author | V3n3RiX <venerix@redcorelinux.org> | 2017-10-09 18:53:29 +0100 |
---|---|---|
committer | V3n3RiX <venerix@redcorelinux.org> | 2017-10-09 18:53:29 +0100 |
commit | 4f2d7949f03e1c198bc888f2d05f421d35c57e21 (patch) | |
tree | ba5f07bf3f9d22d82e54a462313f5d244036c768 /net-analyzer/portsentry |
reinit the tree, so we can have metadata
Diffstat (limited to 'net-analyzer/portsentry')
-rw-r--r-- | net-analyzer/portsentry/Manifest | 13 | ||||
-rw-r--r-- | net-analyzer/portsentry/files/portsentry-1.2-conf.patch | 17 | ||||
-rw-r--r-- | net-analyzer/portsentry/files/portsentry-1.2-config.h.patch | 11 | ||||
-rw-r--r-- | net-analyzer/portsentry/files/portsentry-1.2-gcc.patch | 12 | ||||
-rw-r--r-- | net-analyzer/portsentry/files/portsentry-1.2-ignore.csh.patch | 11 | ||||
-rw-r--r-- | net-analyzer/portsentry/files/portsentry.8 | 151 | ||||
-rw-r--r-- | net-analyzer/portsentry/files/portsentry.conf.5 | 217 | ||||
-rw-r--r-- | net-analyzer/portsentry/files/portsentry.confd | 12 | ||||
-rw-r--r-- | net-analyzer/portsentry/files/portsentry.rc6 | 38 | ||||
-rw-r--r-- | net-analyzer/portsentry/metadata.xml | 11 | ||||
-rw-r--r-- | net-analyzer/portsentry/portsentry-1.2-r1.ebuild | 43 |
11 files changed, 536 insertions, 0 deletions
diff --git a/net-analyzer/portsentry/Manifest b/net-analyzer/portsentry/Manifest
new file mode 100644
index 000000000000..55b4b539b908
--- /dev/null
+++ b/net-analyzer/portsentry/Manifest
@@ -0,0 +1,13 @@
+AUX portsentry-1.2-conf.patch 649 SHA256 1550b5693445d574142e1c381b57d01c24367c320967320f6a6c5402be7f419b SHA512 b034ff032ba9d61f4dbc9a379b2ca71d691870df0cc4ec069d168a7d47fdf9a409cca32fc5cf9f04d1e1f69ac3695a9bef65a9c1a0c771095d74623b2d0cc92f WHIRLPOOL d7fc504e47035897b56a3f13037b517aa055aae00dc03664f1f5d125483a1ffe42157fab4b15590572fb00e300ea9ad2fca98fdd44e7770c40e0d0ac39dc9d7a
+AUX portsentry-1.2-config.h.patch 403 SHA256 341514e34eac1ec339c99ef0b2123b44038772ecc288c49932af6b07b1308a70 SHA512 7c4b8c0f96a126d1ba88a754867c7e0d717198aad5c641409f99f215e98b91db479f271e27b614364dce1814efe558991d2b06de9e958443d75ab0fe7a62f673 WHIRLPOOL 9d9c1e3fc335673dcc248199c4de5e4057ef76b758cb90d56c44b8d61d78cbefa02c41d093ac012825aa3eb410b9931bb973095219297fdac9655560d184f89a
+AUX portsentry-1.2-gcc.patch 471 SHA256 32065a060e1c0502d6c4f8101db6adf95dc1df51265279590b1c427ddc4be744 SHA512 f0bc3dee493e8fe465f938c7f141e77898c6cb9237c275e2d64aef5dde4286f61b37c2ad8d1f6b7b3ca5836f4b3c5a6ddcd7f6ae4718350fcdc82587a440342a WHIRLPOOL eb4fd1b7f9dd14eb09d5a830c8ad7b3d3d911d7534c3b8dde1d0eece900e967fae51893752dedb93ef98d3db74eb59f3f7d6f4d93b07eb053732846748602968
+AUX portsentry-1.2-ignore.csh.patch 240 SHA256 f3965f66bfcfa9197227f77233b94fad0c66f61096dd738e86ec2eb97527162c SHA512 8367e2967dffb8e16d76177100380893984868a8d147a14fc2eec853dcd21b148acc9f3d76cebe5a1e8fefb6cac6325c9ac8f1585344e464282246ec9b919ae7 WHIRLPOOL ecddd79825cc11c70897f1733e661c074a90d09f9511e01c3d407d313a934c8ce9d25c1fb6bed8984549ef57263446342d168a01d3e4c27ceaefb78a74767765
+AUX portsentry.8 4227 SHA256 17808d97d48d663cc3b3ae9c13f2c514261cb6e017bb48793d963760843cf698 SHA512 95cf13ee1cc9e8d422adf6d43232fe16e1728d5b1280c1e1c07cc01ddfef1854f49d76600426cde5e91d771cd1b1d0cd68a0d82c912de4d7bd001ed29d11b805 WHIRLPOOL c1f71e72ca4b97c3a0473c17988e7a27f8ad2bc8c666ba9221782624a3cee546e5cb2e85d5445a7931b34d13a30ab5df98e07c5419020dd1cff20f577650c81a
+AUX portsentry.conf.5 8385 SHA256 bf56374c8563ade5d975c253e5e9b5b6c5b43f6f9f17395b5fc1cc851d339bc0 SHA512 f91872244be26ba802845b326445904b1e7adc059c90e38883ffbaf6e43ca1c48dd1e0dbe15ef0b194e41a6ded9471bdc70d94dc235bc9310a90baa03e789e1a WHIRLPOOL 4288d003c660715dc6e300c172a8f7015718ce8be1cecffd97376cfdb41eef5920c930f15394c2f1d9bfb6bffcbe04ea521b68ff4164239e7b1adb877dbd5579
+AUX portsentry.confd 361 SHA256 e10504cb2600515abe34df575e88ba2b1135dce3f5c0a5a08558f332884d7bb3 SHA512 a3a7f1f6b74d7d0dd3f33b0f1a787ab013d2aae8b46e41993b4589cf8b75299a18ac2542e67d448edfdcb32e264e5c45e136ef27e039b160da0d77c7e4a2a255 WHIRLPOOL 9b2ed017e88696bb98275e728f2d4f848f64cde4a9b54d246143017bfa5136efed6b9e8e788b4cad34bd393891be5841990666dc9f4f14fa9d02c333f83f1123
+AUX portsentry.rc6 842 SHA256 3f981c51c7b9d666392206052473d0fecd8a7a8a91de0451364c6a38ba8aeac1 SHA512 85695ccf2fee0fb056c3c8e56682787adb808bd7e72450319cc19a88a26f681c1b6aaa90e39d288afaec34904923115ed24884af244fdfe177e82f7def822d7e WHIRLPOOL 5c89d5da94c85ba2ed4534ae35fc460f64e502ffe3aa8a436d39edb60fd9d9d0cffeab3280c0440039af7c7324f72c1257e410f832b3cabd26080c52ff240797
+DIST portsentry-1.2.tar.gz 48054 SHA256 dd1edcfcf2d9db7b5722de4f1da36ae45703bf05917af657ab6f7491be7fa52e SHA512 bcbea576816c654a9e165897ea51de3a4dde2940b05e26e785315fae5a5c7a0f697abfa2ace14d16e687e4a26f37c75cdaffefa1c5f98681f858dda22bcf3dae WHIRLPOOL 109a89bccb034dde0eea9c383aec7ce2dc58be34b5f71ded782e61cb632e20d59f0c5b63493cdb14400d31fe34b57c1f8006b081eb86219e1b44ee28e02d4fff
+EBUILD portsentry-1.2-r1.ebuild 1153 SHA256 e3af9cc7d0fc8c4e8c06db102080e864f18cc8fa5a36e27eccd7d48403ee27d3 SHA512 0706e2636c4ddc0240d63ab3307493714f6e2536ec0063b63210570ea8089787c62929504dd1fb49697e6845ad6d0111a05441f62e506768f52e1d6432d4ff21 WHIRLPOOL 2ec069e4fb3accf1ea6ead2773b34b2b420460aeb843a87ac7cd45646341c070144744a6d21e675459966ca63d2f979684ded82793b40c099d730515b2bddc25
+MISC ChangeLog 2935 SHA256 ae74ba853419567b28f8b4992b3055c5e8167514095a7d467f5fc52ba250e88f SHA512 ed2fbb43cd909054d86f8c8ccbe097f9231efd8fc60b22bf36b059ca20504a6fade828ba420ba466c37c802928d4c32b7df2ac6cfc42cc9169b312ce64d0903e WHIRLPOOL 8abb2b3ce8d30b99532ca12712348a895cd4269215d9c12e2985a27e7f772a6da73821d5f11071fd3c39096fdfd8c290ce66a2a85e9c97fb04d180aa1d2637e9
+MISC ChangeLog-2015 4051 SHA256 c605040e5916582d12eac7664b259a896154b82b5c923a5254ec9e743088f025 SHA512 ce81554aa4cf1431ffd9b15d3eceebf3fadc197ee0ec3f890a7e214f0faf93fdc1a5d60aedb6d83fe9472d75bc40ba365eb3d7810c871f81bc59efb0ea155287 WHIRLPOOL 653e96b96a4fff20c0cd35f805415cbe75beb851496c0b002dffac1c3014cbc49c60a86783dcf2476b670b767075c68a245c7aecf8c7960d28dabba10e75ec56
+MISC metadata.xml 361 SHA256 4c9a7fd2e95cc349c18291a63284ed77d4ae0dacac17e9ead47b99c7de912d7d SHA512 91dd94a52a85cf7d62f5ae1ccb5783b3c7c3b4ad513c1a2c9324bb3b79116504d1a59039d85c0c2adef55a9fe3ace9b533ce97f677c38cf19846e98c5df4abfb WHIRLPOOL 8841ec40e03aaeb0e1b8276f26a4b95d886cbc5c69e47173af5c8ad6630ab7f817748f1444e54ed1cb04252d3258e279bfcdb939a43a3d535922757f19548890
diff --git a/net-analyzer/portsentry/files/portsentry-1.2-conf.patch b/net-analyzer/portsentry/files/portsentry-1.2-conf.patch
new file mode 100644
index 000000000000..54f78fb467bc
--- /dev/null
+++ b/net-analyzer/portsentry/files/portsentry-1.2-conf.patch
@@ -0,0 +1,17 @@
+--- a/portsentry.conf
++++ b/portsentry.conf
+@@ -80,11 +80,11 @@
+ ######################
+ #
+ # Hosts to ignore
+-IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
++IGNORE_FILE="/etc/portsentry/portsentry.ignore"
+ # Hosts that have been denied (running history)
+-HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"
++HISTORY_FILE="/etc/portsentry/portsentry.history"
+ # Hosts that have been denied this session only (temporary until next restart)
+-BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"
++BLOCKED_FILE="/etc/portsentry/portsentry.blocked"
+ 
+ ##############################
+ # Misc. Configuration Options#
diff --git a/net-analyzer/portsentry/files/portsentry-1.2-config.h.patch b/net-analyzer/portsentry/files/portsentry-1.2-config.h.patch
new file mode 100644
index 000000000000..28c02b85e5af
--- /dev/null
+++ b/net-analyzer/portsentry/files/portsentry-1.2-config.h.patch
@@ -0,0 +1,11 @@
+--- a/portsentry_config.h
++++ b/portsentry_config.h
+@@ -22,7 +22,7 @@
+ 
+ /* These are probably ok. Be sure you change the Makefile if you */
+ /* change the path */
+-#define CONFIG_FILE "/usr/local/psionic/portsentry/portsentry.conf"
++#define CONFIG_FILE "/etc/portsentry/portsentry.conf"
+ 
+ /* The location of Wietse Venema's TCP Wrapper hosts.deny file */
+ #define WRAPPER_HOSTS_DENY "/etc/hosts.deny"
diff --git a/net-analyzer/portsentry/files/portsentry-1.2-gcc.patch b/net-analyzer/portsentry/files/portsentry-1.2-gcc.patch
new file mode 100644
index 000000000000..613808fe7225
--- /dev/null
+++ b/net-analyzer/portsentry/files/portsentry-1.2-gcc.patch
@@ -0,0 +1,12 @@
+--- a/portsentry.c
++++ b/portsentry.c
+@@ -1581,8 +1581,7 @@
+ Usage (void)
+ {
+ printf ("PortSentry - Port Scan Detector.\n");
+- printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot
+-sourceforget dot net>\n");
++ printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at users dot sourceforget dot net>\n");
+ printf ("Licensing restrictions apply. Please see documentation\n");
+ printf ("Version: %s\n\n", VERSION);
+ #ifdef SUPPORT_STEALTH
diff --git a/net-analyzer/portsentry/files/portsentry-1.2-ignore.csh.patch b/net-analyzer/portsentry/files/portsentry-1.2-ignore.csh.patch
new file mode 100644
index 000000000000..ec45dd1daac7
--- /dev/null
+++ b/net-analyzer/portsentry/files/portsentry-1.2-ignore.csh.patch
@@ -0,0 +1,11 @@
+--- a/ignore.csh
++++ b/ignore.csh
+@@ -35,7 +35,7 @@
+ endif
+ 
+ # Safe directory
+-set SENTRYDIR=/usr/local/psionic/portsentry
++set SENTRYDIR=/etc/portsentry
+ set TMPFILE=portsentry.ignore.tmp
+ 
+ if (-f $SENTRYDIR/portsentry.ignore) then
diff --git a/net-analyzer/portsentry/files/portsentry.8 b/net-analyzer/portsentry/files/portsentry.8
new file mode 100644
index 000000000000..7c9d6a617262
--- /dev/null
+++ b/net-analyzer/portsentry/files/portsentry.8
@@ -0,0 +1,151 @@
+.TH PORTSENTRY 8
+.\" NAME should be all caps, SECTION should be 1-8, maybe w/ subsection
+.\" other parms are allowed: see man(7), man(1)
+.SH NAME
+portsentry \- detect portscan activity
+.SH SYNOPSIS
+.B portsentry
+.I "[ \-tcp | \-stcp | \-atcp ]"
+.br
+.B portsentry
+.I "[ \-udp | \-sudp | \-audp ]"
+.SH "DESCRIPTION"
+This manual page documents briefly the
+.BR portsentry
+command.
+This manual page was written for the Debian GNU/Linux distribution
+because the original program does not have a manual page.
+.PP
+.B portsentry
+is a program that tries to detect portscans on network interfaces with the ability to detect stealth scans. On alarm portsentry can block the scanning machine via hosts.deny (see
+.BR hosts_access (5),
+firewall rule (see
+.BR ipfwadm (8) ,
+.BR ipchains (8)
+and
+.BR iptables (8))
+or dropped route (see
+.BR route (8)).
+.SH OPTIONS
+For details on the various modes see
+.I /usr/doc/portsentry/README.install
+.
+.TP
+.B \-tcp
+tcp portscan detection on ports specified under
+.I TCP_PORTS
+in the config file
+.IR /etc/portsentry/portsentry.conf .
+.TP
+.B \-stcp
+As above but additionally detect stealth scans.
+.TP
+.B \-atcp
+Advanced tcp or inverse mode. Portsentry binds to all unused ports below
+.I ADVANCED_PORTS_TCP
+given in the config file
+.IR /etc/portsentry/portsentry.conf .
+
+.TP
+.B \-udp
+udp portscan detection on ports specified under
+.I UDP_PORTS
+in the config file
+.IR /etc/portsentry/portsentry.conf .
+.TP
+.B \-sudp
+As above but additionally detect "stealth" scans.
+.TP
+.B \-audp
+Advanced udp or inverse mode. Portsentry binds to all unused ports below
+.I ADVANCED_PORTS_UDP
+given in the config file
+.IR /etc/portsentry/portsentry.conf .
+
+.SH "CONFIGURATION FILES"
+.B portsentry
+keeps all its configuration files in
+.BR /etc/portsentry.
+.B portsentry.conf
+is
+.BR portsentry 's
+main configuration file. See
+.BR portsentry.conf (5)
+for details.
+
+The file
+.BR portsentry.ignore
+contains a list of all hosts that are ignored, if they connect to a tripwired
+port. It should contain at least the localhost(127.0.0.1), 0.0.0.0 and the IP addresses of all local interfaces. You can ignore whole subnets by using a notation <IP Address>/<Netmask Bits>. It is *not* recommend putting in every machine IP on your network. It may be important for you to see who is connecting to you, even if it is a "friendly" machine. This can help you detect internal host compromises faster.
+
+If you use the
+.IR /etc/init.d/portsentry
+script to start the daemon,
+.BR portsentry.ignore
+is rebuild on each start of the daemon using
+.BR portsentry.ignore.static
+and all the IP addresses found on the machine via
+.BR ifconfig .
+
+.BR /etc/default/portsenty
+specifies in which protocol modes
+.B portsentry
+should be startet from
+.IR /etc/init.d/portsentry
+There are currently two options:
+.TP
+.B TCP_MODE=
+either
+.BR tcp ", " stcp " or " atcp " (see " OPTIONS " above)."
+.TP
+.B UDP_MODE=
+either
+.BR udp ", " sudp " or " audp " (see " OPTIONS " above)."
+
+.PP
+The options above correspond to portsentry's commandline arguments. For example
+.B TCP_MODE="atcp"
+has the same effect as to start portsentry using
+.BR portsentry " " -atcp.
+Only one mode per protocol can be started at a time (i.e. one tcp and one udp mode).
+
+.SH "FILES"
+.BR /etc/portsentry/portsentry.conf
+main configuration file
+.TP
+.BR /etc/portsentry/portsentry.ignore
+IP addresses to ignore
+.TP
+.BR /etc/portsentry/portsentry.ignore.static
+static IP addresses to ignore
+.TP
+.BR /etc/default/portsentry
+startup options
+.TP
+.BR /etc/init.d/portsentry
+script responsible for starting and stopping the daemon
+.TP
+.BR /var/lib/portsentry/portsentry.blocked.*
+blocked hosts(cleared upon reload)
+.TP
+.BR /var/lib/portsentry/portsentry.history
+history file
+.LP
+.SH "SEE ALSO"
+.BR portsentry.conf(5),
+.BR hosts_access(5),
+.BR hosts_options(5),
+.BR route(8),
+.BR ipfwadm(8),
+.BR ipchains(8),
+.BR iptables(8),
+.BR ifconfig(8)
+
+.BR /usr/share/doc/portsentry/README.install
+.LP
+.SH AUTHOR
+.B portsentry
+was written by Craig H. Howland
+.B <crowland@users.sf.net>.
+
+This manual page was stitched together by Guido Guenther <agx@debian.org>, for the Debian GNU/Linux system (but may be used by others). Some parts are just a cut and paste from the original documentation.
diff --git a/net-analyzer/portsentry/files/portsentry.conf.5 b/net-analyzer/portsentry/files/portsentry.conf.5
new file mode 100644
index 000000000000..314e2abb2a44
--- /dev/null
+++ b/net-analyzer/portsentry/files/portsentry.conf.5
@@ -0,0 +1,217 @@
+.TH PORTSENTRY.CONF 5
+.\" NAME should be all caps, SECTION should be 1-8, maybe w/ subsection
+.\" other parms are allowed: see man(7), man(1)
+.SH NAME
+portsentry.conf \- portsentry´s main configuration file
+.SH "DESCRIPTION"
+This manual page documents briefly the format of
+.BR portsentry ´s(8)
+configuration file.
+.SH OPTIONS
+.TP
+.B TCP_PORTS
+A comma delimited string of TCP ports you want PortSentry to
+listen to. This string can NOT have any spaces in it. You can put in as
+many sockets as you want. PortSentry will try to bind them all up until
+the default limit of 64.
+
+For the stealth scan detection modes, the ports are not "bound" per se,
+but they are monitored at the socket level for connections.
+
+For the Advanced Stealth Scan Detection (see below) this list is *ignored*
+.TP
+.B UDP_PORTS
+The same as above, except for UDP ports. You need to be
+very careful with UDP mode as an attacker can forge a port sweep and
+make you block any number of hosts. Use this option with caution, or
+not at all if your host is a well-known Internet connected system.
+
+For the Advanced Stealth Scan Detection (see below) this list is *ignored*
+
+.TP
+.B ADVANCED_PORTS_TCP
+A number indicating the highest port number to
+monitor down from. Any port *below* this number is then monitored. The
+default is 1024 (reserved port range), but can be made as large as 65535
+(system max). I don't recommend going over 1024 with this option.
+
+.TP
+.B ADVANCED_PORTS_UDP
+Same as above, except for UDP.
+
+.TP
+.B ADVANCED_EXCLUDE_TCP
+A comma delimited string of TCP ports that should
+be manually excluded from monitoring in Advanced mode. These are normally
+ports that may get hit by mistake by remote clients and shouldn't cause
+alarms (ident, SSL, etc).
+
+.TP
+.B ADVANCED_EXCLUDE_UDP
+Same as above, except for UDP.
+
+.TP
+.B IGNORE_FILE
+The path to the file that contains IP addresses of hosts you
+want to always be ignored.
+
+.TP
+.B BLOCKED_FILE
+The path to the file that contains the IP addresses of
+blocked hosts.
+
+.TP
+.B RESOLVE_HOST - This option turns off DNS resolution for
+hosts. If you have a slow DNS server it may be more effective
+to turn off resolution.
+
+.TP
+.B BLOCK_UDP
+This option disables all automatic responses to UDP probes.
+Because UDP can be easily forged, it may allow an attacker to start a
+denial of service attack against the protected host, causing it to block
+all manner of hosts that should normally be left alone. Setting this option
+to "0" will disable all responses, although the connects are still logged.
+This option is mainly useful for Internet exposed hosts. For internal hosts
+you should leave this enabled. If someone internally is firing spoofed
+packets at you, then you have a much bigger problem than a denial of service.
+
+.TP
+.B BLOCK_TCP
+Same as above, but for TCP. Packet forgery is not as big a problem
+though because PortSentry waits for a full connect to occur and this is much
+harder to forge in the basic modes. Leave this enabled, even for
+Internet connected hosts. For stealth scan detection modes the UDP warning
+applies:
+
+ An attacker can cause you to block hosts you don't want to
+ through packet forgery. I wouldn't worry about this until it is a
+ problem, but you should be aware of it.
+
+.TP
+.B KILL_ROUTE
+This is the command to run to drop the offending route(see
+.BR route (8))
+if an attack is detected. This is the *full path* to the route command
+along with the necessary parameters to make the command work. The macro
+.B $TARGET$
+will be substituted with the attacking host IP and is
+REQUIRED in this option. Your gateway should be a *dead host* on the
+local subnet. On some systems though you can just put in the localhost
+address (127.0.0.1) and this will probably work. All packets from the
+target host will get routed to this address so don't mess this up.
+More modern route commands will include a "-blackhole" or "-reject" flag.
+Check your man(1) pages and if your route command supports this feature
+you should use it (although we recommend using packet filtering
+instead, see below).
+
+Also be aware that this creates what is known as an "asynchronous
+route" which basically means packets enter your host via one route
+and are sent out on another (dead) route. This works OK for full
+TCP connect requests, but for UDP and stealth scan modes it
+still allows packets to activate PortSentry and you may get a
+series of "already blocked" alarms by PortSentry. For UDP scans
+this method prevents ICMP messages from returning to the attacker
+so all ports appear open. However, if the attacker is performing
+an actual exploit with UDP the drop route method will not work.
+The asynchronous route allows the packet to hit the system and the
+attacker could perform a "blind" attack with UDP if they know what
+the responses are going to be.
+
+By far the best method is to use the local packet filter (see
+.BR ipfwadm (8),
+.BR ipchains (8),
+or
+.BR iptables (8)).
+This is a much cleaner solution and is
+detailed in the config file. The macro
+.B $PORT$
+will substitute the port
+that was connected to by the attacker, but this is NOT required for this
+option. The macro $MODE$ reports what mode the blocking occurred in
+(tcp, udp, stcp, sudp, atcp, audp) but is also NOT required.
+
+.TP
+.B KILL_HOSTS_DENY
+This is the format of the string to drop into the
+hosts.deny file that TCP wrappers uses(see
+.BR hosts_access (5),
+and
+.BR hosts_options (5)).
+Again the
+.B $TARGET$
+macro is
+expanded out to be the IP of the attacker and is required. You can
+also drop in any TCP wrapper escape codes here as well (%h, twist,
+etc). The macro
+.B $PORT$
+will substitute the port that was connected to
+by the attacker, but this is NOT required for this option.
+The macro $MODE$ reports what mode the blocking occurred in
+(tcp, udp, stcp, sudp, atcp, audp) but is also NOT required.
+
+.TP
+.B KILL_RUN_CMD
+This is a command you want run *before* the route
+is dropped to the attacker. You can put in any program/script you want
+executed when an attack is detected. WE NEVER RECOMMEND PUTTING IN
+RETALIATORY ACTION AGAINST AN ATTACKING HOST. Virtually every time you're
+are port scanned the host doing the scanning has been compromised itself.
+Therefore, if you retaliate you are probably attacking an innocent(?)
+party. Also the goal of security is to make the person GO AWAY. You don't
+want to irritate them into making a personal vendetta against you.
+Remember, even a 13 year old can run a [insert favorite D.O.S. program
+here] attack against you from their Windows box to make your life
+miserable. As above, the
+.BR $TARGET$ ,
+.B $PORT$
+and
+.B $MODE$
+macros are available to you but they are not required with this option as above.
+
+.TP
+.B KILL_RUN_CMD_FIRST
+Setting this to "1" makes the command above run before the route is
+dropped. Setting it to "0" makes the command run aftter the blocking
+has occurred.
+
+.TP
+.B SCAN_TRIGGER
+PortSentry has a state engine that will remember hosts
+that connected to it. Setting this value will tell PortSentry to allow X
+number of grace port hits before it reacts. This will detect both
+sequential and random port sweeps. The default is 0 which will react
+immediately. A setting of 1 or 2 will reduce false alarms, anything
+higher is probably too much as anything more than 3 hits to different
+ports is pretty suspicious behavior. Usually you can leave this at 0
+without any consequence, with the exception of Advanced stealth scan
+detection modes where you may create a "hair trigger" if you aren't
+careful. Use your own discretion.
+
+.TP
+.B PORT_BANNER
+A text banner you want displayed to the connecting host if
+the PortSentry is activated. Leave this commented out if you don't want this
+feature. If you do use it, try not to taunt the person too badly. We
+recommend keeping it professional and to the point. The banner is *not*
+displayed when stealth scan detection modes are used.
+
+.LP
+.SH "SEE ALSO"
+.BR portsentry(8),
+.BR hosts_access(5),
+.BR hosts_options(5),
+.BR route(8),
+.BR ipfwadm(8),
+.BR ipchains(8)
+
+.BR /usr/share/doc/portsentry/README.install
+.LP
+.SH AUTHOR
+.B portsentry
+was written by Craig H. Howland
+.B <crowland@users.sf.net>.
+
+This manual page is essentially just a "cut and paste" from the README.install file and was done by Guido Guenther <agx@debian.org>(hopefully without adding too many errors), for the Debian GNU/Linux system (but may be used by others).
+
+
diff --git a/net-analyzer/portsentry/files/portsentry.confd b/net-analyzer/portsentry/files/portsentry.confd
new file mode 100644
index 000000000000..49729516ef7c
--- /dev/null
+++ b/net-analyzer/portsentry/files/portsentry.confd
@@ -0,0 +1,12 @@
+# Config file for /etc/init.d/portsentry
+#
+# This file is read by /etc/init.d/portsentry. See the portsentry.8
+# manpage for details.
+#
+# The options in this file refer to commandline arguments (all in lowercase)
+# of portsentry. Use only one tcp and udp mode at a time.
+#
+
+#PORTSENTRY_MODES="udp tcp"
+#PORTSENTRY_MODES="stcp sudp"
+#PORTSENTRY_MODES="atcp audp"
\ No newline at end of file
diff --git a/net-analyzer/portsentry/files/portsentry.rc6 b/net-analyzer/portsentry/files/portsentry.rc6
new file mode 100644
index 000000000000..1d89be401ada
--- /dev/null
+++ b/net-analyzer/portsentry/files/portsentry.rc6
@@ -0,0 +1,38 @@
+#!/sbin/openrc-run
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+# NB: Config is in /etc/conf.d/portsentry
+
+depend() {
+ need net
+}
+
+checkconfig() {
+ if [ ! -e /etc/portsentry/portsentry.conf ] ; then
+ eerror "You need an /etc/portsentry/portsentry.conf file"
+ eerror "There is a sample in /usr/share/doc/portsentry"
+ return 1
+ fi
+ if [ -z "$PORTSENTRY_MODES" ] ; then
+ eerror "You need to setup your PORTSENTRY_MODES first"
+ eerror "Check /etc/conf.d/portsentry that you've enabled some or all of them"
+ return 1
+ fi
+}
+
+start() {
+ checkconfig || return 1
+ ebegin "Starting portsentry"
+ for mode in $PORTSENTRY_MODES ; do
+ /usr/bin/portsentry -$mode
+ result=$(( $result + $? ))
+ done
+ eend $result
+}
+
+stop() {
+ ebegin "Stopping portsentry"
+ killall portsentry
+ eend $?
+}
diff --git a/net-analyzer/portsentry/metadata.xml b/net-analyzer/portsentry/metadata.xml
new file mode 100644
index 000000000000..99bfe72a50cf
--- /dev/null
+++ b/net-analyzer/portsentry/metadata.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="project">
+ <email>netmon@gentoo.org</email>
+ <name>Gentoo network monitoring and analysis project</name>
+ </maintainer>
+ <upstream>
+ <remote-id type="sourceforge">sentrytools</remote-id>
+ </upstream>
+</pkgmetadata>
diff --git a/net-analyzer/portsentry/portsentry-1.2-r1.ebuild b/net-analyzer/portsentry/portsentry-1.2-r1.ebuild
new file mode 100644
index 000000000000..29e14b375300
--- /dev/null
+++ b/net-analyzer/portsentry/portsentry-1.2-r1.ebuild
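Review bot: `result` in start() of portsentry.rc6 is never initialised, so on the first loop pass `result=$(( $result + $? ))` evaluates with an empty left operand and only works because the shell accepts a unary plus there; declare `local result=0` before the `for mode in $PORTSENTRY_MODES` loop so `eend $result` is always handed a number. The hint `eerror "There is a sample in /usr/share/doc/portsentry"` in checkconfig() does not match where the ebuild in this commit puts the sample: it is installed as /etc/portsentry/portsentry.conf.sample, and the dodoc copy goes under the versioned /usr/share/doc directory, so the message should name the /etc/portsentry path. stop() uses `killall portsentry`, which terminates every process of that name rather than the instances this service started; `start-stop-daemon --stop --exec /usr/bin/portsentry` is the OpenRC idiom for the same job and keeps the stop scoped to this daemon.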
@@ -0,0 +1,43 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=5
+inherit eutils toolchain-funcs
+
+DESCRIPTION="Automated port scan detector and response tool"
+# Seems like CISCO took the site down?
+HOMEPAGE="https://sourceforge.net/projects/sentrytools/"
+SRC_URI="mirror://sourceforge/sentrytools/${P}.tar.gz"
+
+SLOT="0"
+LICENSE="GPL-2"
+KEYWORDS="amd64 ppc x86"
+
+S="${WORKDIR}"/${PN}_beta
+
+src_prepare() {
+ epatch "${FILESDIR}"/${P}-conf.patch
+ epatch "${FILESDIR}"/${P}-config.h.patch
+ epatch "${FILESDIR}"/${P}-gcc.patch
+ epatch "${FILESDIR}"/${P}-ignore.csh.patch
+}
+
+src_compile() {
+ emake CC=$(tc-getCC) CFLAGS="${CFLAGS} ${LDFLAGS}" linux
+}
+
+src_install() {
+ doman "${FILESDIR}"/{portsentry.8,portsentry.conf.5}
+
+ dobin portsentry ignore.csh
+ dodoc README* CHANGES CREDITS
+ newdoc portsentry.ignore portsentry.ignore.sample
+ newdoc portsentry.conf portsentry.conf.sample
+
+ insinto /etc/portsentry
+ newins portsentry.ignore portsentry.ignore.sample
+ newins portsentry.conf portsentry.conf.sample
+
+ newinitd "${FILESDIR}"/portsentry.rc6 portsentry
+ newconfd "${FILESDIR}"/portsentry.confd portsentry
+}
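Review bot: The man pages installed by `doman "${FILESDIR}"/{portsentry.8,portsentry.conf.5}` are the Debian pages and describe a layout this package does not have: they point to /etc/default/portsentry and an /etc/init.d script that rebuilds portsentry.ignore, and list the history and blocked files under /var/lib/portsentry, whereas the conf.patch added in this commit sets HISTORY_FILE and BLOCKED_FILE under /etc/portsentry and the init script reads its modes from /etc/conf.d/portsentry. The FILES and CONFIGURATION FILES sections of portsentry.8 should be adjusted to the Gentoo paths, or a short note added, since an administrator checking the blocked list will otherwise look in the wrong directory. src_install also ships only `.sample` files while portsentry.rc6 refuses to start without /etc/portsentry/portsentry.conf, so a `pkg_postinst() { elog "Copy /etc/portsentry/portsentry.conf.sample to portsentry.conf and review KILL_ROUTE and KILL_RUN_CMD before starting the service"; }` would tell the user what to do. Those two settings are commands the daemon runs when it reacts, and the init script starts it as root, so the copy-and-review step is worth spelling out.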