.  
  87. ##############################
  88. # Misc. Configuration Options#
  89. ##############################
  90. #
  91. # DNS Name resolution - Setting this to "1" will turn on DNS lookups
  92. # for attacking hosts. Setting it to "0" (or any other value) will shut
  93. # it off.
  94. RESOLVE_HOST = "1"
  95.  
  96. ###################
  97. # Response Options#
  98. ###################
  99. # Options to dispose of attacker. Each is an action that will
  100. # be run if an attack is detected. If you don't want a particular
  101. # option then comment it out and it will be skipped.
  102. #
  103. # The variable $TARGET$ will be substituted with the target attacking
  104. # host when an attack is detected. The variable $PORT$ will be substituted
  105. # with the port that was scanned.
  106. #
  107. ##################
  108. # Ignore Options #
  109. ##################
  110. # These options allow you to enable automatic response
  111. # options for UDP/TCP. This is useful if you just want
  112. # warnings for connections, but don't want to react for  
  113. # a particular protocol (i.e. you want to block TCP, but
  114. # not UDP). To prevent a possible Denial of service attack
  115. # against UDP and stealth scan detection for TCP, you may
  116. # want to disable blocking, but leave the warning enabled.
  117. # I personally would wait for this to become a problem before
  118. # doing though as most attackers really aren't doing this.
  119. # The third option allows you to run just the external command
  120. # in case of a scan to have a pager script or such execute
  121. # but not drop the route. This may be useful for some admins
  122. # who want to block TCP, but only want pager/e-mail warnings
  123. # on UDP, etc.
  124. #
  125. #
  126. # 0 = Do not block UDP/TCP scans.
  127. # 1 = Block UDP/TCP scans.
  128. # 2 = Run external command only (KILL_RUN_CMD)
  129.  
  130. BLOCK_UDP="1"
  131. BLOCK_TCP="1"
  132.  
  133. ###################
  134. # Dropping Routes:#
  135. ###################
  136. # This command is used to drop the route or add the host into
  137. # a local filter table.
  138. #
  139. # The gateway (333.444.555.666) should ideally be a dead host on
  140. # the *local* subnet. On some hosts you can also point this at
  141. # localhost (127.0.0.1) and get the same effect. NOTE THAT
  142. # 333.444.555.66 WILL *NOT* WORK. YOU NEED TO CHANGE IT!!
  143. #
  144. # ALL KILL ROUTE OPTIONS ARE COMMENTED OUT INITIALLY. Make sure you
  145. # uncomment the correct line for your OS. If you OS is not listed
  146. # here and you have a route drop command that works then please
  147. # mail it to me so I can include it. ONLY ONE KILL_ROUTE OPTION
  148. # CAN BE USED AT A TIME SO DON'T UNCOMMENT MULTIPLE LINES.
  149. #
  150. # NOTE: The route commands are the least optimal way of blocking
  151. # and do not provide complete protection against UDP attacks and
  152. # will still generate alarms for both UDP and stealth scans. I
  153. # always recommend you use a packet filter because they are made
  154. # for this purpose.
  155. #
  156.  
  157. # Generic
  158. #KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
  159.  
  160. # Generic Linux
  161. #KILL_ROUTE="/sbin/route add -host $TARGET$ gw 333.444.555.666"
  162.  
  163. # Newer versions of Linux support the reject flag now. This
  164. # is cleaner than the above option.
  165. #KILL_ROUTE="/sbin/route add -host $TARGET$ reject"
  166.  
  167. # Generic BSD (BSDI, OpenBSD, NetBSD, FreeBSD)
  168. #KILL_ROUTE="/sbin/route add $TARGET$ 333.444.555.666"
  169.  
  170. # Generic Sun
  171. #KILL_ROUTE="/usr/sbin/route add $TARGET$ 333.444.555.666 1"
  172.  
  173. # NEXTSTEP
  174. #KILL_ROUTE="/usr/etc/route add $TARGET$ 127.0.0.1 1"
  175.  
  176. # FreeBSD
  177. #KILL_ROUTE="route add -net $TARGET$ -netmask 255.255.255.255 127.0.0.1 -blackhole"
  178.  
  179. # Digital UNIX 4.0D (OSF/1 / Compaq Tru64 UNIX)
  180. #KILL_ROUTE="/sbin/route add -host -blackhole $TARGET$ 127.0.0.1"
  181.  
  182. # Generic HP-UX
  183. #KILL_ROUTE="/usr/sbin/route add net $TARGET$ netmask 255.255.255.0 127.0.0.1"
  184.  
  185. ##
  186. # Using a packet filter is the PREFERRED. The below lines
  187. # work well on many OS's. Remember, you can only uncomment *one*
  188. # KILL_ROUTE option.
  189. ##
  190.  
  191. # ipfwadm support for Linux
  192. #KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$ -o"
  193. #
  194. # ipfwadm support for Linux (no logging of denied packets)
  195. #KILL_ROUTE="/sbin/ipfwadm -I -i deny -S $TARGET$"
  196. #
  197. # ipchain support for Linux
  198. #KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
  199. #
  200. # ipchain support for Linux (no logging of denied packets)
  201. #KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY"
  202. #
  203. # iptables support for Linux
  204. KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"
  205. #
  206. # iptables support for Linux (xtables-addons)
  207. #KILL_ROUTE="/sbin/iptables -I INPUT -p tcp -s $TARGET$ -j TARPIT"
  208. #
  209. # For those of you running FreeBSD (and compatible) you can
  210. # use their built in firewalling as well.
  211. #
  212. #KILL_ROUTE="/sbin/ipfw add 1 deny all from $TARGET$:255.255.255.255 to any"
  213. #
  214. #
  215. # For those running ipfilt (OpenBSD, etc.)
  216. # NOTE THAT YOU NEED TO CHANGE external_interface TO A VALID INTERFACE!!
  217. #
  218. #KILL_ROUTE="/bin/echo 'block in log on external_interface from $TARGET$/32 to any' | /sbin/ipf -f -"
  219.  
  220.  
  221. ###############
  222. # TCP Wrappers#
  223. ###############
  224. # This text will be dropped into the hosts.deny file for wrappers
  225. # to use. There are two formats for TCP wrappers:
  226. #
  227. # Format One: Old Style - The default when extended host processing
  228. # options are not enabled.
  229. #
  230. KILL_HOSTS_DENY="ALL: $TARGET$"
  231.  
  232. # Format Two: New Style - The format used when extended option
  233. # processing is enabled. You can drop in extended processing
  234. # options, but be sure you escape all '%' symbols with a backslash
  235. # to prevent problems writing out (i.e. \%c \%h )
  236. #
  237. #KILL_HOSTS_DENY="ALL: $TARGET$ : DENY"
  238.  
  239. ###################
  240. # External Command#
  241. ###################
  242. # This is a command that is run when a host connects, it can be whatever
  243. # you want it to be (pager, etc.). This command is executed before the
  244. # route is dropped or after depending on the KILL_RUN_CMD_FIRST option below
  245. #
  246. #
  247. # I NEVER RECOMMEND YOU PUT IN RETALIATORY ACTIONS AGAINST THE HOST SCANNING
  248. # YOU!
  249. #
  250. # TCP/IP is an *unauthenticated protocol* and people can make scans appear out
  251. # of thin air. The only time it is reasonably safe (and I *never* think it is
  252. # reasonable) to run reverse probe scripts is when using the "classic" -tcp mode.
  253. # This mode requires a full connect and is very hard to spoof.
  254. #
  255. # The KILL_RUN_CMD_FIRST value should be set to "1" to force the command
  256. # to run *before* the blocking occurs and should be set to "0" to make the
  257. # command run *after* the blocking has occurred.
  258. #
  259. #KILL_RUN_CMD_FIRST = "1"
  260. #
  261. #
  262. #KILL_RUN_CMD="/some/path/here/script $TARGET$ $PORT$"
  263.  
  264.  
  265. #####################
  266. # Scan trigger value#
  267. #####################
  268. # Enter in the number of port connects you will allow before an
  269. # alarm is given. The default is 0 which will react immediately.
  270. # A value of 1 or 2 will reduce false alarms. Anything higher is
  271. # probably not necessary. This value must always be specified, but
  272. # generally can be left at 0.
  273. #
  274. # NOTE: If you are using the advanced detection option you need to
  275. # be careful that you don't make a hair trigger situation. Because
  276. # Advanced mode will react for *any* host connecting to a non-used
  277. # below your specified range, you have the opportunity to really
  278. # break things. (i.e someone innocently tries to connect to you via
  279. # SSL [TCP port 443] and you immediately block them). Some of you
  280. # may even want this though. Just be careful.
  281. #
  282. SCAN_TRIGGER="0"
  283.  
  284. ######################
  285. # Port Banner Section#
  286. ######################
  287. #
  288. # Enter text in here you want displayed to a person tripping Kalasag.
  289. # I *don't* recommend taunting the person as this will aggravate them.
  290. # Leave this commented out to disable the feature
  291. #
  292. # Stealth scan detection modes don't use this feature
  293. #
  294. #PORT_BANNER="** UNAUTHORIZED ACCESS PROHIBITED *** YOUR CONNECTION ATTEMPT HAS BEEN LOGGED. GO AWAY."
  295.  
  296. # EOF
  297.  
BZ2
Auto-generated tar archives of git commits on the current branch are here.
Filedrop
download filekalasag.git-97c89e1.tar.bz2
20.82 KB
12 downloads
download filekalasag.git-1141d13.tar.bz2
20.65 KB
559 downloads
download filekalasag.git-ee3c17b.tar.bz2
20.65 KB
535 downloads
download filekalasag.git-4032c54.tar.bz2
20.63 KB
7 downloads
download filekalasag.git-e51a2a6.tar.bz2
20.65 KB
8 downloads
download filekalasag.git-599c93a.tar.bz2
20.63 KB
6 downloads
download filekalasag.git-acdc640.tar.bz2
20.63 KB
8 downloads
ZIP
Friday, Aug 26, 2011, 3:47 AM
Auto-generated zip archives of git commits on the current branch are here.
Filedrop
download filekalasag.git-97c89e1.zip
25.68 KB
8 downloads
download filekalasag.git-1141d13.zip
25.37 KB
8 downloads
download filekalasag.git-ee3c17b.zip
25.34 KB
7 downloads
download filekalasag.git-4032c54.zip
25.13 KB
10 downloads
download filekalasag.git-e51a2a6.zip
25.13 KB
10 downloads
download filekalasag.git-599c93a.zip
25.11 KB
1326 downloads
download filekalasag.git-acdc640.zip
25.10 KB
10 downloads